Active Directory Snapshots using NTDSUTIL

In this post, I want to show you how you can use ntdsutil.exe to create snapshots of the Active Directory database, and how you can use the standard tools to examine a snapshot's contents, either to compare objects or to transfer them back, without restarting the domain controller in Directory Services Restore Mode (DSRM).

Important:

  • Log on as a member of the Domain Admins group.
  • You must run NTDSUTIL from an elevated command prompt.
  • The AD DS service (NTDS) must be running to create a snapshot.

Create an Active Directory snapshot

To create a snapshot, use the NTDSUTIL tool with the following syntax:

[Screenshot: NTDSUTIL create]

You can also create a scheduled task to create snapshots on a regular basis.
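The following PowerShell script is an added example and is not code from the original post. It takes one snapshot immediately and then registers a daily scheduled task that repeats the same ntdsutil command, after checking the two preconditions listed above (elevated prompt, running NTDS service). The task name, the 02:00 run time and the one-hour execution limit are assumptions; the ntdsutil syntax is the documented one.

```powershell
# Added example: create an AD snapshot now and schedule a daily one.
# Run in an elevated PowerShell on a domain controller as a Domain Admin.

# Precondition 1: elevated prompt.
$isElevated = ([Security.Principal.WindowsPrincipal] `
    [Security.Principal.WindowsIdentity]::GetCurrent()
).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isElevated) { throw 'Run this from an elevated PowerShell prompt.' }

# Precondition 2: the AD DS service (service name NTDS) must be running.
if ((Get-Service -Name NTDS).Status -ne 'Running') {
    throw 'The AD DS (NTDS) service is not running; cannot create a snapshot.'
}

# One-off snapshot. The NTDS instance is activated first, "snapshot create"
# takes the VSS snapshot, and the two trailing "quit" arguments leave the
# snapshot menu and then ntdsutil itself so the call returns.
$ntdsutilArgs = '"activate instance ntds" snapshot create quit quit'
& ntdsutil.exe "activate instance ntds" snapshot create quit quit

# Daily task running the same command as SYSTEM on this domain controller.
# Task name and schedule are assumptions; adjust to your maintenance window.
$action    = New-ScheduledTaskAction -Execute 'ntdsutil.exe' -Argument $ntdsutilArgs
$trigger   = New-ScheduledTaskTrigger -Daily -At '2:00AM'
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
$settings  = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Hours 1)
Register-ScheduledTask -TaskName 'AD-Snapshot-Daily' -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings `
    -Description 'Daily Active Directory database snapshot via ntdsutil'
```

Each snapshot is a full VSS copy of the volume holding ntds.dit, so a daily task needs a matching routine that deletes snapshots you no longer need (the delete command is covered below). Because ntdsutil.exe and dsamain.exe are rarely run interactively on a healthy domain controller, logging process creation there (Windows event 4688 or Sysmon event 1) lets you spot these tools being launched outside the task's window.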

List all available snapshots

You can view a list of all created snapshots on a domain controller by running the following command:

[Screenshot: NTDSUTIL snapshots]

As you can see, each snapshot is identified by a GUID.

Mount an Active Directory snapshot

To mount a snapshot, take note of the GUID of the snapshot you want to mount and then run the following command:

[Screenshot: NTDSUTIL mount]

When the snapshot is mounted, take note of the mount path that NTDSUTIL reports for it. You will need this path when you expose the snapshot with the DSAMAIN command-line tool.

Connect an Active Directory snapshot

To connect to the mounted snapshot, use the DSAMAIN tool with the following syntax:

[Screenshot: dsamain]

You can expose the snapshot on any available TCP port. Do not close the command prompt: the snapshot is only reachable for as long as DSAMAIN keeps running. Once DSAMAIN is running, you can access the snapshot with Active Directory Users And Computers. To do this, perform the following steps:

  1. Open Active Directory Users And Computers.
  2. Right-click the root node and click Change Domain Controller.
  3. In the Change Directory Server dialog box, enter the name of the domain controller and the port you specified earlier (server:port).

[Screenshot: mmc ldap]

You can now view the contents of the snapshot in Active Directory Users And Computers in the same way that you would view the live directory.

Unmount an Active Directory snapshot

To unmount a snapshot, first press Ctrl + C in the DSAMAIN window to stop it, then run the following command to unmount the snapshot:

[Screenshot: ntdsutil unmount]

Delete an Active Directory snapshot

Finally, if you want to delete the created snapshot, use the following command:

[Screenshot: ntdsutil delete]
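The following PowerShell script is an added example, not code from the original post, that strings the mount, connect, unmount and delete steps above into one unattended run: it mounts a snapshot by GUID, serves it through DSAMAIN on a chosen LDAP port, runs a read-only query against it with the ActiveDirectory module, and then always stops DSAMAIN and unmounts (and optionally deletes) the snapshot. It assumes the RSAT ActiveDirectory module is installed, that the snapshot GUID comes from the list command shown earlier, that ntdsutil reports the mount point on a line containing "mounted as <path>", that ntds.dit lives on the volume that was snapshotted, and that port 51389 is free; the script name and the adminCount query are also illustrative choices.

```powershell
# Added example: Query-AdSnapshot.ps1 (hypothetical name).
# Usage: .\Query-AdSnapshot.ps1 -SnapshotGuid '{GUID-FROM-LIST-OUTPUT}' -LdapPort 51389 [-DeleteAfter]
param(
    [Parameter(Mandatory)][string]$SnapshotGuid,   # GUID shown by: ntdsutil snapshot "list all" quit quit
    [int]$LdapPort = 51389,                        # any free TCP port (assumption)
    [switch]$DeleteAfter                           # also delete the snapshot once finished
)

Import-Module ActiveDirectory -ErrorAction Stop

# ntdsutil expects the GUID in braces; accept it with or without them.
$guid = '{' + $SnapshotGuid.Trim('{}') + '}'

# 1. Mount the snapshot and capture the mount point from ntdsutil's output.
#    Assumption: the confirmation line ends with "mounted as <path>".
$mountOutput = & ntdsutil.exe snapshot "mount $guid" quit quit
$mountPoint = $null
foreach ($line in $mountOutput) {
    if ($line -match 'mounted as (.+?)\s*$') { $mountPoint = $Matches[1]; break }
}
if (-not $mountPoint) {
    throw "Mount failed or mount point not found in ntdsutil output:`n$($mountOutput -join "`n")"
}

# 2. Locate ntds.dit inside the snapshot. The live path is read from the NTDS
#    service parameters and re-rooted under the mount point (assumes the database
#    sits on the snapshotted volume).
$liveDb   = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters').'DSA Database file'
$relative = $liveDb.Substring([System.IO.Path]::GetPathRoot($liveDb).Length)   # e.g. Windows\NTDS\ntds.dit
$dbPath   = Join-Path $mountPoint $relative

# 3. Serve the snapshot over LDAP. dsamain blocks, so run it as a background process
#    and wait until the port answers instead of sleeping a fixed time.
$dsamain = Start-Process -FilePath dsamain.exe `
    -ArgumentList "-dbpath `"$dbPath`" -ldapport $LdapPort" -PassThru -NoNewWindow
try {
    $ready = $false
    for ($i = 0; $i -lt 60 -and -not $ready; $i++) {
        Start-Sleep -Seconds 1
        $ready = Test-NetConnection -ComputerName localhost -Port $LdapPort -InformationLevel Quiet
    }
    if (-not $ready) { throw "dsamain did not open port $LdapPort within 60 seconds" }

    # 4. Read-only query against the snapshot (server:port form, as in the MMC dialog).
    #    Example question: which accounts carried adminCount=1 at snapshot time?
    Get-ADUser -Server "$($env:COMPUTERNAME):$LdapPort" -Filter 'adminCount -eq 1' `
        -Properties whenChanged |
        Select-Object SamAccountName, DistinguishedName, whenChanged
}
finally {
    # 5. Always tear down: stop dsamain (the script equivalent of Ctrl+C), unmount,
    #    and delete if requested, so no second copy of ntds.dit stays reachable.
    Stop-Process -Id $dsamain.Id -Force -ErrorAction SilentlyContinue
    & ntdsutil.exe snapshot "unmount $guid" quit quit
    if ($DeleteAfter) { & ntdsutil.exe snapshot "delete $guid" quit quit }
}
```

The try/finally is the important design choice: a mounted snapshot is a complete copy of ntds.dit, password hashes included, so the port should stay open only for the duration of the query and the mount should not outlive the script. Comparing the query output with the same query against the live directory (without -Server) is the quickest way to see what changed since the snapshot was taken.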

For more information about managing snapshots with NTDSUTIL, check out this link: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731620(v%3Dws.11)