Jorge Bernhardt
Active Directory Snapshots using NTDSUTIL

Tags: Active Directory, Database, dsamain.exe, Microsoft, Microsoft Windows

In this post, I want to show you how you can use ntdsutil.exe to create snapshots of the Active Directory database, and how you can use tools to examine their contents, either to compare or to transfer objects, without restarting the domain controller in Directory Services Restore Mode (DSRM).

Important:

  • Log on as a member of the Domain Admins group.
  • You must run NTDSUTIL from an elevated command prompt.
  • The ADDS service must be running to create a snapshot.
Create an Active Directory snapshot

To create a snapshot, use the NTDSUTIL tool with the following syntax:

ntdsutil.exe snapshot "Activate Instance NTDS" create quit quit
(Screenshot: NTDSUTIL create)

You can also create a scheduled task to create snapshots on a regular basis.
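The following is an added example, not part of the original post, showing how such a scheduled task can be registered from PowerShell using the same ntdsutil command shown above. It assumes an elevated session on the domain controller; the task name and the 02:00 daily schedule are constructed values.

```powershell
# Added example (not from the original post): register a daily task that
# creates an Active Directory snapshot with the ntdsutil command used above.
# Assumes an elevated PowerShell session on the domain controller.
# 'AD-Snapshot-Daily' and the 02:00 schedule are constructed values.

# The exact ntdsutil command from this post, passed as the task's arguments.
$action = New-ScheduledTaskAction -Execute 'ntdsutil.exe' `
    -Argument 'snapshot "activate instance ntds" create quit quit'

# Run once a day at 02:00 local time.
$trigger = New-ScheduledTaskTrigger -Daily -At '02:00'

# SYSTEM on a domain controller can create snapshots; run with highest privileges
# because ntdsutil requires an elevated context.
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest

# Stop the task if ntdsutil hangs instead of letting it run indefinitely.
$settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Hours 1)

Register-ScheduledTask -TaskName 'AD-Snapshot-Daily' -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings -Description 'Daily AD database snapshot via ntdsutil'

# Confirm the task was registered and see when it will run next.
Get-ScheduledTask -TaskName 'AD-Snapshot-Daily' | Get-ScheduledTaskInfo
```

Snapshots accumulate on the volume until you delete them, so pair a task like this with the delete command shown at the end of the post, or check free space on the NTDS volume as part of routine monitoring.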

List all available snapshots

You can view a list of all created snapshots on a domain controller by running the following command:

ntdsutil.exe snapshot "list all" quit quit

(Screenshot: NTDSUTIL snapshots)

As you can see, each snapshot is identified by a GUID.

Mount an Active Directory snapshot

To mount a snapshot, take note of the GUID of the snapshot you want to mount and then run the following command:

ntdsutil.exe "activate instance ntds" snapshot "mount {GUID}" quit quit

(Screenshot: NTDSUTIL mount)

When the snapshot is mounted, take note of the path associated with it. You will use this path when connecting to the snapshot with the DSAMAIN command-line tool.

Connect an Active Directory snapshot

To connect to the mounted snapshot, you need to use the DSAMAIN tool with the following syntax:

dsamain.exe /dbpath C:\$SNAP_201909011401_VOLUMEC$\Windows\NTDS\ntds.dit /ldapport 50389

(Screenshot: dsamain)

You can expose the snapshot on any available TCP port number. Do not close the command prompt as long as DSAMAIN is running. After the snapshot is exposed, you can access it using Active Directory Users And Computers. To do this, perform the following steps:

  1. Open Active Directory Users And Computers.
  2. Right-click the root node and click Change Domain Controller.
  3. In the Change Directory Server dialog box, enter the name of the domain controller and the port you specified earlier.

(Screenshot: mmc ldap)

Now you can view the contents of the snapshot in Active Directory Users And Computers in the same way that you would view the contents of the current directory.

Unmount an Active Directory snapshot

To unmount a snapshot, first use Ctrl + C to close DSAMAIN and then run the following command to unmount the snapshot:

ntdsutil.exe "activate instance ntds" snapshot "unmount {GUID}" quit quit

(Screenshot: ntdsutil unmount)

Delete an Active Directory snapshot

Finally, if you want to delete the created snapshot, use the following command:

ntdsutil.exe snapshot "list all" "delete 1" quit quit

(Screenshot: ntdsutil delete)
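As an added example that is not part of the original post, the script below runs the whole lifecycle described above from PowerShell: create, mount, expose with DSAMAIN, compare one account between the live directory and the snapshot, then unmount and delete. It parses the ntdsutil output so the GUID and mount path do not have to be copied by hand. It assumes an elevated session on a domain controller as a Domain Admin, that TCP port 50389 is free, that the database sits at the default Windows\NTDS\ntds.dit location under the mounted volume, and that ntdsutil prints the GUID in braces and the mount point as a <drive>:\$SNAP_...$ path, as in the screenshots above. The sample account name "jdoe" and the helper names are constructed.

```powershell
# Added example (not from the original post): snapshot lifecycle in PowerShell.
# Assumptions: elevated session on a DC as Domain Admin; port 50389 free;
# ntdsutil prints the snapshot GUID in braces and the mount point as
# <drive>:\$SNAP_...$ (as in the post's screenshots); database at the default
# Windows\NTDS\ntds.dit location. 'jdoe' is a constructed sample account.
param(
    [string]$SamAccountName = 'jdoe',
    [int]$LdapPort = 50389
)

function Invoke-Ntdsutil {
    # Run ntdsutil with one token per argument (PowerShell quotes those with
    # spaces, matching the post's syntax) and return its output as lines.
    param([string[]]$Arguments)
    return @(& ntdsutil.exe @Arguments 2>&1 | ForEach-Object { "$_" })
}

function Get-LdapAttributes {
    # Read every attribute of a user from an LDAP server given as host[:port]
    # (live DC or dsamain snapshot) into a hashtable of name -> joined values.
    param([string]$Server, [string]$Sam)
    $baseDn = ([ADSI]"LDAP://$Server/RootDSE").defaultNamingContext
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$Server/$baseDn"
    $searcher.Filter = "(&(objectClass=user)(sAMAccountName=$Sam))"
    $result = $searcher.FindOne()
    if (-not $result) { throw "$Sam not found on $Server" }
    $attrs = @{}
    foreach ($name in $result.Properties.PropertyNames) {
        $attrs[$name] = ($result.Properties[$name] | ForEach-Object { "$_" } | Sort-Object) -join ';'
    }
    return $attrs
}

function Compare-Attributes {
    # Return attributes whose values differ between live and snapshot,
    # ignoring replication metadata that changes on every write.
    param([hashtable]$Live, [hashtable]$Snapshot)
    $ignore = 'usnchanged', 'whenchanged', 'dscorepropagationdata'
    $names = @($Live.Keys) + @($Snapshot.Keys) | Sort-Object -Unique
    foreach ($name in $names) {
        if ($ignore -contains $name) { continue }
        if ($Live[$name] -ne $Snapshot[$name]) {
            [pscustomobject]@{ Attribute = $name; Live = $Live[$name]; Snapshot = $Snapshot[$name] }
        }
    }
}

# 1. Create the snapshot and pick its GUID out of the output.
$created = Invoke-Ntdsutil 'snapshot', 'activate instance ntds', 'create', 'quit', 'quit'
$guid = [regex]::Matches(($created -join "`n"), '\{[0-9a-fA-F-]{36}\}') |
    Select-Object -Last 1 -ExpandProperty Value
if (-not $guid) { throw "No snapshot GUID in ntdsutil output:`n$($created -join "`n")" }

$dsamain = $null
try {
    # 2. Mount it and pick the mount path out of the output.
    $mounted = Invoke-Ntdsutil 'activate instance ntds', 'snapshot', "mount $guid", 'quit', 'quit'
    $mountPath = [regex]::Match(($mounted -join "`n"), '[A-Za-z]:\\\$SNAP_[^\s\\]+\$').Value
    if (-not $mountPath) { throw "No mount path in ntdsutil output:`n$($mounted -join "`n")" }
    $dbPath = Join-Path $mountPath 'Windows\NTDS\ntds.dit'   # assumed default location

    # 3. Expose the snapshot over LDAP with dsamain and wait until the port answers.
    $dsamain = Start-Process dsamain.exe -ArgumentList "/dbpath `"$dbPath`" /ldapport $LdapPort" -PassThru
    $deadline = (Get-Date).AddSeconds(60)
    do {
        Start-Sleep -Seconds 2
        $tcp = New-Object System.Net.Sockets.TcpClient
        try { $tcp.Connect('localhost', $LdapPort); $up = $true } catch { $up = $false } finally { $tcp.Dispose() }
    } until ($up -or (Get-Date) -gt $deadline)
    if (-not $up) { throw "dsamain did not start listening on port $LdapPort" }

    # 4. Compare the account between the live directory and the snapshot.
    $live = Get-LdapAttributes -Server 'localhost' -Sam $SamAccountName
    $snap = Get-LdapAttributes -Server "localhost:$LdapPort" -Sam $SamAccountName
    Compare-Attributes -Live $live -Snapshot $snap | Format-Table -AutoSize
}
finally {
    # 5. Stop dsamain (the post's Ctrl+C), unmount, then delete the snapshot by
    #    the index "list all" reports for this GUID instead of assuming it is 1.
    if ($dsamain) { Stop-Process -Id $dsamain.Id -Force; $dsamain.WaitForExit() }
    Invoke-Ntdsutil 'activate instance ntds', 'snapshot', "unmount $guid", 'quit', 'quit' | Out-Null
    $listing = Invoke-Ntdsutil 'snapshot', 'list all', 'quit', 'quit'
    $entry = $listing | Where-Object { $_ -match "^\s*(\d+):.*$([regex]::Escape($guid))" } | Select-Object -First 1
    if ($entry -and $entry -match '^\s*(\d+):') {
        Invoke-Ntdsutil 'snapshot', 'list all', "delete $($Matches[1])", 'quit', 'quit' | Out-Null
    }
}
```

The comparison goes through plain LDAP (System.DirectoryServices) against host:port, which is exactly what Active Directory Users And Computers does when you change the directory server to the DSAMAIN port; the finally block guarantees the snapshot is unmounted even if the comparison fails, so no stale dsamain instance is left listening.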

Thanks for reading my post. I hope you find it useful.

For more information about managing snapshots with NTDSUTIL, check out this link.