Microsoft has wunderfull products, and Windows Server 2003 is one of them.  For some purposes I find it even better then the Windows 2008 version, but that's another story. Stable as it is, the R2 version a bit more, I can recomment the use of it to anyone. It's cheaper that W2K8 and that also counts today. Why buy a new license when you allready have one. The only real problem is that the normal W2K3 version will be end-of-life soon. In this article I like to share with you, a handy command set to take a snaphot of your Active Directory and some ways you can use this. You can use these command in Windows Server 2008 versions as well.

First you have to think about the time you are going to keep the complete AD backup. Most of the times 7 days will be more than enough, to tackle major faildowns or complete recovery. Underneath I used the 7 days as an example, but feel free to make more if you want to. It takes some diskspace, but if your having a large Active Directory with lots of changes, it might be necessary. We are going to use the ntdsutil.exe for this, which is a very powerfull tool. Ntdsutil has several modus and buildin functionality which every system administrator should at least be familiar to. 

Now how are you going to do this:
Logon to a server which as the role of a Domain Controller with administrative rights.
Create some kind of mapping on your operating system drive, I often use one called "Scripts".
Create a batch file and give it a logical name like CreateADSnapshot.bat
Put in the command: C:\Windows\system32\ntdsutil.exe sn "ac i ntds" create q q
Save this file and run it 7 times to create youre baseline backup, or run it manually 7 times.

Create another batch file and give it a logical name like DeleteADSnapshot.bat
Put in the command: C:\Windows\system32\ntdsutil.exe sn "List All" "Delete%1" q q
Save this file as well.

What did we do now? We manually, created 7 full snapshots of the Active Directory. The snapshot numbers are added up, and therefore, in order to throw away the oldest, you have to remove the first one. Thats what we do with the second batchfile which deletes %1. As snapshot are automatically renumbered, the %1 will always be the oldest.

You can create a single batch file for these commands as well and put it into a scheduled task, that runs every day on hours that the server had almost nothing to do. This way you don't have to worry about it anymore, but it is a good thing to check it regulary, if your system monitoring doesn't do that allready.

When your Active Directory fails, call in a professional to restore these snapshots for you. For those who want to do it yourself, check another article I wrote on authoritatives restores on Active Directory, but you can find it anywhere on internet as well. Lets all be happy you can disable accidental deleting of Organizational Units and Users in Active Directory 2008 nowadays! That is a wunderfull new functionality that Microsoft has put in there since the Active Directory 2008 level.

Hope this will help you creating a more stable, or secure environment.
You will be happy you did implemented this, when your Active Directory fails working.

Printscreen: Not available


Ben OostdamBen Oostdam has been working with Windows systems since 1993. Worked for several companies as a system administrator, and is currently a Senior Support Engineer for a large company in the Netherlands.

Disclaimer: The information contained in this website/article is for general information purposes only. The information is provided as is, by Ben Oostdam and while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk. In no event will we be liable for any loss or damage including without limitation, indirect or consequential loss or damage, or any loss or damage whatsoever arising from loss of data or profits arising out of, or in connection with, the use of this website. Through this website you are sometimes able to link to other websites which are not under my control. I have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them. Every effort is made to keep the website up and running smoothly. However, I take no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control. All entries in these articles, are my individual opinion, or from co-writers and they don't necessary reflect the opinion of my employer.


Friday the 7th, May 2021. All rights reserved.. // Oostdam WebDesign