Timetraveling Active Directory

When I posted about the Fine Grained Password Policies (aka Password Settings Objects) in the Active Directory of Windows Server “Longhorn” I also got permission to blog about a very exciting new feature in Longhorn – the possibility to create and access Active Directory “Snapshots”. So what is this feature?

In all previous versions of Active Directory it has been very hard to:

  • determine which values an object had at a specific point in time
  • determine which backup is the right one to restore in case of an Active Directory recovery
  • authoritatively restore objects in Active Directory
  • figure out and fix group memberships (as well as other forward-/backlink relationships) after an authoritative restore

However – in Windows Server “Longhorn” you get the possibility to create Active Directory “Snapshots” (which is basically a Volume Shadow Copy of your operating system and Active Directory partitions – but taken in a way that guarantees the AD database is in a consistent state). Afterwards you are able to mount these snapshots into the file system, and start a read-only LDAP service from this database (DIT file). You can also start such a read-only LDAP directory from a previous backup whose files have been restored to a different place.

So how are we doing this?

First – let’s create a snapshot. The easiest way to do this is using ntdsutil.exe:

  1. On a Windows Server “Longhorn” Domain Controller, open the command prompt and enter ntdsutil
  2. Enter Snapshot to go into the snapshot subcontext
  3. Hit ? to see all options, just for your information
  4. Now we need to select the directory of which we want to create a snapshot – we could also use ADAM (called Active Directory Lightweight Domain Services in Windows Server “Longhorn”) – but in this case we care about Active Directory Domain Services, so enter Activate Instance NTDS
  5. Simply enter create, and a new snapshot is created. Note the GUID which is returned, we need this one later (but I’ll show you a way to retrieve it later anyway).

OK – that was easy – now let’s mount the snapshot into the file system:

  1. Still in the snapshot subcontext of ntdsutil, examine which snapshots you have on your local system by typing list all. You get a list of all snapshots on the system.
  2. Now we want to mount a specific snapshot. First copy the GUID right next to the date/time of the snapshot you want to mount to the clipboard. Then type mount <GUID>. You get the message that the snapshot is being mounted to a directory C:\$SNAP_datetime_VOLUMEC$\.
  3. Navigate with Windows Explorer to this directory (if you don’t see it you have to change your folder options) and examine its content. You’ll see that it includes a full snapshot of the volume.

But we wanted to start up our own read-only instance of Active Directory from this snapshot – there are no options in ntdsutil to do this. We need to use a different command: dsamain.exe

  1. Open up a new command prompt
  2. Type dsamain.exe -dbpath:c:\$snap_timedate_volumec$\windows\system32\ntds\ntds.dit -ldapport:10000 -sslport:10001 -gcport:10002 -gcsslport:10003 (replace the path with the path of the ntds.dit in your snapshot; the port numbers are up to you).
  3. The output should look as follows and inform you that the Active Directory Domain Services startup completed.

    Note that you don’t get back a prompt – whenever you decide you don’t need the new LDAP-Service anymore you’ll have to cancel it by hitting (Ctrl) + (C).

Now you can navigate in this “old version” of Active Directory. I strongly hope and assume you are not in your production network right now – so make some changes you remember (such as changing a user’s properties, or deleting something you don’t need anymore) – so that you have a possibility to see the changes between the two states of the Active Directory. In this example we’ll simply use ADSIEdit.msc to navigate the snapshot – you can use any other LDAP browser, script or tool which allows you to select ports other than the default to navigate the LDAP directory.

  1. Start adsiedit.msc
  2. In adsiedit, use the Connect to… menu to specify your Active Directory Snapshot
  3. Now navigate the old version of Active Directory, and look for the changes you made.
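Instead of browsing by hand, the two states can also be compared by script. The following is an added example (not code from the original post): it diffs objects as seen through the snapshot LDAP instance and through the live directory, flags deleted objects, and builds an LDIF modify record to put the snapshot values back. The records are constructed inline; in practice they would come from LDAP searches against the dsamain port (10000 in this post) and the live DC (389), and the attribute names used are assumptions for illustration.

```python
# Constructed sample: the same objects as returned by an LDAP search against
# the snapshot instance started with dsamain (assumed port 10000) and against
# the live domain controller (port 389). Values are made up for this example.
SNAPSHOT = {
    "CN=Jane Doe,OU=Users,DC=example,DC=local": {
        "displayName": ["Jane Doe"], "mail": ["jane@example.local"]},
    "CN=Admins,OU=Groups,DC=example,DC=local": {
        "member": ["CN=Jane Doe,OU=Users,DC=example,DC=local",
                   "CN=Bob Roe,OU=Users,DC=example,DC=local"]},
    "CN=Old Printer,OU=Devices,DC=example,DC=local": {"location": ["Floor 2"]},
}
LIVE = {
    "CN=Jane Doe,OU=Users,DC=example,DC=local": {
        "displayName": ["Jane Doe"], "mail": ["jane.doe@example.local"]},
    "CN=Admins,OU=Groups,DC=example,DC=local": {
        "member": ["CN=Bob Roe,OU=Users,DC=example,DC=local"]},
}

# Backlinks such as memberOf are computed from the forward link (member) and
# cannot be written back; a restore must touch the forward-link side only.
BACKLINKS = {"memberOf", "managedObjects", "directReports"}

def diff_object(snap, live):
    """Return {attr: (snapshot_values, live_values)} for attributes whose
    value sets differ. Multi-valued attributes are compared as sets so the
    order two LDAP servers return them in does not count as a change."""
    changes = {}
    for attr in sorted(set(snap) | set(live)):
        old, new = snap.get(attr, []), live.get(attr, [])
        if set(old) != set(new):
            changes[attr] = (sorted(old), sorted(new))
    return changes

def compare_directories(snapshot, live):
    """Classify every DN from the snapshot: 'deleted' when it no longer exists
    in the live directory, otherwise its attribute diff ({} = unchanged)."""
    return {dn: ("deleted" if dn not in live else diff_object(attrs, live[dn]))
            for dn, attrs in snapshot.items()}

def ldif_restore(dn, changes):
    """Build an LDIF 'changetype: modify' record that puts the snapshot values
    back on the live object (attribute-level recovery), skipping backlinks."""
    lines = [f"dn: {dn}", "changetype: modify"]
    for attr, (old, _new) in changes.items():
        if attr in BACKLINKS:
            continue
        lines += [f"replace: {attr}"] + [f"{attr}: {v}" for v in old] + ["-"]
    return "\n".join(lines) + "\n"
```

Running `compare_directories(SNAPSHOT, LIVE)` reports the printer as deleted, the changed mail attribute, and the lost group member; `ldif_restore` on the group diff yields a record that can be fed to an LDIF import tool against the live directory.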

After you are finished, you can stop dsamain with (Ctrl) + (C), then go back into the ntdsutil command line. To unmount the snapshot you can type dismount <GUID>. If you cannot remember which snapshots are mounted you can also use the list mounted command in this subcontext of ntdsutil.

AD snapshots are the first time ever that Microsoft puts such an important tool in our hands to enable us to do object-level or attribute-level recovery using simple scripts, or to select which objects to restore authoritatively. Previously you had to remember the distinguishedName of the objects you wanted to restore, or restart the DC without a network connection – figure out the DN path – then restart it in Directory Services Restore Mode again, and finally perform the authoritative restore. And remember – you can also do this against a backup, so it’s a good way to figure out which is the best backup to restore in the case of an AD recovery.

Disclaimer: this blog post is about a beta product which may change; I’ll try to update this blog post if I notice any changes.

Credits: Thank you Dmitri for this feature – you rock!

One Response to “Timetraveling Active Directory”

  1.   AJ Lambert Says:

    I just got done with the HOL. I’d love for you to review it.


Leave a Reply