Windows 2008 introduced new features called Active Directory snapshot.As a usage of this features we can mount read only copy of ADDS database using different port.This will allow us to recover\retrieve data from the previously taken state of the Active Directory.

Why we need ADDS Snapshot?

We can easily export and recover deleted data from the Snapshot

We can retried some changed data from the snapshot

Step by steps for AD Snapshot

1.This is the active directory we are going to use for this LAB

2. To enable and create AD snapshot we have to use "NTDSUTIL" tool.Open command prompt with privileged mode and type "NTDSUTIL" and press enter

3. Type "Snapshot" and press enter

4. Using "Help" command we can get available commands with the "NTDSUTIL"

5. Type "Activate Instance NTDS"

6. Type "Create" and press "Enter" for create a snapshot

7.  Now snapshot is creating

8. Using "list all" command we can see the available snapshots with the active directory,using "Mount" command with snapshot's GUID we can mount that snapshot also

9. Open seperate command prompt and type "dsamain -dbpath c:\$snap_2014113011043_Volumec$\windows\NTDS\ntds.dit -ldapport 50000"

* this path would be changed depend on the server\configuration

10. Now we are going to delete some objects from active directory

11. Using active directory console now we can connect to the snapshot, for that right click on the "Active directory domain name" and select "Change Domain Controller"

12 Type the server name and given ldap port no

13. Now we can see deleted objects with the previous snapshot

14. Using power shell also we can retrieve the data on the previous snapshot

15. Finally we can un mount the snapshot
on the NTDSUTIl we can go to the snapshot sub menu and type "unmount GUID"