Dsamain

Applies To: Windows Server 2008, Windows Server 2012, Windows 8

Exposes Active Directory data that is stored in a snapshot or backup as a Lightweight Directory Access Protocol (LDAP) server.

Dsamain.exe is a command-line tool that is built into Windows Server 2008. It is available if you have the Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS) server role installed. It is also available if you install the Active Directory Domain Services Tools that are part of the Remote Server Administration Tools (RSAT). For more information, see How to Administer Microsoft Windows Client and Server Computers Locally and Remotely (https://go.microsoft.com/fwlink/?LinkID=177813).

To use Dsamain, you must run the dsamain command from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.

For examples of how to use this command, see Examples.

Syntax

dsamain /dbpath <filepath> [/logpath <path>] [/adlds] /ldapPort <number> [/sslPort <number>] [/gcport <number>] [/gcSslport <number>] [/allowUpgrade] [/allowNonAdminAccess]

Parameters

Parameter

Description

/dbpath <filepath>

Specifies the file path to the database file. <filepath> must point to the database file, which might be on read-only media, such as a mounted snapshot; in a backup; or on another server, such as a domain controller or an AD LDS server. The database must be in a consistent state; that is, the Extensible Storage Engine (ESE) logs must be replayed. If you run the Ntdsutil snapshot subcommand or if you run Windows Server Backup on a server running Windows Server 2008, the resulting snapshot or backup will be in a consistent state.

Note

A snapshot is a shadow copy of the volumes that contain the Active Directory database and log files. A snapshot is created by the Volume Shadow Copy Service (VSS).

/logpath <path>

Specifies the path to a writable folder where the log files are created. If the path is not specified, the TEMP folder is used.

/adlds

Opens an AD LDS database. You must specify this parameter if you are exposing an AD LDS database. You must not specify this parameter if you are exposing an AD DS database; otherwise, Dsamain fails.

/ldapPort <number>

Specifies the LDAP port value. Use this same port value when you use a tool such as Ldp.exe to view that data.

Note

LDP is a graphical user interface (GUI)-based utility that you can use to display the results of LDAP operations.

/sslPort <number>

Specifies the Secure Sockets Layer (SSL) port value.

/gcport <number>

Specifies the global catalog port number. This parameter applies only to an AD DS database.

/gcSslport <number>

Specifies the global catalog SSL port number. This parameter applies only to an AD DS database.

/allowUpgrade

Allows an upgrade to the database file. This is useful for opening earlier versions of databases or snapshots. The file must be on writable media.

/allowNonAdminAccess

Allows nonadministrators to access data in the directory. If this option is not specified, only Domain Admins and Enterprise Admins from the target domain can access the data. Use this parameter to expose data from a domain that no longer exists.

quit

Returns to the prior menu.

Help

Displays Help for this command.

?

Displays Help for this command.

Remarks

  • For the dbpath parameter, you must specify a mounted snapshot or a backup that you want to view along with the complete path to the Ntds.dit file, for example:

    /dbpath E:\$SNAP_200704181137_VOLUMED$\WINDOWS\NTDS\ntds.dit
  • Only the LDAP port is required. If you do not specify the other ports, they use LDAP+1, LDAP+2, and LDAP+3, respectively. For example, if you specify LDAP port 41389 without specifying other port values, the LDAP-SSL port uses port 41390 by default, and so on.

  • You cannot specify ports that are currently in use. If you run the command on a domain controller, specify different ports than those that are used by the local domain controller, for example:

    dsamain /dbpath <filepath> /ldapport 51389 /sslport 51636 /gcport 53268 /gcsslport 53269
  • Include a space between the name of the parameter and the value that you specify.

  • All permissions that apply to the data in the snapshot or backup are enforced when you view the data.

  • By default, Dsamain allows only members of the Domain Admins and Enterprise Admins groups to view the sensitive data that can be contained in snapshots and backups.
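The following PowerShell script is an added example, not part of the Dsamain documentation. It applies the remarks above: it derives the three optional ports from the LDAP port using the LDAP+1, LDAP+2, LDAP+3 rule, refuses to start if any of the four ports is already listening (as it would be on a domain controller that uses the standard ports), and then launches Dsamain with space-separated parameter values. The snapshot path and log folder are constructed placeholders, and Get-NetTCPConnection is assumed to be available (Windows 8 / Windows Server 2012 or later).

```powershell
# Added example (not from the Dsamain documentation): start Dsamain against a
# mounted snapshot after checking that none of the four ports it will use is
# already listening. The snapshot path and log folder are placeholders.
# Get-NetTCPConnection requires Windows 8 / Windows Server 2012 or later.
param(
    [string]$DbPath   = 'E:\$SNAP_200704181137_VOLUMED$\WINDOWS\NTDS\ntds.dit',
    [string]$LogPath  = 'C:\DsamainLogs',
    [int]   $LdapPort = 51389
)

# Dsamain uses LDAP+1, LDAP+2 and LDAP+3 for the other ports when they are not
# given; compute them explicitly so that they can be checked before starting.
$ports = [ordered]@{
    ldapPort  = $LdapPort
    sslPort   = $LdapPort + 1
    gcPort    = $LdapPort + 2
    gcSslPort = $LdapPort + 3
}

if (-not (Test-Path -LiteralPath $DbPath)) {
    throw "Database file not found: $DbPath"
}
if (-not (Test-Path -LiteralPath $LogPath)) {
    New-Item -ItemType Directory -Path $LogPath | Out-Null
}

# Ports that are already listening (on a domain controller typically
# 389/636/3268/3269) make Dsamain fail, so refuse to start if any is in use.
$listening = Get-NetTCPConnection -State Listen | Select-Object -ExpandProperty LocalPort
$inUse = $ports.GetEnumerator() | Where-Object { $listening -contains $_.Value }
if ($inUse) {
    $inUse | ForEach-Object { Write-Warning ("{0} {1} is already in use" -f $_.Key, $_.Value) }
    throw "Choose a different /ldapPort value; none of the four ports may be in use."
}

# The separator between a parameter name and its value is a space, not a colon.
# /allowNonAdminAccess is deliberately omitted so that the permissions stored in
# the snapshot are enforced and only Domain Admins / Enterprise Admins can read it.
$arguments = @(
    '/dbpath',    $DbPath,
    '/logpath',   $LogPath,
    '/ldapPort',  $ports.ldapPort,
    '/sslPort',   $ports.sslPort,
    '/gcPort',    $ports.gcPort,
    '/gcSslPort', $ports.gcSslPort
)
Write-Host "Starting dsamain: LDAP $($ports.ldapPort), SSL $($ports.sslPort), GC $($ports.gcPort), GC-SSL $($ports.gcSslPort)"
# Dsamain serves the snapshot in the foreground until it is stopped with Ctrl+C.
& dsamain.exe @arguments
```

While the script is running, connect Ldp.exe to localhost on the LDAP port shown to browse the snapshot.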

Examples

The following example exposes the data in the snapshot $SNAP_200704181137 as an LDAP server, using LDAP port 51389:

dsamain /dbpath E:\$SNAP_200704181137_VOLUMED$\WINDOWS\NTDS\ntds.dit /ldapport 51389

Additional references

Command-Line Syntax Key

snapshot