Creating and Restoring Active Directory Snapshots
Active Directory Snapshots are a tool you can use to query old Active Directory data. They are not a complete backup system, but they let you access older versions of your Active Directory, which you can then use alongside other tools to perform disaster recovery as needed.
Snapshots work like this:
- Create a job to create snapshots
- Mount a snapshot to an alternate port
- Connect to that alternate port and view your old data
To create a new snapshot we need to open Command Prompt as an administrator and run the following commands:
Activate Instance NTDS
I am using one of Server Academy’s IT labs that are provided to all of our members for testing purposes. These labs are perfect since I don’t have to worry about losing data. If I mess up, all I need to do is click a button to revert the lab and I have everything back within minutes.
I am going to open Active Directory Users and Computers and make sure I have Advanced Features enabled:
Next, remove the deletion protection from an Organizational Unit: right-click the OU you want to delete, select Properties, go to the Object tab and un-check Protect object from accidental deletion:
I'm going to use an OU in my lab called Domain Groups. Once I remove the protection, I can right-click and delete the OU:
So now the OU is missing and I can get on to mounting the old snapshot:
We can use NTDS snapshotting to view the old data. Open CMD as an Admin again, and run the following commands:
This will list all snapshots.
First we need to run the mount command followed by the number of the snapshot we wish to mount. In this case I will be mounting snapshot 1:
This will output the directory where the snapshot is now mounted. Go ahead and exit the utility by pressing Q until you're back at the normal command prompt:
This mounts the old AD database under the C drive:
The inside of that directory looks just like our C drive and it contains the Active Directory database file (ntds.dit), which holds AD information such as user accounts, groups, and password hashes. Because of those hashes, treat the mounted directory with the same care as the live database: only administrators should be able to read it, and it should be unmounted once you are done with it.
Now we are going to use a utility called dsamain (AD/DS/LDS offline data browser) to mount this older version (snapshot) of Active Directory to an alternative port that we can connect to and view. Open CMD as an Administrator and run the command below (be sure to change the path to your snapshot location):
dsamain /dbpath c:\$SNAP_202004061016_VOLUMEC$\windows\ntds\ntds.dit /ldapport 5000
We will see that the command completed successfully:
Note: You need to keep this window open in order for the old data to be accessible on the port you specified. If you close this command prompt window, you won’t be able to connect to the mount and view the old data.
Now in the Active Directory console, right-click your domain and select Change Domain Controller:
Select This Domain Controller or AD LDS instance, and type in the name of your server followed by the port number you specified with the dsamain command. In my test lab, the DC is “sadc01” and the port I specified was 5000.
Now I can view the old snapshot of Active Directory and see my old data. Keep in mind you can't edit any of the data: the mounted snapshot is strictly read-only.
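Connecting through the console is fine for browsing, but a script makes it easier to find exactly which objects disappeared. The following PowerShell is an added example, not part of the original lesson: it queries the same OU on the live DC and on the dsamain port and lists objects that exist only in the snapshot. It assumes dsamain is still running on port 5000 on sadc01, and the OU distinguished name ($OuDn) is a hypothetical value you must replace with your own.

```powershell
# Added example (not from the original lesson): compare an OU in a mounted
# snapshot (served by dsamain on an alternate LDAP port) with the live domain
# and list objects that exist only in the snapshot. Assumes the snapshot is
# already mounted with ntdsutil and dsamain is listening on port 5000 on a DC
# named sadc01; the OU DN below is hypothetical, adjust all three for your lab.
param(
    [string]$Server       = 'sadc01',
    [int]   $SnapshotPort = 5000,
    [string]$OuDn         = 'OU=Domain Groups,DC=corp,DC=example'   # hypothetical DN
)

Add-Type -AssemblyName System.DirectoryServices

function Get-ObjectNames {
    # Enumerates every object under $SearchBase on $LdapServer (host or host:port)
    # and returns the set of distinguished names. dsamain exposes the snapshot as
    # a read-only LDAP server, so the same search works against either endpoint.
    param([string]$LdapServer, [string]$SearchBase)
    $root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$LdapServer/$SearchBase")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter      = '(objectClass=*)'
    $searcher.SearchScope = 'Subtree'
    $searcher.PageSize    = 500
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    $names = New-Object 'System.Collections.Generic.HashSet[string]'
    try {
        foreach ($r in $searcher.FindAll()) {
            [void]$names.Add([string]$r.Properties['distinguishedname'][0])
        }
    } catch [System.DirectoryServices.DirectoryServicesCOMException] {
        # The OU may be entirely absent on the live side (as after the deletion
        # in the lesson); treat that as an empty set rather than a failure.
        Write-Warning "Search base not found on ${LdapServer}: $($_.Exception.Message)"
    }
    return $names
}

$live     = Get-ObjectNames -LdapServer $Server -SearchBase $OuDn
$snapshot = Get-ObjectNames -LdapServer "${Server}:${SnapshotPort}" -SearchBase $OuDn

# Objects present in the snapshot but missing from the live directory are the
# candidates for recovery (authoritative restore, or recreating them by hand).
$missing = @($snapshot | Where-Object { -not $live.Contains($_) } | Sort-Object)
"Objects under $OuDn in snapshot but not live: $($missing.Count)"
$missing
```

Run it from an elevated PowerShell on the DC while the dsamain window from the previous step is still open; once it closes, the snapshot query will fail and only the live side will return results.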
To delete the data, we can run the commands below: