Manages snapshots of the volumes that contain the Active Directory database and log files, which you can view on a domain controller without starting in Directory Services Restore Mode. You can also run the snapshot subcommand on an Active Directory Lightweight Directory Services (AD LDS) server.
In the command-line tool Ntdsutil.exe, you can use the snapshot subcommand to manage the snapshots, but you must use Dsamain.exe to expose the snapshot as a Lightweight Directory Access Protocol (LDAP) server. For more information about using Dsamain, see Dsamain.
Ntdsutil is built into Windows Server 2008, and it is available if you have the Active Directory Domain Services (AD DS) or AD LDS server role installed. To use Ntdsutil, you must run the ntdsutil command from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.
For examples of how to use this command, see Examples.
Syntax
activate instance %s [create] [delete %s] [unmount %s] [list all] [list mounted ] [mount %s] [quit]
Parameters
| Parameter | Description |
|---|---|
|
activate instance %s |
Sets an active instance for the command. You can either specify "ntds" to set AD DS as the active instance or you can specify the name of an AD LDS instance. |
|
create |
Creates a snapshot. |
|
delete %s |
Deletes a snapshot with globally unique identifier (GUID) %s. Use * to delete all snapshots. |
|
list all |
Lists all mounted snapshots. You can run this command to obtain an index number for a mounted snapshot. You can then use the index number, instead of a GUID, to mount or unmount a snapshot. |
|
list mounted |
Lists mounted snapshots. You can run this command to obtain an index number for a mounted snapshot. You can then use the index number instead of a GUID to mount or unmount a snapshot. |
|
mount %s |
Mounts a snapshot with GUID %s. You can refer to an index number of any mounted snapshot instead of its GUID. |
|
unmount %s |
Unmounts a snapshot with GUID %s. Use * to unmount all mounted snapshots. |
|
quit |
Returns to the prior menu. |
|
Help |
Displays Help for this command. |
|
? |
Displays Help for this command. |
Remarks
- Before you can run the snapshot subcommand, you must run
the activate instance subcommand in Ntdsutil to set an
active instance. For examples of how to set an active instance, see
Examples.
- You are not required to run the snapshot subcommand to
use Dsamain.exe. Instead, you can use a backup of the AD DS or
AD LDS database or another domain controller or AD LDS
server. Running the snapshot subcommand simply provides
convenient data input for Dsamain.exe.
- You should protect snapshots in a manner that is similar to how
you protect domain controller backups. For example, use encryption
or other data security precautions with AD DS snapshots to
help mitigate the chance of unauthorized access to them.
- When you use Dsamain.exe to expose the data that is contained
in a snapshot:
- All permissions that apply to the data in the snapshot are
enforced.
- By default, only members of the Domain Admins group and the
Enterprise Admins group are allowed to view a snapshot because it
can contain sensitive AD DS data.
- All permissions that apply to the data in the snapshot are
enforced.
Examples
The following example sets NTDS as the active instance:
ntdsutil: activate instance ntds
The following example is another way to set NTDS as the active instance:
ntdsutil: ac in ntds
The following example mounts a snapshot that has the GUID 8ec8ff74-c0d7-435a-b6b1-54ef185926be:
snapshot: mount {8ec8ff74-c0d7-435a-b6b1-54ef185926be}
The following example unmounts the same snapshot:
snapshot: unmount {8ec8ff74-c0d7-435a-b6b1-54ef185926be}
The following example lists the mounted snapshots:
snapshot: list mounted