A snapshot is a shadow copy—created by the Volume Shadow Copy Service (VSS)—of the volumes that contain the Active Directory database and log files. With Active Directory snapshots, you can view the data inside such a snapshot on a domain controller without the need to start the server in Directory Services Restore Mode.

Windows Server 2008 has a new feature allowing administrators to create snapshots of the Active Directory database for offline use.

With AD snapshots you can mount a backup of AD DS under a different set of ports and have read-only access to your backups through LDAP.

You should take measures to protect AD snapshots in a manner that is similar to protecting your regular DC backups. For example, use encryption or other data security precautions with AD DS snapshots to help mitigate the chance of unauthorized access to them.

There are quite a few scenarios for using AD snapshots. For example, if someone has changed properties of AD objects and you need to revert to their previous values, you can mount a copy of a previous snapshot to an alternate port and easily export the required attributes for every object that was changed. These values can then be imported into the running instance of AD DS. You can also restore deleted objects or simply view objects for diagnostic purposes.

AD snapshots, when mounted and connected to, allow you to see how the AD DB looked like at the moment of the snapshot creation, what objects existed and other type of information. However, out of the box, it does not allow you to move or copy items or information from the snapshot to the live database. In order to do that you will need to manually export the relevant objects or attributes from the snapshot, and manually import them back to the live AD database. You can read more on that in my "Directory Service Comparison Tool" and "Exporting Information from Active Directory Snapshots in Windows Server 2008" articles.

While the process of creating a snapshot, mounting it, connecting to it, disconnecting, unmounting and (perhaps) deleting it may seem a little confusing at first, after running through it a few times you'll get the hang of it. In any case it's a lot better than the alternative - taking down the DC, rebooting into DSRM, restoring the System State from a backup, and then exporting the attributes.

Here's how to do it.

La suite ici :