Win Server 2008 Directory Services, Active Directory Snapshots
The previous article of our series looked at the Database Mounting Tool, which was introduced in Windows Server 2008 for the purpose of loading backups of Active Directory created using any native or third-party methods that leverage the Volume Shadow Copy Service (VSS). We described its benefits in recovery scenarios and listed several tools that can be employed to access historical data exposed in this manner. As we have mentioned, in addition to System State or volume-level backups, as well as copies of the directory services database created using the ifm context of the ntdsutil command-line utility, it is possible to mount point-in-time captures of a drive containing Active Directory generated via so-called snapshots.
Learn the characteristics of Active Directory Snapshots, a new feature implemented on Windows Server 2008 domain controllers, as well as some third-party utilities to further simplify its use.
In this article, we will explore the characteristics of this new feature implemented on Windows Server 2008 domain controllers in more detail. We will also review a number of third-party utilities that further simplify its use.
Snapshots represent differences between a volume's current content and its state at the moment of their creation (encompassing changes to the domain, configuration, schema, and application partitions residing in the NTDS.DIT file). Although ultimately the size of a snapshot depends on how dynamic the environment is and how long you decide to keep it active, due to their nature snapshots are typically small and can be initiated in a matter of seconds. To provide meaningful information, they must be paired with the volume from which they originated. In addition, since they are based on the copy-on-write principle, they result in an increased number of disk I/O operations, which might have a negative impact on overall performance. It is also important to realize that a snapshot cannot be used for a direct restore of Active Directory objects (for that you will need an actual System State or critical-volume backup). Their main appeal comes from the ability to easily generate and view Active Directory state at arbitrarily chosen intervals. In effect, they offer a convenient way to determine when a particular object was modified. This helps you identify the backup set most suitable for the restore and delivers extra auditing and change-tracking benefits. For the same reason, they significantly simplify extracting any pertinent historical information that can subsequently be imported into an object recovered via tombstone reanimation or used to reverse undesired modifications. Take these factors into consideration when planning the frequency and retention period of snapshots, to make sure that they not only deliver the desired functionality but also have minimal impact on AD performance.
Snapshots are generated using the ntdsutil command-line utility launched either directly from the console or from a Terminal Services session of a Windows Server 2008-based domain controller. Once you are at the ntdsutil prompt, activate the directory instance by typing Activate Instance NTDS (you also have the option of pointing to an AD LDS instance by specifying its name instead of the NTDS value). Next, switch to the snapshot context by typing snapshot and follow with the create command. Shortly thereafter you should receive a notification stating that the snapshot set has been generated successfully. The message includes its unique GUID. To confirm, you can execute list all from within the same context, which should provide the listing of all active snapshots (including the date and time they were created). Note that the same can be accomplished by running the following from the command prompt, which comes in handy when automating snapshot generation as a scheduled task:
ntdsutil "Activate Instance NTDS" snapshot create quit quit
An active snapshot must be mounted before you can access it via DSAMAIN.EXE. This is done by invoking the mount command followed by either the integer assigned to each snapshot (which can be determined by running list all) or its GUID, resulting in the creation of a junction point whose name is generated by concatenating the word $SNAP, the date and time (in military format) when the snapshot was generated, and the target volume (e.g., $SNAP_200808082008_VOLUMEC$). That, in turn (as we explained in our previous article), determines the full path to the Active Directory NTDS.DIT file, which becomes $SNAP_200808082008_VOLUMEC$\Windows\NTDS\NTDS.DIT, assuming default placement of database and log files; this path gets associated with the -dbpath switch when running the Database Mounting Tool.
After you complete browsing through the mounted NTDS instance and terminate DSAMAIN.EXE, unmount the snapshot by calling the unmount command followed, as before, by either its integer identifier (whose value you can determine by running list mounted within the snapshot context of ntdsutil) or its GUID. Removal of snapshots that are no longer needed can be accomplished with the delete command. For a full overview of the snapshot syntax, refer to the Windows Server 2008 Technical Library.
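As an added example (not code from the original article), the following PowerShell script turns the scheduled-task one-liner shown earlier into a create-and-prune job: it creates a new snapshot set and then deletes sets older than a configurable retention period, skipping any set that is still mounted. It assumes an elevated session on the domain controller, the list all output format described in its comments (verify against your own ntdsutil output), and a log path of its own choosing.

```powershell
# Added example (not the article's own code): scheduled-task script that creates a
# new AD snapshot and then deletes snapshot sets older than a retention period.
# Assumed (verify on your build): "list all" prints one line per snapshot set as
#   " 1: 2008/08/08:20:08 {guid}"  and one line per volume as " 2: C: {guid}".
param([int]$RetentionDays = 14, [string]$LogPath = "$env:SystemRoot\Temp\ad-snapshot.log")

$SetPattern = '^\s*\d+:\s+(?<stamp>\d{4}/\d{2}/\d{2}:\d{2}:\d{2})\s+\{(?<guid>[0-9a-fA-F-]+)\}'

function Invoke-NtdsutilSnapshot {
    param([string[]]$Commands)
    # Non-interactive run: activate NTDS, enter the snapshot context, run the given
    # commands, then quit both contexts. PowerShell quotes arguments containing spaces.
    $argv = @('Activate Instance NTDS', 'snapshot') + $Commands + @('quit', 'quit')
    & "$env:SystemRoot\System32\ntdsutil.exe" $argv
}

function Get-AdSnapshotSet {
    # Parses "list all" into objects carrying each snapshot set's GUID and creation time.
    foreach ($line in (Invoke-NtdsutilSnapshot @('list all'))) {
        if ($line -match $SetPattern) {
            New-Object PSObject -Property @{
                Guid    = $matches['guid']
                Created = [datetime]::ParseExact($matches['stamp'], 'yyyy/MM/dd:HH:mm', $null)
            }
        }
    }
}

function Remove-ExpiredAdSnapshot {
    param([int]$Days)
    # A mounted set may still be served by dsamain.exe, so it is never deleted here.
    $mounted = @(Invoke-NtdsutilSnapshot @('list mounted')) -join "`n"
    $cutoff  = (Get-Date).AddDays(-$Days)
    foreach ($set in Get-AdSnapshotSet) {
        if ($set.Created -ge $cutoff -or $mounted -match [regex]::Escape($set.Guid)) { continue }
        "$(Get-Date -Format s) deleting {$($set.Guid)} created $($set.Created)" | Add-Content $LogPath
        Invoke-NtdsutilSnapshot @("delete {$($set.Guid)}") | Add-Content $LogPath
    }
}

"$(Get-Date -Format s) creating snapshot" | Add-Content $LogPath
Invoke-NtdsutilSnapshot @('create') | Add-Content $LogPath
Remove-ExpiredAdSnapshot -Days $RetentionDays
```

Because each snapshot holds a complete copy of NTDS.DIT, keep the retention period as short as the recovery and change-tracking needs allow, and review the log for failed delete operations.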
Although snapshots significantly simplify handling unintended deletions or modifications of Active Directory objects (for the reasons we described earlier), the actual recovery still requires multiple steps, which might include rather involved tombstone reanimation and restoration of the object's attributes. Fortunately, a variety of free third-party offerings can further streamline the restore process. Some of the more notable ones are listed below. (Note that commercially available software, such as UMove, is not included in this list.)
- Snapshot Recovery Tool from 1Identity - available as a free download containing the command line-based oirecmgr.exe utility, it provides the ability to recover an object and restore its attributes from an LDAP instance loaded via the Database Mounting Tool (this can be either an Active Directory snapshot or an NTDS.DIT file restored from a Volume Shadow Copy Service-compliant backup) to an arbitrary Windows Server 2008 domain controller. It is also capable of reanimating tombstones in both Windows Server 2003 and 2008 Active Directory environments. Note, however, that this option precludes simultaneous attribute recovery.
Although it has a dependency on .NET Framework 2.0, it can be executed remotely from a system running Windows XP Professional or Vista. Its command-line syntax allows you to restore an arbitrary number of objects, either by specifying their GUIDs via multiple -o switches or by storing them in a text file whose name gets assigned to the -of switch, as well as their attributes (in a comma-separated format). For example, the following command (executed directly from the console of a domain controller USDC-NYC001) would reanimate the deleted user object with the GUID 7abadaba-daba-d000-0d15-c015dead and restore its attributes, populating both forward and back links, such as the user's group membership, by extracting relevant information from an Active Directory snapshot accessible via port 33389. Reanimating tombstoned user accounts does not reinstate their passwords, which will need to be reset before you enable them since, by default, they are disabled following the restore:
oirecmgr.exe -o 7abadaba-daba-d000-0d15-c015dead -sh USDC-NYC001:33389 -ol -real
- Directory Service Comparison Tool is supposed to provide similar functionality but via a graphical interface in the form of a Microsoft Management Console snap-in, which becomes available once you install the freely downloadable setup program, available in both x86 and x64 versions. To configure it, select the Datasource Settings... entry from the context-sensitive menu of its node in the tree pane. In the resulting Datasource Settings dialog box, specify the name of a target domain controller and a server hosting a snapshot (or another VSS-compliant restore) mounted using DSAMAIN.EXE, along with their LDAP ports, as well as the naming context you intend to compare. The pane window of the console is divided into three tabs, intended for the list of modifications, additions and deletions (respectively) that took place since the DSA-mounted LDAP directory services store was created. Unfortunately, the tool's functionality is somewhat limited (at least as far as snapshots are concerned), due to a bug affecting the highestCommittedUSN value recorded in Active Directory snapshots. Like the Snapshot Recovery Tool, this utility relies on .NET Framework 2.0 being installed, in addition to MMC 3.0, and can be installed on a remote Windows XP Professional or Vista system.
- Active Directory Explorer from the Sysinternals team (Bryce Cogswell and Mark Russinovich) has a distinct position in this list since it provides its own capability to create snapshots, independent of the one introduced in Windows Server 2008 and supported on all versions of Active Directory. Their content can be derived from an online Active Directory environment by connecting to one of its domain controllers, or from a restored backup or VSS-compatible snapshot mounted using the DSAMAIN.EXE utility. In addition, it is possible to store them for offline viewing in an arbitrary location. The intuitive graphical interface of AD Explorer simplifies browsing their content and includes search and comparison features.
If you are looking for more advanced features geared toward large corporate environments, such as automation, reporting or scripting, as well as support extending beyond strictly Windows Server 2008-based Active Directory deployments, you might want to consider commercial products such as Recovery Manager for Active Directory from Quest, UMove for Active Directory from UTools, or Active Administrator from ScriptLogic.
This concludes our discussion regarding the Database Mounting Tool and the related Active Directory snapshot functionality. In the next article of our series, we will take a closer look at the new auditing settings, which are available when operating in an environment running Windows Server 2008-based domain controllers.