AD DS: Database Mounting Tool (Snapshot Viewer or Snapshot Browser)

With Windows Server 2008 Microsoft introduced a new tool called the Active Directory database mounting tool (Dsamain.exe). It was referred to as the Snapshot Viewer and the Active Directory data mining tool during the early releases of Windows 2008. The cool thing about this tool is that you can take snapshots of your AD database and view them offline.

According to Microsoft's explanation this is really helpful for forest recovery and AD auditing. In the case of AD object deletion you can load a snapshot and compare your current AD against it.

Before Windows Server 2008, when objects or organizational units (OUs) were accidentally deleted, the only way to determine exactly which objects were deleted was to restore data from backups. The pain behind this was:

  • Active Directory had to be restarted in Directory Services Restore Mode to perform an authoritative restore.
  • An administrator could not compare data in backups that were taken at different points in time (unless the backups were restored to various domain controllers, a process which is not feasible).

One thing to notice is that this is not a method to recover deleted objects but merely a method to show you what has happened by doing a comparison. Apart from that, you’ll need to be a member of the Enterprise Admins or Domain Admins group, or else a user account must be given the particular rights.

Now getting back to the actions: to take snapshots, mount them and view them you need to know about three tools:

1. NTDSUTIL – create, delete, mount and list snapshots.

2. Dsamain.exe – exposes a mounted snapshot as an LDAP server.

3. LDP or the Active Directory Users and Computers MMC – view the exposed snapshot.

So the steps are going to be as follows:

1. Manually or automatically create a snapshot of your AD DS or AD LDS database.
2. Mount the snapshot.
3. Expose the snapshot as an LDAP server.
4. Connect to the snapshot.
5. View data in the snapshot.

Manually creating the snapshot of the AD DS

1. Log on to a Windows Server 2008 domain controller.
2. Click Start, and then click Command Prompt.
3. In the Command Prompt window, type ntdsutil, and then hit Enter.
4. At the ntdsutil prompt, type snapshot, and then hit Enter.
5. At the snapshot prompt, type activate instance NTDS, and then hit Enter.
6. At the snapshot prompt, type create, and then hit Enter.
7. Note down the GUID returned by the command.

Mount the snapshot

1. If you didn’t close the previous window, go back to it, type list all and press Enter.
2. Once you get the list of snapshots you can select one to mount. In this scenario type mount 2 and press Enter.
3. If the mounting was successful, you will see Snapshot {GUID} mounted as PATH, where {GUID} is the GUID that corresponds to the snapshot, and PATH is the path where the snapshot was mounted.
4. Note down the path.

Expose the snapshot as an LDAP server

OK, so far we have managed to create a snapshot and mount it. Now we need to expose the snapshot so we can view it from the LDP utility or the ADUC MMC. In this scenario we’re going to use the second utility (Active Directory Users and Computers).

1. Open a new command prompt.

2. In the Command Prompt window, type dsamain /dbpath C:\$SNAP_201001281107_VOLUMEC$\WINDOWS\NTDS\ntds.dit /ldapport 51389 (instead of the default port 389 we use an alternative port for the snapshot, to avoid any conflict with the live AD DS).
Note: “C:\$SNAP_201001281107_VOLUMEC$” is the path we got a few steps before; it is the path where the snapshot is mounted on our system.

3. "Microsoft Active Directory Domain Services startup complete" will appear in the Command Prompt window after running the above command. This means the snapshot is exposed as an LDAP server, and you can proceed to access data on it. NOTE: Do not close the Command Prompt window, or the snapshot will no longer be exposed as an LDAP server.

Connect to the snapshot

We can use any utility that can read LDAP data. In this demonstration, as I mentioned earlier, I’ll go ahead and use the Active Directory Users and Computers snap-in.

1. Open ADUC.
2. Right-click the ADUC root node and select the “Change Domain Controller” option.
3. Type the domain controller name with the custom port number, e.g. “CONTOSO-DC:51389”.
4. Now you’re looking at the data in the snapshot. Go ahead and open another ADUC window; that one will show the current AD DS.
5. Go ahead and make a change on the live AD DS and then check the two MMCs again. You’ll see the snapshot data does not change.
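The five steps above, run end to end from PowerShell, as an added example that is not part of the original post and not Microsoft's own tooling: it creates the snapshot with ntdsutil, mounts it, exposes it with dsamain on port 51389, and then does the comparison the post describes (objects that exist in the snapshot but no longer exist in the live directory). It assumes it runs elevated on the domain controller itself, that the database sits on a single volume (as with VOLUMEC in the post), and that ntdsutil and dsamain print the English messages quoted above; the port, variable and function names are my own.

```powershell
# Added example (not from the original post): snapshot -> mount -> expose -> compare with live AD DS.
# Assumptions: elevated PowerShell on the DC; English ntdsutil/dsamain output as quoted in the post.

$LdapPort = 51389                      # alternative port for the snapshot, as in the post
$Dc       = $env:COMPUTERNAME          # the DC hosts both the live AD DS and the snapshot LDAP server
$BaseDn   = ([ADSI]'LDAP://RootDSE').defaultNamingContext   # e.g. DC=contoso,DC=com

function Invoke-Ntdsutil {
    # Runs one non-interactive ntdsutil session (each argument is one ntdsutil command) and
    # returns the combined output as a single string so the GUID and mount path can be parsed.
    param([string[]]$Commands)
    (& ntdsutil.exe @Commands 2>&1 | Out-String)
}

function Get-ObjectDns {
    # Returns every distinguishedName under $BaseDn from the LDAP server at "host" or "host:port".
    param([string]$Server)
    $root     = New-Object DirectoryServices.DirectoryEntry("LDAP://$Server/$BaseDn")
    $searcher = New-Object DirectoryServices.DirectorySearcher($root, '(objectClass=*)', @('distinguishedName'))
    $searcher.PageSize = 1000          # paged search so larger domains do not hit the size limit
    foreach ($result in $searcher.FindAll()) { $result.Properties['distinguishedname'][0] }
}

$guid = $null; $dsamain = $null; $ready = $false
try {
    # Step 1: create the snapshot; ntdsutil prints the GUID of the new snapshot set.
    $out = Invoke-Ntdsutil 'snapshot', 'activate instance ntds', 'create', 'quit', 'quit'
    if ($out -notmatch '\{[0-9A-Fa-f-]{36}\}') { throw "Snapshot creation failed:`n$out" }
    $guid = $Matches[0]

    # Step 2: mount by GUID; the "Snapshot {GUID} mounted as PATH" line gives the mount path.
    $out = Invoke-Ntdsutil 'snapshot', "mount $guid", 'quit', 'quit'
    if ($out -notmatch 'mounted as (\S+)') { throw "Snapshot mount failed:`n$out" }
    $mountPath = $Matches[1].TrimEnd('\')

    # Step 3: expose with dsamain. ntds.dit sits at the same relative path inside the snapshot as the
    # live database, so derive it from the NTDS service parameters instead of hard-coding it.
    $liveDit = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters').'DSA Database file'
    $snapDit = Join-Path $mountPath $liveDit.Substring(3)      # drop "C:\" and re-root under the mount
    $dsamain = Start-Process dsamain.exe -ArgumentList "/dbpath `"$snapDit`" /ldapport $LdapPort" -PassThru

    # Wait until the snapshot LDAP server accepts connections (or dsamain gives up).
    $deadline = (Get-Date).AddSeconds(90)
    do {
        Start-Sleep -Seconds 2
        if ($dsamain.HasExited) { throw "dsamain exited with code $($dsamain.ExitCode)" }
        $tcp = New-Object Net.Sockets.TcpClient
        try { $tcp.Connect($Dc, $LdapPort); $ready = $true } catch { $ready = $false } finally { $tcp.Close() }
    } until ($ready -or (Get-Date) -gt $deadline)
    if (-not $ready) { throw "Snapshot LDAP server did not come up on port $LdapPort" }

    # Steps 4 and 5: read both directories and diff the DN sets. Anything present only in the
    # snapshot has been deleted, renamed or moved since the snapshot was taken.
    $snapshotDns = @(Get-ObjectDns "${Dc}:${LdapPort}")
    $liveDns     = @(Get-ObjectDns $Dc)
    $goneSinceSnapshot = Compare-Object $snapshotDns $liveDns |
        Where-Object { $_.SideIndicator -eq '<=' } |
        ForEach-Object { $_.InputObject }

    "Snapshot $guid : $($snapshotDns.Count) objects; live AD DS: $($liveDns.Count) objects"
    if ($goneSinceSnapshot) { 'Present in snapshot but not in live AD DS:'; $goneSinceSnapshot }
    else { 'No objects missing from the live directory since the snapshot.' }
}
finally {
    # Tear down in reverse: stop dsamain (the snapshot is only exposed while it runs), then unmount.
    # The snapshot set itself is kept so it can be mounted again for a later comparison.
    if ($dsamain -and -not $dsamain.HasExited) { Stop-Process -Id $dsamain.Id -Force }
    if ($guid) { Invoke-Ntdsutil 'snapshot', "unmount $guid", 'quit', 'quit' | Out-Null }
}
```

The account running this needs the same rights the post lists (Enterprise Admins or Domain Admins), because dsamain opens the database and the live directory is read over LDAP. To run it on the schedule the post suggests, save it as a .ps1 and register it with schtasks.exe (/create /tn, /tr "powershell.exe -File <path>", /sc, /ru with a suitably privileged account); remember that the mounted snapshot is an unencrypted copy of ntds.dit, so the mount path and any copies you make of it deserve the same protection as the live database.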

So as I mentioned, this is a really cool feature and saves a lot of time. If you don’t like creating snapshots manually you can create a scheduled task to take snapshots automatically. One concern is that these snapshots are not encrypted, so if they get into the wrong hands it is bad for you. So keep them in a safe location and encrypt them for added security.

Giving attention to good old redirusr and redircmp commands

I’ve been meddling with some GPO issues and then came across these two commands. These commands have been around since Windows 2000 and 2003. What brought my attention to them is how you can use them to comply with security auditing. More information about how to use these commands can be found over here.

First we’ll take an example of an enterprise company. Most of the time the AD admin will get an email or a request from HR or another relevant department asking to create a new user account. Once you get that request you’ll create those user accounts, and by default they go into the Users container in ADUC. Due to your busy schedule you’ll forget to move the user account to the correct OU. Even though this may be a matter of a few hours’ or a few days’ delay in moving the account to the relevant OU, from a computer security point of view it is a big risk!

One way I can think of eliminating or minimizing this is that whenever a new user account is created or a new computer is added to the domain, it is placed in a different OU which has unique GPOs assigned to it. In that particular GPO you can edit the security settings to comply with the company IT security policy and give minimal user rights until the account is moved to the correct OU 🙂

In a nutshell this may be seen as a simple thing, but in terms of IT security overall it is a big step. So go ahead, roll up your sleeves, give it a try in your company network and be safe!
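The redirection described in this post, as an added PowerShell example that is not from the original post: it creates two quarantine OUs, points the default user and computer containers at them with redirusr and redircmp, optionally links a restrictive GPO, and verifies the result by reading the domain's wellKnownObjects attribute (the attribute these two commands rewrite). It assumes it runs on a domain controller as a Domain Admin and that wellKnownObjects values come back in the "B:32:<GUID>:<DN>" string form; the OU names and the GPO name "Staging Lockdown" are placeholders.

```powershell
# Added example (not from the original post): redirect default containers to quarantine OUs
# and verify via wellKnownObjects. Assumes: run on a DC as Domain Admin; OU/GPO names are placeholders.

$BaseDn      = ([ADSI]'LDAP://RootDSE').defaultNamingContext   # e.g. DC=contoso,DC=com
$UsersOu     = "OU=Staging Users,$BaseDn"
$ComputersOu = "OU=Staging Computers,$BaseDn"

# Well-known GUIDs under which the domain NC records its default Users and Computers containers.
$UsersGuid     = 'A9D1CA15768811D1ADED00C04FD8D5CD'
$ComputersGuid = 'AA312825768811D1ADED00C04FD8D5CD'

function New-OuIfMissing {
    # Creates the OU directly under the domain root unless it already exists.
    param([string]$Dn)
    if (-not [DirectoryServices.DirectoryEntry]::Exists("LDAP://$Dn")) {
        $domain = New-Object DirectoryServices.DirectoryEntry("LDAP://$BaseDn")
        $ou = $domain.Children.Add(($Dn -split ',')[0], 'organizationalUnit')   # RDN, e.g. OU=Staging Users
        $ou.CommitChanges()
    }
}

function Get-WellKnownContainer {
    # Returns the DN the domain currently maps to a well-known GUID. wellKnownObjects values are
    # DN-binary strings of the form B:32:<GUID>:<DN>, so strip the prefix to get the DN.
    param([string]$Guid)
    $domain   = New-Object DirectoryServices.DirectoryEntry("LDAP://$BaseDn")
    $searcher = New-Object DirectoryServices.DirectorySearcher($domain, '(objectClass=*)', @('wellKnownObjects'))
    $searcher.SearchScope = 'Base'
    $searcher.FindOne().Properties['wellknownobjects'] |
        Where-Object { "$_" -like "B:32:${Guid}:*" } |
        ForEach-Object { "$_" -replace '^B:32:[0-9A-Fa-f]{32}:', '' }
}

$before = @{ Users = Get-WellKnownContainer $UsersGuid; Computers = Get-WellKnownContainer $ComputersGuid }

New-OuIfMissing $UsersOu
New-OuIfMissing $ComputersOu

# redirusr/redircmp rewrite the two wellKnownObjects entries, so every account created without an
# explicit container (net user /add, older scripts, the ADUC default) lands in the quarantine OU.
& redirusr.exe $UsersOu;     if ($LASTEXITCODE -ne 0) { throw "redirusr failed (exit code $LASTEXITCODE)" }
& redircmp.exe $ComputersOu; if ($LASTEXITCODE -ne 0) { throw "redircmp failed (exit code $LASTEXITCODE)" }

# Optional: link the restrictive GPO to both OUs when the GroupPolicy module (2008 R2 and later) is present.
if (Get-Module -ListAvailable -Name GroupPolicy) {
    Import-Module GroupPolicy
    foreach ($target in $UsersOu, $ComputersOu) { New-GPLink -Name 'Staging Lockdown' -Target $target -Enforced Yes }
}

# Verify: both well-known GUIDs must now resolve to the quarantine OUs.
$after = @{ Users = Get-WellKnownContainer $UsersGuid; Computers = Get-WellKnownContainer $ComputersGuid }
foreach ($kind in 'Users', 'Computers') { '{0,-9} {1}  ->  {2}' -f $kind, $before[$kind], $after[$kind] }
if ($after.Users -ne $UsersOu -or $after.Computers -ne $ComputersOu) {
    throw 'Redirection is not reflected in wellKnownObjects'
}
```

Two caveats worth keeping in mind: redirusr and redircmp need the domain to be at the Windows Server 2003 domain functional level or higher, and the change is domain-wide and affects only objects created from now on; accounts already sitting in CN=Users or CN=Computers stay where they are, so the before/after lines printed by the script are the place to check that the redirection actually took effect.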

Bring your Own Computer (BYOC) to work

Well, this has once been a debatable question, or rather I would say an adoptable method carried out by some companies. Microsoft, Intel and Citrix are some of the companies who have adopted this, and they have already carried it out in several regional offices. The recent economic situation has given most employees the green light for this. In a way I see this as a good thing, and I started adopting it almost before the big companies decided about it. Actually in the year 2007 🙂

We as technical persons cannot be locked down to the usual 8 to 5 office work hours; sometimes we work from home and until late at night. Apart from that, companies prefer to get the maximum benefit out of their employees, while HR keeps on trying to make life comfortable for the workforce. (Whether they succeed or not is a different question.) My point is everyone wants to be happy and still not compromise the rules, right? Well, in that case BYOC is a good method for several reasons:

1. Employees will have their personal laptop and can work from anywhere, which I call freedom and flexibility.

2. Employers cannot afford to give employees all the latest hardware all the time to carry out their work and replace the hardware annually. But they can lend some money to employees to have their own machine under certain legal conditions, and this will be a fraction of their annual IT budget.

3. Employees have the flexibility to work and at the same time take a break and use it more meaningfully to interact with friends and colleagues via MSN, other IMs and social networks (e.g. Facebook). I know some companies will see FB as a bad thing, but again the fundamental rule works here: trust between employee and employer. I also agree with not wasting time on FB doing farming or playing games in office working hours. Keep that for OOOH (Out Of Office Hours).

So you can figure out various other benefits which are good for both parties. With every new concept come some concerns, and the same goes here:

1. Security – Well, this is something for the IT department to come up with. Do you really think BYOC is the only major issue? Think about the other ways your network can be compromised. What we should really care about is how to make sure the company’s main servers and confidential data are secured properly. I have seen many times that it comes to the boiling point of servers not being secured with the recommended security patches and security policies. Now it’s time to go and have a second, deeper look at the security aspects.

2. Cost – As I mentioned, this will be a lot less if you plan it carefully, since you’re not going to spend so much money but lend some money for the employee to buy his/her own machine with relevant terms and conditions. But please remember this option is not applicable for all companies and has to be evaluated even at department level.

3. Security Policy – Well, companies can still have those hefty security policy guideline books with them 🙂 My point is you can still apply some general rules and terms, evaluate your security policies and try to balance everything. If you’re so concerned about the desktop environment then this is the time to evaluate VDI (Virtual Desktop Interface); Microsoft and Citrix are offering pretty cool solutions for this. I think, the way we are moving forward in 2010, VDI will be a good option for companies to consider.

So in a nutshell those are my opinions about BYOC, and I agree with this trend; the question is, do you? Share your thoughts about it and let’s see if we can change the working environment to be more friendly, flexible and sexy!!!! I mean with cool laptop models, people 🙂

Supporting Exchange 2007 on Windows Server 2008 R2

Well, another piece of good news for customers and partners. Microsoft has demonstrated and proved that they are indeed listening to customer and partner feedback. The Exchange 2007 product team has decided to support the Windows Server 2008 R2 platform. Most customers are running Exchange 2007 and will not have quick plans to move to Exchange 2010, but they will still prefer to have the latest operating system version for improved manageability.

More information about this decision has been blogged over here.
