Well, the other day I saw this in an official Microsoft doc and it had to be tested. It refers to being able to take snapshots of our Active Directory, for the simple fact of taking it to another computer and performing some tests with LDAP tools for example, or to see how our Active Directory was doing at any given time, in case we have to do an authoritative AD restore and we don't know what an object or container is called (http://www.bujarra.com/?p=1593), or to use with ADrestore to find out what a Tombstone is called (http://www.bujarra.com/?p=1567)… In any case, it is not advisable to have many snapshots that are not going to be used due to loss of performance.

To make a snapshot of Active Directory, first from a DOS console, Run: “Ntdsutil”

Inside ntdsutil, Run “snapshot”

The first thing is to activate the NTDS instance to indicate that it will be a snapshot of our Active Directory, so we type: “activate instance ntds”

Now we create the snapshot with the command: “Create”

… We wait a few seconds while the instance is created…

OK, Instance created, we can exit with “q” or “Quit”.

With the parameter “list all” we can see all the snapshots we have created in our AD, all of this within “Ntdsutil” > “snapshot”.

With the parameter “delete NUMBER” we can delete a snapshot that we no longer need, all of this within “Ntdsutil” > “snapshot”.

What are these snapshots for? Not bad, we can mount a snapshot and access the data from our old Active Directory, nos montará todo su contenido en un directorio de nuestro C: con ello podremos acceder al antiguo NTDS. DIT o lo que necesitemos. Montamos un snapshot con el comando “mount NÚMERO” (inside “Ntdsutil” > “snapshot”).

Vemos que nos monta la instantánea en un directorio en concreto C:$SNAP_AAAAMMDDHHMM_VOLUMEX$ podemos comprobar el contenido si nos interesa.

Pero lo ideal es usar el comando DSAMAIN para hacer más o menos un ‘servidor LDAP’ 🙂 El comando sería: dsamain -dbpath PATH_DEL_SNAPSHOTDIRECTORIO_NTDSNTDS. DIT -ldapport NÚMERO_PUERTO. Este NÚMERO_PUERTO será el puerto tcp que permitirá conexiones entrantes a nuestra base de datos del Directorio Activo. Apart from, DSAMAIN abre los siguientes puertos para poder usarlos además:

LDAPS (LDAP sobre SSL): NÚMERO_PUERTO + 1.
GC (Global Catalog): NÚMERO_PUERTO + 2.
GCS (Global Catalog on SSL): NÚMERO_PUERTO + 3.

The thing is that DSAMAIN stays listening for requests on any of those ports to connect to that AD snapshot.

We can use any console to connect to this snapshot, For example, if we open the console of “Active Directory Users and Teams” and right-click “Change the domain controller…”

If we check the option “This writable domain controller”, we will be able to enter the address we want to connect to, For example: localhost:NÚMERO_PUERTO. & “Accept”,

In this image, you can see the same console connected to the current Active Directory and the other to the snapshot, seeing the differences, for example, if we want to know what properties were configured for the user 'dos'’ or to restore them with ADrestore…