Restoring Active Directory Attributes with PowerShell - Part 1

Active Directory Recycle Bin. Great Feature. But what happens if instead of deleting the object, some of the attributes are misconfigured? Enter Active Directory snapshot.

In this first article of the Restoring Active Directory Attributes with PowerShell series, we are going to talk about Active Directory snapshots; later on we are going to see how to restore attributes on objects.

So, what is an Active Directory snapshot? It's actually a VSS snapshot of the volume that the Active Directory database resides on. And how can we use that snapshot? We can use it as a backup, as a way to avoid full replication when installing a Domain Controller on a remote site, and in many other ways, but we are going to focus on mounting it and using dsamain in order to load the database and access it live.

Let's see some examples on how to create such a snapshot. Of course, you need to have the appropriate rights, like domain or forest administrator. To create a snapshot, we are going to use the ntdsutil executable just like in the following screenshot:


On a command prompt window we type "ntdsutil" and then "activate instance ntds" followed by "snapshot" in order to get to the snapshot menu and finally "create" to create a snapshot.

To list all the snapshots, we can use the "list all" command when in the snapshot menu:


To mount a snapshot in order to access the files you can use "mount" followed by the number or the id of the snapshot:


The first snapshot is now mounted and accessible under "C:\$SNAP_201706171142_VolumeC$\".

Now that we have a mounted snapshot, let's load the Active Directory database and access it. To load the database we are going to need the full path to the file. To construct that path, we are going to combine the path where the snapshot is mounted with the relative path of the database file on the drive. Then we are going to use the dsamain executable to load it. On my domain controller, that path would be "C:\$SNAP_201706171142_VOLUMEC$\Windows\NTDS\ntds.dit"

Let's load the database by executing the following on a new command prompt:
dsamain /dbpath "C:\$SNAP_201706171142_VOLUMEC$\Windows\NTDS\ntds.dit" /ldapport 33389



Now that the database is loaded, we are going to connect to port 33389 and access it using LDP.exe:


At this point we are going to assume that our work is completed and we will start to clean up.

First, close the ldp window and then close the dsamain window in order to unload the database. Then we have to unmount the snapshot using the "unmount" command in the ntdsutil snapshot menu, followed by the number or the id of the mounted snapshot.

In case you want to remove the snapshot, all you have to do is to use the "delete" command followed by the number or the id of the snapshot.
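As an added example (not code from the original post), here is a PowerShell script that automates the steps above end to end: create the snapshot, mount it, load it with dsamain on port 33389, compare one attribute between the snapshot and the live directory, and clean up. It assumes an elevated session on a domain controller with the ActiveDirectory module installed; the DN in $Identity is a placeholder, and the parsing of ntdsutil's output is based on its usual "n: ..." listing and "mounted as <path>" lines.

```powershell
# Added example, not the post's own code. Assumes an elevated session on a DC
# with the ActiveDirectory module; $Identity is a placeholder DN.
#Requires -RunAsAdministrator
param(
    [string]$Identity  = 'CN=Jane Doe,OU=Users,DC=contoso,DC=com',  # placeholder
    [string]$Attribute = 'description',
    [int]$LdapPort     = 33389
)
Import-Module ActiveDirectory

# 1. Create a snapshot (same as the menu steps: activate instance ntds, snapshot, create).
ntdsutil "activate instance ntds" snapshot create quit quit | Out-Null

# 2. Mount the newest snapshot. "list all" must precede "mount <n>" in the same
#    ntdsutil session; the highest index in the listing is the newest entry.
$listing = ntdsutil snapshot "list all" quit quit
$newest  = ($listing | Select-String '^\s*(\d+): ' |
            ForEach-Object { [int]$_.Matches[0].Groups[1].Value } |
            Measure-Object -Maximum).Maximum
$mountOut  = ntdsutil snapshot "list all" "mount $newest" quit quit
$mountPath = ($mountOut | Select-String 'mounted as (\S+)').Matches[0].Groups[1].Value

try {
    # 3. Load the snapshot's ntds.dit on an alternate LDAP port; dsamain keeps
    #    running until we stop it, so start it as a separate process.
    $dbPath  = Join-Path $mountPath 'Windows\NTDS\ntds.dit'
    $dsamain = Start-Process dsamain -ArgumentList "/dbpath `"$dbPath`" /ldapport $LdapPort" -PassThru
    Start-Sleep -Seconds 10   # give dsamain time to bring the LDAP listener up

    # 4. Read the attribute from the snapshot (localhost:33389) and from the live
    #    directory, and report whether it has drifted since the snapshot was taken.
    $old = (Get-ADObject -Identity $Identity -Properties $Attribute -Server "localhost:$LdapPort").$Attribute
    $now = (Get-ADObject -Identity $Identity -Properties $Attribute).$Attribute
    if ("$old" -ne "$now") {
        Write-Warning "$Attribute differs. Snapshot: '$old'  Live: '$now'"
        # Restoring the old value would be:
        # Set-ADObject -Identity $Identity -Replace @{ $Attribute = $old }
    } else {
        Write-Host "$Attribute is unchanged since the snapshot."
    }
}
finally {
    # 5. Clean up: stop dsamain to unload the database, then unmount the snapshot.
    if ($dsamain -and -not $dsamain.HasExited) { Stop-Process -Id $dsamain.Id }
    ntdsutil snapshot "list all" "unmount $newest" quit quit | Out-Null
}
```

The snapshot itself is left in place for later use; remove it with the "delete" command as described above if it is no longer needed.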

If you say this is a bit complicated and it would be difficult to restore the attributes on an object, I couldn't agree more! In the next article, we are going to use a PowerShell module I've created that will make our lives easier!
