Create a Snapshot of AD DS by using NTDSUTIL in Windows Server 2016

By | 03/04/2018

what’s snapshot and what’s NTDSUTIL?

Manages snapshots of the volumes that contain the Active Directory database and log files, which you can view on a domain controller without starting in Directory Services Restore Mode (DSRM). You can also run the snapshot subcommand on an Active Directory Lightweight Directory Services (AD LDS) server.

In the command-line tool Ntdsutil.exe, you can use the snapshot subcommand to manage the snapshots, but you must use Dsamain.exe to expose the snapshot as a Lightweight Directory Access Protocol (LDAP) server.

NTDSUtil in Windows Server 2016 can create and mount snapshots of AD DS.

A snapshot is a form of historical backup that captures the exact state of the directory service at the time of the snapshot.

You can use tools to explore the contents of a snapshot to examine the state of the directory service at the time the snapshot was made, or connect to a mounted snapshot with LDIFDE and export a reimport objects into AD DS.

For this short easy Demo, I use my server.

Lets get started,

1 – On the Domain server, which is my, open command prompt and type ntdsutil and press enter.


2 – Next, type snapshot and press enter.


3 – Next, type activate instance ntds and press Enter.


4 – Next, type create (this create command is to generate a snapshot of my AD) and press Enter.

Screenshot (8).png

5 – Next, make sure you copy the copy the GUID somewhere (highlight the GUID and then copy).


6 – Next, type quit 2 times to exit from snapshot.

Screenshot (9).png

7 – Now, lets make some change to my ADDS by deleting 1 of my AD user, for this Demo, I choose my user from Sales Department. (Refer to my Picture)

101112Once you Deleted the user, you need to mount an Active Directory snapshot, and create a new instance so that later we can retrieve back the Deleted user.

8 – in CMD, type ntdsutil, then snapshot, then type activate instance ntds, then type list all (Refer to my Picture).

Screenshot (13).png

9 – Next, you need to mount GUID no (please refer to my screen shot), type mount <GUID> no and press enter.

Screenshot (15).png

10 – once successful, exit the process by typing quit 2 times.

Screenshot (17).png

11 – Next, on the CMD, type dsamain /dbpath C:\$SNAP_datetime_volumec$\windows\ntds\ntds.dit /ldapport 50000

~*~ be aware that datetime will be a unique value. There only should be one folder on your C:\ drive with a name that begins with $snap. ~*~

Screenshot (18).png

12 – Leave Dsamain.exe running, and do not close the CMD.

~*~ A message indicates that Active Directory Domain Services startup is complete ~*~

Screenshot (20).png

13 – Next, lets explore a snapshot with Active Directory Users and Computers, on the ADUC, right click and click Change Domain Controller.

Screenshot (21).png

14 – type DC-CLOUD:50000 on the <Type a Directory Server name[:port] here>, then click OK.

Screenshot (22).png

15 – Next, browse to Sales OU and you will notice that our Deleted user is now back online.

Screenshot (23).png

16 – our last step is to unmount an Active Directory snapshot.

on the command prompt, press CTRL+C to stop DSAMain.exe.

Screenshot (24).png

17 – then wrap up the whole process, on the CMD, type :

activate instance ntds
list all
unmount guid (guid is the GUID of the snapshot)
list all

Screenshot (27).png

that’s all for now.

Leave a Reply

Your email address will not be published. Required fields are marked *