I’ve recently heard/read some rumors about AD snapshots. As I wrote before in Timetraveling Active Directory, the new feature of Active Directory in Windows Server 2008, AD snapshots or “the Database Mounting Tool” (as Microsoft calls the technology), lets you look at a snapshot / backup and can help you recover data from older states of your Active Directory. I’ve also spoken about this and demoed it in my “A Directory Services Geek’s View on Active Directory Recovery in Windows Server 2008”, which has so far been presented at TechEd Europe 2007 in Barcelona, the German Windows Server 2008 Launch in Frankfurt, the Directory Experts Conference 2008 in Chicago, TechEd US 2008 in Orlando, and which will be presented at ICE-Lingen (in Lingen ;) ) at the end of August. I’ve also written articles about this in the IT-Administrator in March and April this year.
So some rumors:
- A mounted database will show you all partitions; however, Microsoft only supports the domain partition. The other partitions are not supported.
- As far as I know, it is not supported to recover from snapshots at all; it works, however, but you have to script it. As I mentioned, the process is:
- Creating a snapshot with NTDSUtil (ntdsutil -> snapshot -> Activate Instance NTDS -> Create), or backing up the system state (wbadmin start systemstatebackup -backuptarget:s:)
- Mounting a snapshot in the filesystem (ntdsutil -> snapshot -> list all -> mount xyz), or restoring the system state to an alternative location (wbadmin start systemstaterecovery -version:07/07/2008-14:41 -recoveryTarget:e:\recovery\)
- Starting the snapshot / restored NTDS.dit as Read-only directory (dsamain -dbpath c:\$snap…\ntds\ntds.dit -ldapport 10000)
- Reanimating the tombstone of the user(s) in question
- Getting back additional data out of the snapshot and into production using scripts or ldifde.exe, see my post about converting the LDIF: Converting LDIF-Files
- Fixing backlinks: This is not easily done using LDIFs. Remember that backlinks are not writeable, so you have to retrieve the backlink, then update the forward link in question. Using LDIFDE this would be hard to accomplish. Most of the time we care mainly about group memberships, and then we can also use a one-line command:
dsget user cn=Ulf,ou=Demo,dc=xyz,dc=com -s localhost:10002 -memberof
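The backlink-to-forward-link step described above, as an added example (not code from the original post): it reads an LDIF export of a user taken from the snapshot instance and turns every memberOf backlink into an importable "add: member" change on the group. The function names, the sample group names and the export layout (dn first, then memberOf values) are assumptions made for illustration.

```python
import base64

def unfold(text):
    """Join LDIF continuation lines (they start with a single space)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def parse(line):
    """'attr: value' or 'attr:: base64' -> (lower-cased attr, text value)."""
    attr, _, rest = line.partition(":")
    if rest.startswith(":"):
        return attr.lower(), base64.b64decode(rest[1:].strip()).decode("utf-8")
    return attr.lower(), rest.strip()

def emit(attr, value):
    """Write one LDIF line, base64-encoding values that are not LDIF-safe."""
    if value.isascii() and value[:1] not in (" ", ":", "<"):
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode()}"

def forward_link_ldif(snapshot_ldif):
    """For each memberOf backlink in the export, add the user to that group."""
    user_dn, out = None, []
    for line in unfold(snapshot_ldif):
        if not line.strip() or line.startswith("#"):
            continue
        attr, value = parse(line)
        if attr == "dn":
            user_dn = value          # the record the following backlinks belong to
        elif attr == "memberof" and user_dn:
            # memberOf is read-only; the writable side is the group's member
            out += [emit("dn", value), "changetype: modify", "add: member",
                    emit("member", user_dn), "-", ""]
    return "\n".join(out)

# Constructed sample export of one user from the snapshot (group names made up):
# one plain value, one folded value, one base64 value with a non-ASCII name.
SAMPLE = (
    "dn: CN=Ulf,OU=Demo,DC=xyz,DC=com\n"
    "changetype: add\n"
    "memberOf: CN=Sales,OU=Groups,DC=xyz,DC=com\n"
    "memberOf: CN=Project Time Travel,OU=Groups,DC=xy\n"
    " z,DC=com\n"
    "memberOf:: "
    + base64.b64encode("CN=B\u00fcro,OU=Groups,DC=xyz,DC=com".encode("utf-8")).decode()
    + "\n"
)

if __name__ == "__main__":
    print(forward_link_ldif(SAMPLE))
```

The generated file is meant to be imported into production after the user's tombstone has been reanimated, since the member values must point at an existing object.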