Active Directory snapshots in Windows Server 2008 allow an administrator to either manually, or programmatically, create snapshots of the Active Directory database at a given time. With Active Directory snapshots, you can view the data inside such a snapshot on a domain controller without the need to start the server in Directory Services Restore Mode. These snapshots can be stored on the local hard disk of the Domain Controller (DC), or moved to an offline type of storage. You can read more about this topic on my “Working with Active Directory Snapshots in Windows Server 2008” and “Automating the Creation of Active Directory Snapshots” articles.
Overall, the process of creating and using the AD snapshot involves using the following procedure:
After learning how to create AD snapshots we will now focus on working with the information found inside these snapshots. We will do so by running a GUI-based tool such as DSA.msc, LDP.exe or ADSIEDIT.msc to attach to the snapshot’s LDAP port that you specified when you exposed the snapshot as an LDAP server. Then, you will be able to browse the snapshot just as you would with any live domain controller. You can also use command prompt-based tools such as LDIFDE or CSVDE to export information from within the snapshot. More on these command line utilities in my “Using CSVDE and LDIFDE to Export Information from Active Directory Snapshots in Windows Server 2008” article.
Note: Unlike in Windows Server 2003, LDP.exe and ADSIEDIT.msc are now included with Windows Server 2008, and you do not need to install the Support Tools like you did in previous versions.
Note that this data is read-only data, and by default, only members of the Domain Admins and Enterprise Admins groups are allowed to view the snapshots. However, like with all sensitive information, you must make sure that you safeguard the AD DS snapshots from unauthorized access just as you protect backups of AD DS. A malicious user who has access to the snapshots can use them to reveal sensitive data that might be stored in AD DS.
The main difference between using the following tools with an AD snapshot and using them on a live AD database is the port number. While you usually do NOT need to specify the default LDAP port (389) when connecting to a live AD database, you MUST specify the port number when connecting to the AD snapshot. The port number is the one you passed to the -ldapport switch of the DSAMAIN command when you exposed the snapshot.
In all the following examples we will use port 10389. I have also created an OU called “Dev” in my test domain, and placed a few users in it. I’ve created a snapshot, and afterwards I have made some changes on the Dev users in the live AD.
DSA.msc (Active Directory Users and Computers) is probably the easiest tool for visually viewing most of the information you need from the snapshot. The benefit of using this tool in Windows Server 2008 is that it now has some of ADSIEDIT's functionality built in, allowing you to view almost all the attributes of objects in the AD Domain partition.
To use DSA.msc on an AD snapshot follow these steps:
The major benefit of ADSIEDIT.msc over DSA.msc is the fact that it can be used to connect to other AD partitions – the Configuration partition and the Schema partition, as well as to the Domain partition. It too allows for graphical browsing for objects and attributes.
Note: ADSIEDIT.msc is now included with Windows Server 2008.
To use ADSIEDIT.msc on an AD snapshot follow these steps:
As mentioned above, by using ADSIEDIT.msc you can see more than the Default naming context – the AD Domain partition. You can use it to also connect to the Configuration partition and the Schema partition.
Like ADSIEDIT.msc, LDP.exe can be used to connect to other AD partitions – the Configuration partition and the Schema partition, as well as to the Domain partition. However, the browsing for objects and attributes is done textually, which might be useful in some cases.
Note: LDP.exe is now included with Windows Server 2008.
To use LDP.exe on an AD snapshot follow these steps:
I will not go into great detail here, but as you’re probably aware, there’s a lot you can do with a good VBS script against an AD database. Because mounted and exposed AD snapshots are treated as read-only Active Directory databases, VBS scripts can be used to export any type of information you need from the snapshot.
It is beyond the scope of this article to give detailed examples of scripts, but I did find this nice script on Ken St. Cyr’s Blog (see links below) and thought I should share it. This script will go through each user account and export the samAccountName and displayName attributes to a TSV (Tab Separated Values) file which can be later used in Excel or a text editor.
See the code (note that the script uses port 10389, change that to whatever port you’ve used in your DSAMAIN command):
' NAME: export-attr.vbs
' DATE: 3/6/2008
' DESCRIPTION: Connects to a directory service provider on the specified
'              port and exports a list of attributes for each user object
'              in the directory to a tab-separated values file.
' AUTHOR: Ken St. Cyr
Option Explicit

' Define our parameters
CONST LDAPPORT = 10389
CONST DCNAME = "localhost"
CONST ATTRIBUTES = "samAccountName,displayName"
CONST OUTPUT_FILE = "attribute_backup.tsv"

' Create the necessary objects for writing to a file (8 = ForAppending, create the file if missing)
Dim objFSO : Set objFSO = CreateObject("Scripting.FileSystemObject")
Dim objFile : Set objFile = objFSO.OpenTextFile(OUTPUT_FILE, 8, True)

' Get the RootDSE for the directory on the port that we want
Dim objRootDSE : Set objRootDSE = GetObject("LDAP://" & DCNAME & ":" & _
    LDAPPORT & "/RootDSE")

' Create the connection object for the AD provider
Dim objConnection : Set objConnection = CreateObject("ADODB.Connection")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"

' Define the search to execute: <base>;filter;attributes;scope
' (the filter selects user accounts only, excluding contacts and computer objects)
Dim objCommand : Set objCommand = CreateObject("ADODB.Command")
objCommand.CommandText = "<LDAP://" & DCNAME & ":" & LDAPPORT & "/" & _
    objRootDSE.Get("defaultNamingContext") & ">;(&(objectCategory=person)(objectClass=user));" & _
    ATTRIBUTES & ";subtree"
objCommand.ActiveConnection = objConnection
objCommand.Properties("Page Size") = 1000   ' page the results so more than 1000 users are exported

' Execute the search
Dim objRecordSet : Set objRecordSet = objCommand.Execute

' Go through each result and output the attributes to a tab-separated file
Dim strSAMAccountName, strDisplayName, intCount
intCount = 0
While Not objRecordSet.EOF
    strSAMAccountName = objRecordSet.Fields("sAMAccountName").Value
    strDisplayName = objRecordSet.Fields("displayName").Value
    ' displayName is optional and comes back as Null when it is not set
    If IsNull(strDisplayName) Then strDisplayName = ""
    objFile.WriteLine strSAMAccountName & vbTab & strDisplayName
    intCount = intCount + 1
    objRecordSet.MoveNext
Wend

objFile.Close
objRecordSet.Close
objConnection.Close

WScript.Echo intCount & " entries written to " & OUTPUT_FILE
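As an added example that is not from this article or from Ken St. Cyr's script, the following PowerShell script applies the port rule described above in scripted form: it reads the users of the Dev OU from both the live directory (default port) and the exposed snapshot (port 10389) and reports which attributes changed after the snapshot was taken, which is the comparison the walkthrough performs by hand. It assumes DSAMAIN exposed the snapshot on localhost:10389 and that the OU is named Dev; the attribute list and the Get-OuUsers helper are my own choices.

```powershell
# Added example, not part of the original article or Ken St. Cyr's script.
# Compares user attributes in the "Dev" OU between the live directory (default
# port 389) and the exposed snapshot (port 10389), listing what changed since the
# snapshot was taken. Assumes DSAMAIN exposed the snapshot on localhost:10389.
param(
    [string]$LiveServer     = 'localhost',          # live DC, default LDAP port
    [string]$SnapshotServer = 'localhost:10389',    # host:port of the exposed snapshot
    [string]$OuName         = 'Dev',
    [string[]]$Attributes   = @('sAMAccountName', 'displayName', 'description', 'userAccountControl')
)

function Get-OuUsers {
    param([string]$Server)
    # RootDSE gives the domain naming context; the snapshot only answers on its custom port
    $rootDse  = [ADSI]"LDAP://$Server/RootDSE"
    $domainDn = [string]$rootDse.Properties['defaultNamingContext'].Value
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]"LDAP://$Server/OU=$OuName,$domainDn"
    $searcher.Filter      = '(&(objectCategory=person)(objectClass=user))'
    $searcher.SearchScope = 'Subtree'
    $searcher.PageSize    = 500    # paged search, so OUs with more than 1000 users are read completely
    $Attributes | ForEach-Object { [void]$searcher.PropertiesToLoad.Add($_) }
    $users = @{}
    foreach ($r in $searcher.FindAll()) {
        $row = @{}
        foreach ($a in $Attributes) {
            # multi-valued attributes are joined with ';'; attributes that are not set become ''
            $row[$a] = (@($r.Properties[$a.ToLower()]) | ForEach-Object { "$_" }) -join ';'
        }
        $users[$row['sAMAccountName']] = $row
    }
    return $users
}

$live = Get-OuUsers -Server $LiveServer
$snap = Get-OuUsers -Server $SnapshotServer

# Tab-separated report: per-attribute changes plus accounts created or deleted since the snapshot
foreach ($sam in (@($live.Keys) + @($snap.Keys) | Sort-Object -Unique)) {
    if (-not $snap.ContainsKey($sam)) { "$sam`tCREATED since snapshot"; continue }
    if (-not $live.ContainsKey($sam)) { "$sam`tDELETED since snapshot"; continue }
    foreach ($a in $Attributes) {
        if ($live[$sam][$a] -ne $snap[$sam][$a]) {
            "$sam`t$a`tsnapshot='$($snap[$sam][$a])'`tlive='$($live[$sam][$a])'"
        }
    }
}
```

Run it from an elevated prompt on the DC while the snapshot is exposed; redirect the output to a .tsv file to keep a record of what changed between the snapshot and the live directory.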
Don’t forget to disconnect the AD snapshot and to unmount it after exporting the required data. See my “Working with Active Directory Snapshots in Windows Server 2008” article.