AD

Recovering Data from Active Directory Snapshots

7th April 2019 /

The task of mounting the snapshots of the volumes that contain Active Directory seems a bit like magic. How can you get to the Active Directory data contained in those snapshots? The secret is the DSAMAIN command. This is the executable that runs ADLDS. It is essentially a standalone LDAP server that shares almost all of its code with ADDS. You can use DSAMAIN to make the mounted snapshots look like a read-only LDAP server containing the Active Directory data as it was at the time the snapshot was taken.

Consider this command:

C:\> dsamain –dbpath
c:\$snap_200712032318_volumed$\ntds\dit
\ntds.dit -ldapport 10000

This mounts the ntds.dit file located in the c:\$snap_200712032318_volumed$\ntds\dit folder and makes it available to LDAP operations on TCP port 10000 (or whatever open port you specify). DSAMAIN will open the LDAPS port (the port used for LDAP over Secure Sockets Layer) on the port you specified plus one (in this case, 10001), the GC port (the port used for global catalog connections) on the port you specified plus two (10002), and the GCS (Global Catalog over Secure Sockets Layer) port on the port you specified plus three (10003).

You can use any LDAP program (such as LDP) to access the mounted DIT on the specified port. But in Windows Server 2008, Active Directory Users and Computers (ADUC), Sites and Services, and Domains and Trusts, as well as ADSIEDIT, have all been modified to allow you to connect them to a DIT mounted using DSAMAIN. If you right-click on the top-level node in the navigation pane of any ADUC and select Change Domain Controller, you will see the dialog box shown in Figure 14. If you simply type the name or IP address of the server hosting the mounted snapshot, along with the port (in my example, localhost:10000), ADUC will connect to the mounted snapshot, allowing you to browse the contents of the directory as it existed at the time of the snapshot. Pretty amazing, isn’t it?

Figure 14 Connecting Active Directory users and computers to a mounted snapshot

Figure 14 Connecting Active Directory users and computers to a mounted snapshot (Click the image for a larger view)

Being able to access directory data in this way makes many kinds of data recovery tasks much easier than they used to be. For instance, to recover a deleted object from a backup formerly required that you perform a non-authoritative restore of the backup on an existing DC and then perform an authoritative restore of the deleted object. And if the backup you restored didn’t have the correct data, you had to start all over again with a different backup. Now, using tombstone reanimation and snapshots, you can quickly find and recover deleted data, and you don’t even have to take the domain controller offline to do it.

There are some limitations, however. For instance, each active snapshot increases the disk I/O associated with write operations to the directory, so you probably shouldn’t have more than one or two snapshots active at any point in time on a production DC. Also, the longer you keep snapshots active, the larger the Volume Shadow Copy Service delta store becomes—this can also affect performance. And, of course, simply recovering a deleted object is only the first part of the recovery problem. You will probably have to recover the object’s linked attributes, such as group memberships, as well. But even in this case, the snapshot can help you identify all the groups the deleted object was a member of.

Using ntdsutil to mount a snapshot

C:\> ntdsutil
ntdsutil: snapshot
snapshot: list all
 1: 2007/12/03:23:18 {42c44414-c099-4f1e-8bd8-4453ef2534a4}
 2:   C: {c0dd71ba-5bcd-4daf-9fbb-5cfbdd168022}
 3:   D: {2bbd739f-905a-431b-9449-11fba01f9931}
snapshot: mount 1
Snapshot {c0dd71ba-5bcd-4daf-9fbb-5cfbdd168022} mounted as C:\$SNAP_200712032318_VOLUMEC$\
Snapshot {2bbd739f-905a-431b-9449-11fba01f9931} mounted as C:\$SNAP_200712032318_VOLUMED$\
snapshot: quit
ntdsutil: quit

You take snapshots of ADDS or Active Directory Lightweight Directory Services (ADLDS) using the NTDSUTIL command, as shown here:

ntdsutil: snapshot
snapshot: activate instance ntds
Active instance set to "ntds".
snapshot: create
Creating snapshot...
Snapshot set {42c44414-c099-4f1e-8bd8-4453ef2534a4} generated successfully.
snapshot: quit
ntdsutil: quit


This sequence of NTDSUTIL commands creates a Volume Shadow Copy Service snapshot of the volumes that contain the Active Directory DIT, logs, and SYSVOL. Even though Active Directory is still being updated, Volume Shadow Copy Service uses a copy-on-write strategy to make sure that the snapshots you’ve taken are properly maintained. Note that the snapshots are not a complete copy of the DIT. They are really just a collection of disk blocks in the DIT that have been modified since the snapshot was taken. By combining these blocks with the current copy of the DIT, VSS can present the Active Directory DIT just as it appeared at the time of the snapshot. Figure 12 shows how to delete old or unneeded snapshots.

Delete unneeded snapshots

C:\> ntdsutil
ntdsutil: snapshot
snapshot: list all
 1: 2007/12/03:23:18 {42c44414-c099-4f1e-8bd8-4453ef2534a4}
 2:   C: {c0dd71ba-5bcd-4daf-9fbb-5cfbdd168022}
 3:   D: {2bbd739f-905a-431b-9449-11fba01f9931}
snapshot: delete 1
Snapshot {c0dd71ba-5bcd-4daf-9fbb-5cfbdd168022} mounted as C:\$SNAP_200712032318_VOLUMEC$\
Snapshot {2bbd739f-905a-431b-9449-11fba01f9931} mounted as C:\$SNAP_200712032318_VOLUMED$\
snapshot: quit
ntdsutil: quit
C:\>

Leave a Reply

Your email address will not be published. Required fields are marked *