News:

MyKidsDiary.in :: Capture your kids magical moment and create your Online Private Diary for your kids

Main Menu

Windows Server 2008 Active Directory Database Mounting Tool

Started by ganeshbala, Mar 27, 2009, 01:52 PM

Previous topic - Next topic

ganeshbala

Windows Server 2008 Active Directory Database Mounting Tool

Windows Server 2008 aims to improve recovery processes for Active Directory Domain Service (AD DS) and Active Directory Lightweight Directory Services (AD LDS). In Windows Server 2008, you can now take point-in-time snapshots of the data that is stored in AD DS or AD LDS. Furthermore, Windows Server 2008 includes a new Active Directory database mounting tool, which allows you to mount the snapshot. This new functionality provides administrators with the ability to view AD DS and AD LDS data, as it existed at different times, thus effectively arming you with better means to deal with the recovery of AD DS and AD LDS data.
Snapshots

The Windows Server 2008 version of the Ntdsutil.exe command-line tool includes a new operation, called snapshot, which provides the ability to create snapshots of AD DS and AD LDS data. The Ntdsutil.exe snapshot operation can be used to create point-in-time snapshots of AD DS and AD LDS data. You can also schedule a recurring task (e.g., using Task Scheduler) that uses Ntdsutil.exe to create snapshots.

You are not restricted to the use of snapshots that were created by using the Ntdsutil.exe snapshot operation. You can use any backup of an AD DS or AD LDS database that uses the Volume Shadow Copy Service (VSS), including Windows Server Backup as well as third-party backup solutions.

Database Mounting

The Ntdsutil.exe snapshot operation also provides the ability to list, mount, and unmount snapshots of AD DS and AD LDS data. If you incorporate this new functionality into your disaster recovery plan for AD DS or AD LDS, you will likely have multiple snapshots of AD DS or AD LDS data. The Ntdsutil.exe snapshot operation provides the ability to list all snapshots so you can determine which snapshot you need to work with. Once you have identified the appropriate snapshot, you must mount the snapshot before you can continue. Mounting and unmounting snapshots is also performed using the Ntdsutil.exe snapshot operation.

ganeshbala

Exposing a Snapshot as an LDAP Server

After you have created one or more a snapshots, and you know which snapshot you plan to work with, you must expose that snapshot as an LDAP server before you can view the data stored in the snapshot. Windows Server 2008 includes a command-line tool, called Dsamain.exe, which provides the ability to expose snapshots as an LDAP server. Dsamain.exe can be used to expose AD DS and AD LDS snapshots as an LDAP server. When running the Dsamain.exe command-line tool, you must specify the path to the AD DS or AD LDS database (ntds.dit) file. You can optionally specify where to store the log files and temporary database by using the log path parameter. In most cases, you will view multiple snapshots at the same time. As a result, you must specify which port to use for LDAP communication when exposing the snapshot using Dsamain.exe.

In addition to LDAP communication, LDAP over SSL, global catalog, and global catalog over SSL communication can be used to query a snapshot exposed as an LDAP server. By default, Dsamain.exe will increment the port number by 1 for each of these additional protocols. For example, if you specify port 5000 for LDAP, Dsamain.exe will use 5001 for LDAP over SSL, 5002 for global catalog, and 5003 for global catalog over SSL. You can, however, specify the port numbers to be used for the additional protocols.

Viewing Snapshot Data

The last step in this process is to view snapshot data. After a snapshot has been exposed as an LDAP server, you can use LDP.exe or the Active Directory Users and Computers console to view snapshot data that is exposed as an LDAP server. When you use either of these tools, you must specify the port number used when the snapshot was exposed as an LDAP server.

Conclusion

The introduction of Active Directory database mounting tool provides a means to improve the AD DS and AD LDS recovery processes. This new functionality does not actually permit the recovery of data. However, you can use this functionality to view the state of data in previous snapshots and then decide how to recover the data.

Source : internetnews.com

Ron Wright

I have seen only the briefest description of the -allowUpgrade and -allowNonAdminAccess parameters of dsamain.exe.  Through trial and error I've determined that -allowUpgrade causes dsamain.exe to check the current value of the msDS-GenerationId attribute of the DC object to be checked against the VM Generation ID (vmgenid) and to refuse to mount the database if these are different.  I do not know what other effects -allowUpgrade has.  I know nothing of what the effect the -allowNonAdminAccess parameter has, but I suspect it has something to do with mounting the database for read-only access versus full read-write access (when -allowNonAdminAccess is not used).