AD DS: Database Mounting Tool (Snapshot Viewer or Snapshot Browser)

Applies To: Windows Server 2008

The Active Directory® database mounting tool (Dsamain.exe) can improve recovery processes for your organization by providing a means to compare data as it exists in snapshots or backups that are taken at different times so that you can better decide which data to restore after data loss. This eliminates the need to restore multiple backups to compare the Active Directory data that they contain.

Note

During product development, this feature has also been known by previous code names, including Snapshot Viewer, Snapshot Browser and Active Directory data mining tool.

By using the Active Directory database mounting tool, you can examine any changes that are made to data that is stored in Active Directory Domain Services (AD DS). For example, if an object is accidentally modified, you can use the Active Directory database mounting tool to examine the changes and help you better decide how to correct them if necessary.

What does the Active Directory database mounting tool do?

Although the Active Directory database mounting tool does not recover deleted objects by itself, it helps streamline the process for recovering objects that have been accidentally deleted. Before the Windows Server® 2008 operating system, when objects or organizational units (OUs) were accidentally deleted, the only way to determine exactly which objects were deleted was to restore data from backups. This approach had two drawbacks:

  • The domain controller had to be restarted in Directory Services Restore Mode to perform an authoritative restore.

  • An administrator could not compare data in backups that were taken at different points in time (unless the backups were restored to various domain controllers, a process which is not feasible).

The purpose of the Active Directory database mounting tool is to expose AD DS data that is stored in snapshots or backups online. Administrators can then compare data in snapshots or backups that are taken at different points in time, which in turn helps them to make better decisions about which data to restore, without incurring service downtime.

Who will be interested in this feature?

The following individuals should review this information about the Active Directory database mounting tool:

  • Information technology (IT) planners and analysts who are technically evaluating the product

  • Enterprise IT planners and designers for organizations

  • Administrators, operators, and managers who are responsible for IT operations, including recovery of deleted AD DS data

Are there any special considerations?

There are two aspects to the problem of recovering deleted data:

  • Preserving deleted data so that it can be recovered

  • Actually recovering deleted data when it is required

The Active Directory database mounting tool makes it possible for deleted AD DS or Active Directory Lightweight Directory Services (AD LDS) data to be preserved in the form of snapshots of AD DS that are taken by the Volume Shadow Copy Service (VSS). The tool does not actually recover the deleted objects and containers. The administrator must perform data recovery as a subsequent step.

You can use a Lightweight Directory Access Protocol (LDAP) tool such as Ldp.exe, which is built into Windows Server 2008, to view the data that is exposed in the snapshots. The exposed data is read-only. By default, only members of the Domain Admins and Enterprise Admins groups are allowed to view the snapshots because they contain sensitive AD DS data.

Safeguard the AD DS snapshots from unauthorized access just as you protect backups of AD DS. A malicious user who has access to the snapshots can use them to reveal sensitive data that might be stored in AD DS. For example, a malicious user might copy AD DS snapshots from forest A to forest B, and then use Domain Admin or Enterprise Admin credentials from forest B to examine the data. Use encryption or other data security precautions with AD DS snapshots to help mitigate the chance of unauthorized access to AD DS snapshots.

How should I prepare to deploy this feature?

The process for using the Active Directory database mounting tool includes the following steps:

  1. Although it is not a requirement, you can schedule a task that regularly runs Ntdsutil.exe to take snapshots of the volume that contains the AD DS database.

  2. Run Ntdsutil.exe to list the snapshots that are available, and mount the snapshot that you want to view.

  3. Run Dsamain.exe to expose the snapshot volume as an LDAP server.

    Dsamain.exe takes the following arguments:

    • AD DS database (Ntds.dit) path. The database is opened as read-only by default, and the path must contain only ASCII characters.

    • Log path. This can be a temporary path, but you must have write access.

    • Four port numbers for LDAP, LDAP-SSL, Global Catalog, and Global Catalog–SSL. Only the LDAP port is required. If the other ports are not specified, they use LDAP+1, LDAP+2, and LDAP+3, respectively. For example, if you specify LDAP port 41389 without specifying other port values, the LDAP-SSL port uses port 41390 by default, and so on.

    To stop Dsamain, press CTRL+C in the Command Prompt window or, if you are running the command remotely, set the stopservice attribute on the rootDSE object.

  4. Run and attach Ldp.exe to the snapshot’s LDAP port that you specified when you exposed the snapshot as an LDAP server in the previous step.

  5. Browse the snapshot just as you would with any live domain controller.
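The five steps above, carried out unattended from PowerShell, as an added example that is not part of the original article. It assumes an elevated PowerShell 2.0 prompt on a Windows Server 2008 domain controller, the database at the default location under the snapshot mount point (Windows\NTDS\ntds.dit), the LDAP port 41389 used in the article, and the Ntdsutil output formats quoted in the comments.

```powershell
# Added example (not part of the original article): take a VSS snapshot of the AD DS
# database with Ntdsutil.exe, mount it, and expose it with Dsamain.exe on LDAP port
# 41389 (the port used in the article), so Ldp.exe or a script can browse it.
# Assumptions: elevated PowerShell 2.0 on a Windows Server 2008 DC, the database at
# the default location <mount point>\Windows\NTDS\ntds.dit, and the Ntdsutil output
# formats quoted in the comments below.
$LdapPort    = 41389
$GuidPattern = '\{[0-9a-fA-F-]{36}\}'

# Step 1: create a snapshot set of the volume(s) holding the AD DS database.
# Ntdsutil reports: "Snapshot set {GUID} generated successfully."
$createOut = & ntdsutil.exe snapshot "activate instance ntds" create quit quit 2>&1
$setGuid   = [regex]::Match(($createOut -join "`n"), $GuidPattern).Value
if (-not $setGuid) { throw "Snapshot creation failed:`n$createOut" }

# Step 2: list the available snapshots, then mount the set just created.
& ntdsutil.exe snapshot "list all" quit quit
# Ntdsutil reports: "Snapshot {GUID} mounted as C:\$SNAP_200801201000_VOLUMEC$\"
$mountOut  = & ntdsutil.exe snapshot "mount $setGuid" quit quit 2>&1
$mountPath = [regex]::Match(($mountOut -join "`n"), '[A-Za-z]:\\\$SNAP_[^\\]+\$\\').Value
if (-not $mountPath) { throw "Snapshot mount failed:`n$mountOut" }

# Step 3: expose the snapshot database as a read-only LDAP server. Only the LDAP port
# is given, so LDAP-SSL, GC and GC-SSL default to 41390, 41391 and 41392.
$dbPath  = Join-Path $mountPath 'Windows\NTDS\ntds.dit'
$logPath = Join-Path $env:TEMP 'dsamain-logs'      # any writable scratch directory
New-Item -ItemType Directory -Path $logPath -Force | Out-Null
$dsamain = Start-Process -FilePath dsamain.exe -PassThru `
    -ArgumentList "/dbpath `"$dbPath`" /logpath `"$logPath`" /ldapport $LdapPort"

# Wait until the port accepts connections before pointing Ldp.exe or a script at it.
$ready = $false
for ($i = 0; $i -lt 30 -and -not $ready; $i++) {
    Start-Sleep -Seconds 2
    try {
        $tcp = New-Object Net.Sockets.TcpClient('localhost', $LdapPort)
        $tcp.Close(); $ready = $true
    } catch { }
}
if (-not $ready) { Stop-Process -Id $dsamain.Id -Force; throw "Dsamain is not listening on $LdapPort" }

# Steps 4-5: the snapshot now answers LDAP queries like any DC; read its RootDSE.
$rootDse = [ADSI]"LDAP://localhost:$LdapPort/RootDSE"
"Snapshot exposed on port $LdapPort; defaultNamingContext = $($rootDse.defaultNamingContext)"
"Browse it with Ldp.exe (Connection > Connect > localhost, port $LdapPort)."
"Clean-up when finished: press CTRL+C in the Dsamain window, then run: ntdsutil snapshot `"unmount $setGuid`" quit quit"
```

Because the exposed data is as sensitive as a backup of AD DS, run this only on the domain controller itself and remove the snapshot with the Ntdsutil `delete` subcommand once the investigation is complete.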

If you have some idea which OU or objects were deleted, you can look up the deleted objects in the snapshots and record the attributes and back-links that belonged to the deleted objects. Reanimate these objects by using the tombstone reanimation feature. Then, manually repopulate these objects with the stripped attributes and back-links as identified in the snapshots.

Although you must manually re-create the stripped attributes and back-links, the Active Directory database mounting tool makes it possible for you to re-create deleted objects and their back-links without restarting the domain controller in Directory Services Restore Mode. You can also use the tool to look up aspects of previous AD DS configurations, such as permissions that were in effect.
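The comparison and recording step described in the two preceding paragraphs (looking up a deleted object in the snapshot and noting the attributes and back-links to repopulate after tombstone reanimation), as an added example that is not part of the original article. It assumes Dsamain is already listening on localhost:41389, PowerShell 2.0 on a domain member, a caller in Domain Admins, and a sample distinguished name that is constructed.

```powershell
# Added example (not part of the original article): compare one object's attributes
# in an exposed snapshot (Dsamain listening on localhost:41389) with the live DC, and
# list the attributes and back-links recorded in the snapshot that must be reapplied
# by hand after tombstone reanimation. Assumptions: PowerShell 2.0 on a domain member,
# a caller in Domain Admins (the default group allowed to read snapshots), and the
# sample DN at the bottom, which is constructed.
function Get-AdsiAttributes {
    param([string]$Server, [string]$DistinguishedName)
    # "LDAP://host:port/DN" binds to Dsamain; a serverless "LDAP://DN" binds to a live DC.
    $path = if ($Server) { "LDAP://$Server/$DistinguishedName" } else { "LDAP://$DistinguishedName" }
    $entry = [ADSI]$path
    $attrs = @{}
    try {
        $entry.RefreshCache()   # throws if the object does not exist on that server
        foreach ($name in $entry.Properties.PropertyNames) {
            # Flatten multi-valued attributes to a sorted string so they compare reliably
            $attrs[$name] = (@($entry.Properties[$name]) | ForEach-Object { "$_" } | Sort-Object) -join ';'
        }
    } catch { return $null }    # deleted (or never present) on this server
    return $attrs
}

function Compare-AdObjectSnapshot {
    param([string]$DistinguishedName, [string]$SnapshotServer = 'localhost:41389', [string]$LiveServer = '')
    $snap = Get-AdsiAttributes -Server $SnapshotServer -DistinguishedName $DistinguishedName
    $live = Get-AdsiAttributes -Server $LiveServer     -DistinguishedName $DistinguishedName
    if (-not $snap) { throw "Object is not present in the snapshot: $DistinguishedName" }
    if (-not $live) {
        Write-Warning "Object is missing on the live DC; snapshot values are what to repopulate after reanimation"
        $live = @{}
    }
    # Back-links are computed from forward links on other objects and are lost on deletion,
    # so reanimation cannot bring them back; they are the values to restore manually.
    $backLinks = 'memberof', 'managedobjects', 'directreports'
    foreach ($name in ($snap.Keys | Sort-Object)) {
        if ($snap[$name] -ne $live[$name]) {
            New-Object PSObject -Property @{
                Attribute  = $name
                IsBackLink = ($backLinks -contains $name.ToLower())
                Snapshot   = $snap[$name]
                Live       = $live[$name]
            }
        }
    }
}

# Constructed sample DN; replace it with the object under investigation.
Compare-AdObjectSnapshot -DistinguishedName 'CN=Alice Example,OU=Sales,DC=corp,DC=example' |
    Format-Table Attribute, IsBackLink, Snapshot, Live -AutoSize
```

To compare two snapshots taken at different times instead of snapshot against live DC, expose the second snapshot on another port and pass it as -LiveServer (for example 'localhost:42389').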