If you’ve played around with Windows Server 2008 Active Directory Domain Services, you will probably be familiar with the snapshot feature within NTDSUTIL. The feature allows you to take snapshot of the volumes that host the AD components and to then mount the snapshot. Once mounted, you can use DSAMAIN.EXE to expose a read-only copy of the AD database to your favourite browsing tool (LDP.EXE, ADSIEDIT.MSC, DSA.MSC, ADFIND.EXE, etc.). The process for doing this is well documented elsewhere, so I don’t intend to reproduce it here.
Microsoft recommends that you schedule regular snapshots, as this provides you with a quick method of checking the contents of the directory at different time slices in the past. One advantage of this that you can quickly identify which backup to use when needing to authoritatively restore accidentally deleted AD objects from backup.
What isn’t quite so well documented it the process to schedule regular snapshots. It took me a little while to configure this properly, so I thought I would share it with you here.
Windows Server 2008 comes with a re-vamped Task Scheduler. You can configure tasks using both the UI as well as the command line (schtasks.exe). I prefer to use the command line as it has the advantage of allowing you to set tasks to run under the SYSTEM account. It is also the only option if you are using Server Core, unless you want to open the firewall to allow remote task scheduling from a computer running the full version.
Here’s the command line I use. Note that it’s all on one line – wrapped here to fit page
SCHTASKS /Create /RU SYSTEM /SC DAILY /TN MYTASKS\DS_SNAPSHOT /TR "%windir%\system32\ntdsutil.exe sn \"ac i ntds\" create q q" /ST 05:00
It is worth pulling the command arguments apart to explain them better:
/Create – pretty obvious. It instructs schtasks to create a new task.
/RU SYSTEM – the task will run under the SYSTEM account. Note that you don’t need to specify a password when using SYSTEM.
/SC DAILY- the task will run daily
/TN MYTASKS\DS_SNAPSHOT – I’ve called the task name DS_SNAPSHOT and this will be created within the MYTASKS task folder. The folder will be created automatically if it does not already exist.
/TR “%windir%\system32\ntdsutil.exe sn \”ac i ntds\” create q q” – This is the task action. It runs NTDSUTIL with arguments. Note that the double quotation marks within the arguments have to be escaped with the backslash character
/ST
The command line shown above assumes that you are working on the local machine on which you want to create the task. If defining the task for a remote computer, use the additional command line options shown below.
SCHTASKS /Create /s MYSERVER /U administrator /P xxxxx /RU SYSTEM /SC DAILY /TN MYTASKS\DS_SNAPSHOT /TR "%windir%\system32\ntdsutil.exe sn \"ac i ntds\" create q q" /ST 05:00
Once you’ve run the command you can verify the settings in the Task Scheduler UI.
If you’re feeling brave you can also have a look at scripting the task creation, as described here.
Really speaking this is the very good explanation. I was facing some problem about Active directory services and snapshot feature within NTDSUTIL. So i come to know about that fro this article.
Thanks for providing good information
This is a great tip — thank you for sharing this!
Have you tried using Dynamic AD Replication Checker Tool which not only checks replication status but also provides columns for troubleshooting.
More at http://www.Dynamic-SpotAction.com
Dynamic AD Replication Checker Tool Version 2.0 has been released at http://www.Dynamic-SpotAction.com.
Fixed a number of bugs reported by the users. Thanks Users!
New Features supported in Version 2.0:
Ø Monitor AD Replication based on schedules
Ø Check and troubleshoot Replication issues for all or individual Domain Controllers
Ø Check Orphaned Domain Controllers, if any
Ø Individual Naming Context Replication Status
Ø Easy navigation of Objects in Objects Pane
Ø Execute Individual Columns
Ø Populate Instance Groups in Object Pane
Ø Add Site/DC Manually
Ø Save Session in local database
Ø Switch to Monitoring and Console Version at any time
Ø Check Error or Warning Events on Domain controllers
Ø Perform DNS Test, check SOA, NA, and Forwarders
Ø DC Event Log Tests
Ø DC Patch Status
Ø Network Configuration on the Destination Domain Controllers
Ø Easily check Status of Domain Controller Services
Ø Check AD Pending Replication Jobs and Naming Contexts in Sync
Ø 164 Dynamic Columns for Server Object available
Thanks!