1. Creating Active Directory snapshot

Creating an Active Directory snapshot

The process of creating an Active Directory snapshot is reasonably straightforward:

Log onto a Windows Server domain controller

Launch an elevated administrator command prompt

Type ntdsutil and press enter

Type snapshot and press enter

Type activate instance ntds and press enter.

Type create and press enter.

The create command will return the following output:

Type quit and press enter to return to the ntdsutil menu, then type quit again.

A snapshot can also be created with a single line ntdsutil.exe command:

ntdsutil snapshot "activate instance ntds" create quit quit

The single line command can be used to automate the creation of Active Directory snapshots by putting it in a batch file and using Task Scheduler to automate its execution (with the appropriate credentials).

Once snapshots have been created they can be listed with the ntdsutil.exe list all command:



list all

mount 1 (or the number of another snapshot in the list)

Mounting the snapshot

Using dsamain

dsamain /dbpath <path to database file> /ldapport <PortNumber>


Be sure to use a port number other than 389, because the live database is already using that default port.

Once the snapshot is exported with dsamain.exe you can connect to the LDAP server which it hosts using the familiar suite of Active Directory tools such as Active Directory Users and Computers or ADSIEdit.  For example, to connect using Active Directory Users and Computers:

Launch Active Directory Users and Computers

Right-click Active Directory Users and Computers then click Change Domain Controller

Click <Type a Directory Server name[:port] here>, type the name of the Directory Server and port, press enter, then click OK


Active Directory Users and Computers is now accessing the snapshot data, and you will notice that the object attributes are read-only.


ADUC is good for browsing data to see the historic state which can be useful for looking at individual changes over time, but in my case I needed to restore attributes to a few hundred broken distribution groups.  I needed a method which would allow me to automate this recovery, and the cmdlets and provider included in the Active Directory PowerShell Module were perfect for what I wanted to do.

The module includes a PowerShell provider for Active Directory, and many cmdlets for manipulating Active Directory objects.  It's automatically installed on Windows Server 2012 R2 domain controllers and it can be installed as part of the Remote Server Administration Tools (RSAT) feature on Windows Server 2012 R2 or Windows 10.  To use the Active Directory PowerShell Module you must have at least one Windows Server 2012 R2 domain controller in your domain.

To launch the Active Directory PowerShell Module, log onto a Windows Server 2012 R2 or Windows 10 machine, click Start, Administrative Tools, and Active Directory Module for Windows PowerShell.


As the Active Directory PowerShell module loads it will automatically connect a PSDrive to the ActiveDirectory provider, which gives the shell access to the live Active Directory instance.  It is also possible to connect a PSDrive to an Active Directory snapshot which is exported with dsamain.exe by using the New-PSDrive cmdlet and specifying the server and port on which the exported snapshot is running.  For example:

New-PSDrive -Name ADSnap -PSProvider ActiveDirectory -Root "" -Server server01.example.com:10389
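
One way to automate the attribute recovery described above, as an added example that is not code from the original page: it reads distribution groups from the exported snapshot, compares selected attributes with the live directory, and previews the restore with -WhatIf. The OU, the attribute list, and querying the snapshot through the cmdlets' -Server parameter (rather than through the PSDrive) are assumptions.

```powershell
# Added example: restore group attributes from a dsamain-exported snapshot.
# Assumed values: $SearchBase and $Attributes are illustrative, not from the page.
Import-Module ActiveDirectory

$SnapshotServer = 'server01.example.com:10389'            # dsamain instance and port
$SearchBase     = 'OU=Groups,DC=example,DC=com'           # assumed OU
$Attributes     = 'mail', 'displayName', 'proxyAddresses' # assumed string attributes

# Historic state: query the read-only snapshot instance.
$snapGroups = Get-ADGroup -Filter 'GroupCategory -eq "Distribution"' `
    -SearchBase $SearchBase -Server $SnapshotServer -Properties $Attributes

foreach ($old in $snapGroups) {
    # Match on objectGUID, which does not change when a group is renamed or moved.
    try {
        $live = Get-ADGroup -Identity $old.ObjectGUID -Properties $Attributes -ErrorAction Stop
    }
    catch {
        Write-Warning "Not found in live directory: $($old.DistinguishedName)"
        continue
    }

    $replace = @{}
    foreach ($attr in $Attributes) {
        # Normalise single- and multi-valued attributes to sorted string arrays.
        [string[]]$oldVal = @($old.$attr  | Where-Object { $_ } | Sort-Object)
        [string[]]$newVal = @($live.$attr | Where-Object { $_ } | Sort-Object)

        if ($oldVal.Count -eq 0) { continue }   # snapshot has nothing to restore
        if (($oldVal -join "`n") -cne ($newVal -join "`n")) {
            $replace[$attr] = $oldVal
        }
    }

    if ($replace.Count -gt 0) {
        Write-Output "Differs: $($live.DistinguishedName) [$($replace.Keys -join ', ')]"
        # -WhatIf only previews the change; remove it after reviewing the output.
        Set-ADGroup -Identity $live.ObjectGUID -Replace $replace -WhatIf
    }
}
```

Run it from the Active Directory Module for Windows PowerShell while dsamain.exe is still serving the snapshot.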


