AD Snapshots! (and the recycle bin)

First things first, if you have your Active Directory (AD) environment on 2008 R2 or newer and do NOT have the AD Recycle Bin enabled yet – stop what you are doing and enable it now!


I had a great time attending the TechMentor 2014 conference in Orlando, FL this past week. One of my more important takeaways was AD Snapshots.

As it turns out, in Server 2008 a new utility was provided for AD that allowed you to take snapshots via command line. You can then mount these snapshots (to a port # not in use) and access historical read-only data. This is particularly great and useful when recovering AD Attributes. If you need to recover a deleted item, the AD Recycle Bin is what you need to use. If you have an attribute that has been corrupted, deleted, etc – AD snapshots is where it’s at.

I highly recommend checking out Ashley McGlone’s blog post on AD Snapshots and utilizing the functions he wrote and provided to the community. One gotcha however, is that they are currently not supported if your AD environment was installed to a drive other than the default of C.

So if on this page – if you changed the install directory to something other than C: – be sure to keep reading.



Within the function set provide, you have 7 functions:

These functions work

  • New-ADSnapshot
  • Show-ADSnapshot
  • Remove-ADSnapshot
  • Dismount-ADDatabase

These functions do NOT work

  • Mount-ADDatabase (must do DSAMAIN from CMD manually)
  • Repair-ADAttribute (will have to manually script out repairs)
  • Repair-ADUserGroup (did not actually test – but assuming it does not work since Repair-ADAttribute didn’t work)

Setting Up Snapshots

The first thing you will want to do is schedule snapshots. I did this simply but running the following PowerShell script once a day. Note: I am running this as a domain admin from a utility server as a scheduled task. This is all covered in more detail in Ashley’s blog post referenced above.


$s = New-PSSession -ComputerName
Invoke-Command -Session $s -FilePath ‘C:\filepath\AD_Snapshot_Functions\AD_Snapshot_Functions.ps1’
Invoke-Command -Session $s -ScriptBlock {new-ADSnapshot}
Invoke-Command -Session $s -ScriptBlock {Remove-ADSnapshot -Keep 5 -Last} -ThrottleLimit 1
Remove-PSSession $s


*Be sure to do some testing with the snapshots to see how much space they take up – don’t shoot yourself in the foot!

**Also, I apologize for the formatting above. If you have PowerShell experience you should be able to tell that lines 2 and 3 are actually one line.


Accessing the Snapshots

If you installed to the C: drive you are in luck. The AD Snapshot Functions are tailored to you and will work out great! Please see here for more details.

If you are like me and got too fancy and installed AD somewhere else; I’m here to help.

First thing you will want to do is open a command prompt and mount your snapshot (assuming you took one already).


Now that it is mounted, run the following command. Make sure it is from CMD and not PowerShell – I made that mistake and it would not work.

Note: You have to type ‘quit’ twice to get out of ntdsutil


*please insert the name of YOUR snapshot into the line above ($SNAP_******************). The rest of the command should stay the same.

Once this runs, DO NOT close CMD. Leave it running or you will lose your session into your snapshot. At this point you can open PowerShell and utilize the AD module to query the snapshot or you can open ADUC (Active Directory Users and Computers) and access it. You just have to specify the port you used. In the example above I used 33389.


PowerShell: get-aduser ada21_test -properties description,office,homepage,officephone -Server localhost:33389

^This will query the snapshot. Just remove the :33389 portion to query the live AD DB.

ADUC: Open ADUC > right click on the domain > change DC > enter in localhost:33389 and connect to it. You will now have an active GUI to navigate the snapshot.


^for the purposes of testing, I manually changed information on the user above after taking the snapshot


When you are done, you can just run Dismount-ADDatabase (AD function) from PowerShell or from CMD – ntdsutil > snapshot > unmount *. You can also close out of the CMD that has DSAMAIN open in it.



…And that’s it!

Remember, enable AD Recycle Bin and start taking AD Snapshots TODAY! It will help make small recoveries much much quicker.


Leave a Reply

Your email address will not be published. Required fields are marked *