Active Directory snapshots in Windows Server 2008 is a cool trick any IT pro should be aware of. By using this feature, you can either manually, or programmatically, create snapshots of the Active Directory database at a given time. These snapshots can be stored on the local hard disk of the Domain Controller (DC), or moved to an offline type of storage. You can read more about this topic on my “Working with Active Directory Snapshots in Windows Server 2008” article.
However, as I wrote on article above, Windows Server 2008 Active Directory snapshots only go half the way. They do allow you to see how the AD DB looked like at the moment of the snapshot creation, what objects existed and other type of information, however, out of the box, it does not allow you to move or copy items or information from the snapshot to the live database. I.e., you can “see” that a user called “John” exists in the snapshot, but you cannot drag and drop it to the live AD DB, not can you use any built-in GUI tool that I am aware of to perform that action. You can use tools such as LDP or other LDAP browsers to browse the offline (snapshot) AD DB. You can also use CSVDE or LDIFDE command line tools to export data out if it into CSV or LDIF files, but these need extra editing to be imported into the live AD DB, and in any case, they cannot be used in this manner to re-create deleted objects.
Note: You might want to read my “Recovering Deleted Items in Active Directory” and “Manually Undeleting Objects in Active Directory” articles for more information about re-animating deleted objects in Active Directory.
This is why a tool written by Fredrik Lindström has captured my eye, and I felt it’s well worth posting an article about it here. The tool, called “Directory Service Comparison Tool” (or simply DSCT) can be used to compare an Active Directory instance to a Windows Server 2008 Active Directory snapshot. Besides comparing the object, DSCT can also be used to reanimate deleted objects and populate them with information stored in the snapshot.
The main features of the application are:
- Display differences between objects in Active Directory and Active Directory snapshots
- Restore attribute values from snapshots to Active Directory
- Reanimate deleted objects
- Restore group membership during reanimation [new]
- Groups present in the snapshot memberOf field of the recently reanimated object are GUID matched between the two data sources. You will be able to restore membership even if a target group has been renamed/moved in Active Directory since the snapshot was taken.
DSCT acts as a DirSync client and gets the current state of the snapshot by retrieving a DirectorySynchronizationCookie. By supplying this cookie in the query against the DC only the changes that have been made since the snapshot was taken are returned in the form of a searchResultCollection. DSCT examines each object that is returned and looks for the presence of specific attributes and values to determine if the object has been modified, added or deleted since the snapshot was taken.
- .NET Framework 2.0
- MMC 3.0
- Data sources: Active Directory and a mounted Active Directory Snapshot (Windows Server 2008 feature)
Note: DSCT does not have to be installed on a Domain Controller, it can run on a separate machine.
First, make sure you have a working Active Directory you can connect to. Needless to say, you also need a mounted snapshot of the Active Directory. Read more about how to create and mount AD snapshots on my “Working with Active Directory Snapshots in Windows Server 2008” article.
The tool installs itself as an MMC snap-in. After you add it to an MMC window, open the Connection Settings dialog and connect to your DC and snapshot. Note that you’ll need to have the right servername, LDAP port (used when issuing the DSAMAIN command, see my article above), and, if necessary, the right credentials.
Note: As of September 2008, a bug in Windows Server 2008 causes the value of highestCommittedUsn for the snapshot will be greater than the corresponding value on the DC. This means that the snapshot appears more up to date than the DC from a directory synchronization perspective. Comparing the two data sources will not be possible until the DC highestComittedUsn value is either equal to or greater than the value in the snapshot. DSCT now offers a method of artificially raising the highestCommittedUsn on the DC when connecting to a newly taken snapshot.
No objects will be displayed in DSCT unless differences are detected between the DC and the snapshot.
Click the Resync button if you have just modified an object in Active Directory and want to compare it to its former state in the snapshot.
In order to reanimate deleted objects, if such an object is detected, it will be listed in the “Deleted” tab. By selecting the object you can easily restore it, plus group membership if applicable.
After reanimating the object, you can restore its attributes:
Recent Windows Server 2008 Forum threads
Got a question? Post it on our Windows Server 2008 forums!