Simple Step : Create a snapshot of AD DS in Windows Server 2012 R2 by using NTDSUTIL

August 13, 2013

Hi all,

Today let's go through a very simple procedure: how to create a snapshot of AD DS in Windows Server 2012 R2.

But first, what is a snapshot and what is NTDSUTIL?

NTDSUtil in Windows Server 2012 can create and mount snapshots of AD DS.

A snapshot is a form of historical backup that captures the exact state of the directory service at the time of the snapshot.

You can use tools to explore the contents of a snapshot and examine the state of the directory service at the time the snapshot was made, or connect to a mounted snapshot with LDIFDE and export and re-import objects into AD DS.

For this short demo, I use my DC01.comsys.local server.

Let's get started…

1 – On the domain server, which is my DC01.comsys.local, open command prompt and type ntdsutil and press enter…


2- Next, type snapshot and press enter…


3 – Next, type activate instance ntds and press Enter…


4 – Next, type create (the create command generates a snapshot of my AD) and press Enter…


5 – Next, make sure you copy the GUID somewhere (highlight the GUID and then copy)…


6 – Next, type quit 2 times to exit from snapshot…


7 – Now, let's make a change to my AD DS by deleting one of my AD users. For this demo, I chose a user from the Research department…



Once you have deleted the user, you need to mount the Active Directory snapshot and create a new instance so that we can later retrieve the deleted user…

8 – In CMD, type ntdsutil, then snapshot, then activate instance ntds, then list all (please refer to my screenshot)…


9 – Next, you need to mount GUID no (please refer to my screen shot), type mount <GUID> no and press enter…


10 – Once successful, exit the process by typing quit 2 times…


11 – Next, on the CMD, type dsamain /dbpath C:\$SNAP_datetime_volumec$\windows\ntds\ntds.dit /ldapport 50000

** Be aware that datetime will be a unique value. There should be only one folder on your C:\ drive with a name that begins with $snap.


12 – Leave Dsamain.exe running, and do not close the CMD…

** A message indicates that Active Directory Domain Services startup is complete…


13 – Next, let's explore the snapshot with Active Directory Users and Computers. In ADUC, right-click Comsys.local and click Change Domain Controller…


14 – Type DC01:50000 in the <Type a Directory Server name[:port] here> box, then click OK…


15 – Next, browse to the Research OU and you will notice that our deleted user is visible again in the snapshot…


16 – Our last step is to unmount the Active Directory snapshot.

On the command prompt, press CTRL+C to stop DSAMain.exe…


17 – Then, to wrap up the whole process, in CMD type:

activate instance ntds
list all
unmount guid (guid is the GUID of the snapshot)
list all
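
The check in step 15 can also be scripted. The following PowerShell is an added example, not part of the original post: run it on DC01 while Dsamain.exe is still running (after step 12, before step 16) to list Research users that differ between the snapshot and the live directory. The OU distinguished name and the attribute list are assumptions; DC01, comsys.local and port 50000 come from the steps above.

```powershell
# Added example: compare the mounted snapshot with the live directory.
# Requires the ActiveDirectory module and dsamain.exe listening on port 50000.
Import-Module ActiveDirectory

$live     = 'DC01'                            # live AD DS instance
$snapshot = 'DC01:50000'                      # snapshot instance served by dsamain
$base     = 'OU=Research,DC=comsys,DC=local'  # assumed DN of the Research OU
$props    = 'displayName', 'department', 'title', 'userAccountControl'  # assumed attribute set

function Get-UserIndex {
    param([string]$Server)
    # Index users by objectGUID, which does not change on rename or move.
    $index = @{}
    Get-ADUser -Server $Server -SearchBase $base -Filter * -Properties $props |
        ForEach-Object { $index[$_.ObjectGUID.ToString()] = $_ }
    return $index
}

$before = Get-UserIndex -Server $snapshot
$now    = Get-UserIndex -Server $live

$report = foreach ($guid in $before.Keys) {
    $old = $before[$guid]
    if (-not $now.ContainsKey($guid)) {
        # Present in the snapshot, absent from the live OU: deleted or moved out.
        [pscustomobject]@{ User = $old.SamAccountName; Change = 'missing from live OU'
                           Snapshot = $old.DistinguishedName; Live = $null }
        continue
    }
    $new = $now[$guid]
    foreach ($p in ($props + 'DistinguishedName')) {
        if ($old.$p -ne $new.$p) {
            [pscustomobject]@{ User = $old.SamAccountName; Change = "$p changed"
                               Snapshot = $old.$p; Live = $new.$p }
        }
    }
}

# Accounts that exist only in the live OU were created or moved in after the snapshot.
$report += foreach ($guid in $now.Keys) {
    if (-not $before.ContainsKey($guid)) {
        [pscustomobject]@{ User = $now[$guid].SamAccountName; Change = 'not in snapshot'
                           Snapshot = $null; Live = $now[$guid].DistinguishedName }
    }
}

$report | Sort-Object User, Change | Format-Table -AutoSize
```

The script only reads from both instances; the user deleted in step 7 appears as "missing from live OU".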




  1. Good Article!!!!!….helps me a lot to understand the step by step process of Snapshot; However I have a question that we know snapshot copy is read only but we can restore the objects to our live AD Database by Connecting to the mounted snapshot, and export/re-import objects with LDIFDE. So could you describe this process for me?
    Thanks a ton….

  2. Zaheed

    Good effort..!! Thank you

  3. True answers, well done ladies and gentlemen, you are so helpful.

  4. Nice article!!! It helps me understand the mount process and the difference between dsamain and ntdsutil.
