Exposes Active Directory data that is stored in a snapshot or backup as a Lightweight Directory Access Protocol (LDAP) server.

Dsamain.exe is a command-line tool that is built into Windows Server 2008. It is available if you have the Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS) server role installed. To use Dsamain, you must run the dsamain command from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.

For examples of how to use this command, see Examples.


dsamain /dbpath <filepath> [/logpath <path>] [/adlds] /ldapPort <number> [/sslPort <number>] [/gcport <number>] [/gcSslport <number>] [/allowUpgrade] [/allowNonAdminAccess]


Parameter Description

/dbpath <filepath>

Specifies the file path to the database file. <filepath> must point to the database file, which might be on read-only media, such as a mounted snapshot; in a backup; or on another server, such as a domain controller or an AD LDS server. The database must be in a consistent state; that is, the Extensible Storage Engine (ESE) logs must be replayed. If you run the Ntdsutil snapshot subcommand or if you run Windows Server Backup on a server running Windows Server 2008, the resulting snapshot or backup will be in a consistent state.


A snapshot is a shadow copy of the volumes that contain the Active Directory database and log files. A snapshot is created by the Volume Shadow Copy Service (VSS).


Displays Help for this command.


Displays Help for this command.

Remarks <optional section>

  • For the dbpath parameter, you must specify a mounted snapshot or a backup that you want to view along with the complete path to the Ntds.dit file, for example:

    /dbpath E:\$SNAP_200704181137_VOLUMED$\WINDOWS\NTDS\ntds.dit
  • Only the LDAP port is required. If you do not specify the other ports, they use LDAP+1, LDAP+2, and LDAP+3, respectively. For example, if you specify LDAP port 41389 without specifying other port values, the LDAP-SSL port uses port 41390 by default, and so on.

  • You cannot specify ports that are currently in use. If you run the command on a domain controller, specify different ports than those that are used by the local domain controller, for example::

    dsamain /dbpath <filepath> /ldapport 51389 /sslport 51636 /gcport 53268 /gcsslport 53269
  • Include a space between the name of the parameter and the value that you specify.

  • All permissions that apply to the data in the snapshot or backup are enforced when you view the data.

  • By default, Dsamain allows only members of the Domain Admins and Enterprise Admins groups to view the sensitive data that can be contained in snapshots and backups.


The following example exposes the data in a snapshot $SNAP_200704181137 as an LDAP server, using LDAP port 51389:

E:\$SNAP_200704181137_VOLUMED$\WINDOWS\NTDS\ntds.dit /ldapport 51389

Additional references