Rumors about AD-Snapshots

I’ve recently heard /read some rumors about AD-Snapshots. As I wrote before in Timetraveling Active Directory the new feature of Active Directory in Windows Server 2008 – AD-Snapshots or “the Database Mounting Tool” (how Microsoft calls the technology) how to look at a snapshot / backup can help you recovering data from older states of your Active Directory. I’ve also spoken about this and demoed it in my “A Directory Services Geek’s View on Active Directory Recovery in Windows Server 2008″ which was so far presented at TechEd Europe 2007 in Barcelona, the German Windows Server 2008 Launch in Frankfurt, the Directory Experts Conference 2008 in Chicago, TechEd US 2008 in Orlando, and which will pre presented at ICE-Lingen (in Lingen [;)] at the end of August. I’ve also wrote articles about this in the IT-Administrator in March and April this year.

So some rumors:

  • a mounted Database will show you all partitions, however Microsoft only supports the domain partition, the other partitions are not supported.
  • As far as I know it is not supported to recover from snapshots at all, however it works but you have to script. As I mentioned the process is:
    1. Creating a snapshot with NTDSUtil (ntdsutil -> snapshot -> Activate Instance NTDS -> Create)
      or
      Backing up the systemstate (wbadmin start systemstaterecovery -backuptarget:s:)
    2. Mounting a snapshot in the filesystem (ntdsutil -> snapshot -> list all -> mount xyz)
      or
      Restoring the systemstate to an alternative location (wbadmin start systemstaterecovery –version:07/07/2008-14:41 –recoveryTarget:e:\recovery\)
    3. Starting the snapshot / restored NTDS.dit as Read-only directory (dsamain -dbpath c:\$snap…\ntds\ntds.dit -ldapport 10000)
    4. Reanimating the tombstone of the user(s) in question
    5. Getting back additional data out of the snapshot and into production using scripts or ldifde.exe, see my post about converting the LDIF: Converting LDIF-Files
    6. Fixing backlinks: This is not easily done using LDIFs. Remember that Backlinks are not writeable, so you have to retrieve the backlink, then update the forward-link in question. Using LDIFDE this would be hard to accomblish. Most of the time we mostly care about Group Memberships, then we can also use a one-line commandline:
    7. dsget user cn=Ulf,ou=Demo,dc=xyz,dc=com -s localhost:10002 -memberof 
      | dsmod group -addmbr cn=Ulf,ou=Demo,dc=xyz,dc=com
  • you could retrieve information from other partitions, but you’ll also have to script it and be aware that it’s not supported from Microsoft
  • One rumor I’ve recently read: Using ntdsutil to perform an authoritative restore without rebooting in Directory Service Restore Mode. This is also not supported. The only supported way to perform an authoritative restore is in DSRM. However I’ve talked to some of the developers, and they said it’ll work as long as you are rebooting instantly after performing the authoritative restore (to make sure that caches and everything is cleaned), so you can do it without DSRM (stopping AD, performing the non-authoritative and the authoritative restore, then rebooting the machine without restarting AD prior). However it’s not supported!!!!
  • There are tools out there to help you recovering from a snapshot:

If you speak German and you are unable to attend ICE you can see my session at the German Launchevent Online. If you attend ICE come there, the session has been updated [;)].



Leave a Reply


Network-wide options by YD - Freelance Wordpress Developer