Tuesday, January 6, 2009

Win Server 2008 Directory Services, Active Directory Snapshots

Snapshots represent the differences between a volume's current content and its state at the moment of their creation. Although ultimately the size of a snapshot depends on how dynamic the environment is and how long you decide to keep it active, snapshots are by nature typically small and can be initiated in a matter of seconds. To provide meaningful information, they must be paired with the volume from which they originated. In addition, since they are based on the copy-on-write principle, they result in an increased number of disk I/O operations, which might have a negative impact on overall performance. It is also important to realize that snapshots cannot be used for a direct restore of Active Directory objects. Their main appeal comes from the ability to easily generate and view Active Directory state at arbitrarily chosen intervals. In effect, they offer a convenient way to determine when a particular object was modified. This helps you identify the backup set most suitable for the restore and delivers extra auditing and change-tracking benefits. For the same reason, they significantly simplify extracting any pertinent historical information that can subsequently be imported into an object recovered via tombstone reanimation or used to reverse undesired modifications.

Snapshots are generated using the ntdsutil command line utility, launched either directly from the console or from a Terminal Services session of a Windows Server 2008-based domain controller. Once you are at the ntdsutil: prompt, type Activate Instance NTDS (you also have the option of pointing to an AD LDS instance by specifying its name instead of the NTDS value). Next, switch to the snapshot context by typing snapshot, followed by the create command. Shortly thereafter you should receive a notification stating that the snapshot set has been generated successfully; the message includes its unique GUID. To confirm, you can execute list all from within the same context, which provides a listing of all active snapshots (including the date and time they were created). Note that the same can be accomplished by running the following from the command prompt, which comes in handy when automating snapshot generation as a scheduled task:

ntdsutil "Activate Instance NTDS" snapshot create quit quit

Any active snapshot must be mounted before you can access it via DSAMAIN.EXE. This is done by invoking the mount command followed by either the integer assigned to each snapshot (which can be determined by running list all) or its GUID, resulting in the creation of a junction point whose name is formed by concatenating the string $SNAP, the date and time (in 24-hour format) when the snapshot was generated, and the target volume (e.g., $SNAP_200808082008_VOLUMEC$). That, in turn (as we explained in our previous article), determines the full path to the Active Directory NTDS.DIT file, which becomes $SNAP_200808082008_VOLUMEC$\Windows\NTDS\NTDS.DIT, assuming default placement of database and log files; this path is what you assign to the -dbpath switch when running the Database Mounting Tool.

After you finish browsing the mounted NTDS instance and terminate DSAMAIN.EXE, unmount the snapshot by issuing the unmount command followed, as before, by either its integer identifier or its GUID. Removal of snapshots that are no longer needed can be accomplished with the delete command. For a full overview of the snapshot syntax, refer to the Windows Server 2008 Technical Library.
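The create, mount, DSAMAIN.EXE, unmount and delete steps above, scripted end to end as an added example (this is not code from the original article). It is meant to run from an elevated PowerShell prompt on the domain controller itself. The following are assumptions rather than facts from the page: the regular expression used to pull the snapshot GUID out of ntdsutil's text output, the snapshot junction being created on the C: volume, NTDS.DIT sitting at its default location under \Windows\NTDS, and LDAP port 33389 for the mounted copy.

```powershell
# Added example, not part of the original article.
# Scheduled creation alone can be done from cmd.exe, e.g. (assumed task name and time):
#   schtasks /Create /TN "AD Snapshot" /SC DAILY /ST 02:00 /RU SYSTEM ^
#            /TR "ntdsutil \"activate instance ntds\" snapshot create quit quit"
$ErrorActionPreference = 'Stop'

function Invoke-NtdsutilSnapshot {
    # Run one or more commands inside ntdsutil's snapshot context and return its text output.
    param([string[]]$Commands)
    $cmdline = @('activate instance ntds', 'snapshot') + $Commands + @('quit', 'quit')
    return (& ntdsutil.exe @cmdline 2>&1 | Out-String)
}

# 1. Create the snapshot set; ntdsutil reports the new set's GUID in its success message.
$out = Invoke-NtdsutilSnapshot -Commands 'create'
Write-Host $out
# Assumption: the first GUID-shaped token in the output is the snapshot set's GUID.
$m = [regex]::Match($out, '[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}', 'IgnoreCase')
if (-not $m.Success) { throw 'No snapshot GUID found in ntdsutil output (output format assumed).' }
$guid = $m.Value

# 2. Mount it; ntdsutil creates a junction named $SNAP_<yyyyMMddHHmm>_VOLUME<X>$ at the volume root.
Write-Host (Invoke-NtdsutilSnapshot -Commands "mount {$guid}")
$junction = Get-ChildItem -Path 'C:\' -Filter '$SNAP_*' -Force |
            Sort-Object CreationTime -Descending | Select-Object -First 1
if (-not $junction) { throw 'Mounted snapshot junction not found on C:\ (volume assumed).' }
# Default database placement assumed, as in the article's example path.
$dbPath = Join-Path $junction.FullName 'Windows\NTDS\ntds.dit'

# 3. Serve the snapshot read-only over LDAP with the Database Mounting Tool.
$dsamain = Start-Process -FilePath 'dsamain.exe' `
           -ArgumentList "-dbpath `"$dbPath`" -ldapport 33389" -PassThru
Write-Host "Snapshot $guid is being served on LDAP port 33389 (dsamain PID $($dsamain.Id))."
Write-Host 'Browse it with ldp.exe or ADSI Edit, then press Enter to tear it down.'
[void](Read-Host)

# 4. Tear down: stop dsamain first (it holds NTDS.DIT open), then unmount and delete the set.
Stop-Process -Id $dsamain.Id
Write-Host (Invoke-NtdsutilSnapshot -Commands "unmount {$guid}")
Write-Host (Invoke-NtdsutilSnapshot -Commands "delete {$guid}")
```

The script stops dsamain.exe before unmounting because the junction cannot be released while the database file is open. Leave step 4's delete out if you intend to keep the snapshot for later comparison; unmounting alone is enough to stop serving it.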

Third-Party Offerings

Although snapshots significantly simplify handling unintended deletions or modifications of Active Directory objects (for the reasons we described earlier), the actual recovery still requires multiple steps, which might include a rather involved tombstone reanimation and restoration of the object's attributes. Fortunately, a variety of free third-party offerings can further streamline the restore process. Some of the more notable ones are listed below.

* Snapshot Recovery Tool from 1Identity - available as a free download containing the command line-based oirecmgr.exe utility, it provides the ability to recover an object and restore its attributes from an LDAP instance loaded via the Database Mounting Tool to an arbitrary Windows Server 2008 domain controller. It is also capable of reanimating tombstones in both Windows Server 2003 and 2008 Active Directory environments. Note, however, that this option precludes simultaneous attribute recovery.

Although it has a dependency on .NET Framework 2.0, it can be executed remotely from a system running Windows XP Professional or Vista. Its command line syntax allows you to restore an arbitrary number of objects, either by specifying their GUIDs via multiple -o switches or by storing them in a text file (whose name gets assigned to the -of switch), as well as attributes (in a comma-separated format). For example, the following command (executed directly from the console of the domain controller USDC-NYC001) would reanimate the deleted user object with GUID 7abadaba-daba-d000-0d15-c015dead and restore its attributes, populating both forward and back links, such as the user's group membership, by extracting the relevant information from an Active Directory snapshot accessible via port 33389. Reanimating tombstoned user accounts does not reinstate their passwords, which will need to be reset before you enable them, since by default they are disabled following the restore:

oirecmgr.exe -o 7abadaba-daba-d000-0d15-c015dead -sh USDC-NYC001:33389 -ol -real

* Directory Service Comparison Tool is supposed to provide similar functionality, but via a graphical interface in the form of a Microsoft Management Console snap-in, which becomes available once you install the freely downloadable setup program (available in both x86 and x64 versions). To configure it, select the Datasource Settings... entry from the context-sensitive menu of its node in the tree pane. In the resulting Datasource Settings dialog box, specify the name of a target domain controller and a server hosting a snapshot (or another VSS-compliant restore) mounted using DSAMAIN.EXE, along with their LDAP ports, as well as the naming context you intend to compare. The pane window of the console is divided into three tabs, intended for the list of modifications, additions and deletions (respectively) that took place since the DSAMAIN-mounted LDAP directory services store was created. Unfortunately, the tool's functionality is somewhat limited (at least as far as snapshots are concerned), due to a bug affecting the highestCommittedUSN value recorded in Active Directory snapshots. Like the Snapshot Recovery Tool, this utility relies on .NET Framework 2.0 being installed, in addition to MMC 3.0, and can be installed on a remote Windows XP Professional or Vista system.

* Active Directory Explorer from the Sysinternals team occupies a distinct position in this list since it provides its own capability to create snapshots, independent of the one introduced in Windows Server 2008 and supported on all Active Directory versions. Their content can be derived from an online Active Directory environment by connecting to one of its domain controllers, or from a restored backup or VSS-compatible snapshot mounted using the DSAMAIN.EXE utility. In addition, it is possible to store them for offline viewing in an arbitrary location. The intuitive graphical interface of AD Explorer simplifies browsing their content and includes search and comparison features.
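The comparison the Directory Service Comparison Tool performs can also be scripted directly against the two LDAP endpoints, which sidesteps the highestCommittedUSN limitation mentioned above because it compares attribute values rather than USNs. The following is an added example, not code from the article or from any of the tools it lists. It reads one object from the live domain controller and from a snapshot served by DSAMAIN.EXE and reports the attributes that differ, using the article's server name USDC-NYC001 and port 33389; the distinguished name, the live port 389 and the list of replication-metadata attributes to ignore are assumptions. Run it from an admin workstation or the domain controller with read access to both endpoints.

```powershell
# Added example, not part of the original article (PowerShell 2.0 compatible).
param(
    [string]$Server       = 'USDC-NYC001',                              # from the article
    [int]   $LivePort     = 389,                                        # assumed
    [int]   $SnapshotPort = 33389,                                      # from the article
    [string]$ObjectDN     = 'CN=Jane Doe,OU=Users,DC=corp,DC=example'   # assumed sample DN
)

# Attributes that legitimately change with every replication cycle; assumed noise list.
$IgnoredAttributes = @('uSNChanged', 'uSNCreated', 'whenChanged',
                       'dSCorePropagationData', 'lastLogon', 'logonCount',
                       'lastLogonTimestamp', 'replPropertyMetaData')

function Get-AdObjectAttributes {
    # Return a hashtable attribute -> comparable string, or $null if the object is absent.
    param([string]$Server, [int]$Port, [string]$DN)
    $entry = [ADSI]"LDAP://${Server}:${Port}/${DN}"
    try {
        $names = @($entry.Properties.PropertyNames)   # first access triggers the bind
    } catch {
        return $null
    }
    $result = @{}
    foreach ($name in $names) {
        if ($IgnoredAttributes -contains $name) { continue }
        # Use a foreach statement, not the pipeline, so byte[] values are not unrolled.
        $flat = foreach ($v in @($entry.Properties[$name])) {
            if ($v -is [byte[]]) { [BitConverter]::ToString($v) } else { [string]$v }
        }
        $result[$name] = (@($flat) | Sort-Object) -join ';'
    }
    return $result
}

function Compare-AdObjectState {
    # Emit one record per attribute whose value differs between the snapshot and live copies.
    param([hashtable]$Snapshot, [hashtable]$Live)
    $names = @($Snapshot.Keys) + @($Live.Keys) | Sort-Object -Unique
    foreach ($n in $names) {
        $before = $Snapshot[$n]
        $after  = $Live[$n]
        if ($before -ne $after) {
            New-Object PSObject -Property @{ Attribute = $n; Snapshot = $before; Live = $after }
        }
    }
}

$snap = Get-AdObjectAttributes -Server $Server -Port $SnapshotPort -DN $ObjectDN
$live = Get-AdObjectAttributes -Server $Server -Port $LivePort     -DN $ObjectDN

if ($snap -eq $null) {
    Write-Host "Object not present in the snapshot: $ObjectDN"
} elseif ($live -eq $null) {
    # Typical when investigating a deletion: the snapshot still holds the full attribute set.
    Write-Host "Object deleted from the live directory; snapshot holds $($snap.Count) attributes."
    $snap.GetEnumerator() | Sort-Object Name | Format-Table Name, Value -AutoSize
} else {
    Compare-AdObjectState -Snapshot $snap -Live $live |
        Select-Object Attribute, Snapshot, Live | Format-Table -AutoSize
}
```

When the object is missing from the live directory, the script dumps the snapshot's copy of its attributes; that dump is exactly the historical information the article describes feeding back into an object recovered through tombstone reanimation. Running the same comparison against several snapshots mounted in turn narrows down when a given attribute changed.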

Source: http://www.serverwatch.com/tutorials/article.php/3794191
