0

I am trying to automate backups of a Windows 2008 Active Directory database (ntds.dit).

Mounted AD snapshots get created in C:\$SNAPxxxxxxxxxx\Windows\NTDS. The script below works for creating, mounting, unmounting and deleting AD snapshots.

What doesn’t work is the robocopy. Above the robocopy line, I change to the directory containing the mounted snapshot. Then, I tell Windows to copy that directory and its sub-contents (/s) to C:\ad_backups. Instead of copying the contents of the C:\$SNAPxxxxxxxxxx\ directory, robocopy starts copying the entire C: drive to C:\ad_backups. Why? Permissions?

I also found that if you use Windows Explorer to browse to C:\$SNAPxxxxxxxxxx\, that folder appears as a shortcut icon (almost like a symlink in linux). Double-clicking it takes you back to C:\ even though the address bar of Windows Explorer shows C:\$SNAPxxxxxxxxxx.

rem unmount all mounted snapshots if any
ntdsutil snapshot "list all" "unmount *" quit quit
rem delete all existing snapshots if any
ntdsutil snapshot "list all" "delete *" quit quit
rem create a new snapshot
ntdsutil snapshot "activate instance ntds" create quit quit
rem mount the snapshot
ntdsutil snapshot "list all" "mount 1" quit quit
rem Change directory to C:\snapshot_location
cd c:\*snap*
rem copy snapshot contents to C:\ad_backups
robocopy . C:\ad_backups\ /s
rem unmount and delete the snapshot
ntdsutil snapshot "list all" "unmount *" quit quit
ntdsutil snapshot "list all" "delete *" quit quit

UPDATE 2/14/2014

Per @arcesso I changed

cd c:\*snap*

to

cd c:\*snap*\windows\ntds

Now when I try to use dsamain to reveal the information in the backed-up AD snapshot, I receive errors. It seems dsamain only likes to work with snapshots that are mounted via ntdsutil. Additionally, ntdsutil doesn't have the option to change directories to c:\ad_backups to mount a snapshot.

C:\Windows\system32>dsamain -dbpath C:\ad_backups -ldapport 10389
EVENTLOG (Error): NTDS General / Internal Processing : 1003
Active Directory Domain Services could not be initialized.

The directory service cannot recover from this error.

User Action

Restore the local directory service from backup media.

Additional Data

Error value:
-1032 JET_errFileAccessDenied, Cannot access file, the file is locked or in use

EVENTLOG (Informational): NTDS General / Service Control : 1004
Active Directory Domain Services was shut down successfully.

I received the same errors above when making a manual VSS copy of C:\Windows\NTDS* and attempting to use dsamain.

JJBladester
  • 13
  • 1
  • 5

2 Answers2

0

It sounds like you have almost answered your own question. If C:\$SNAPxxxxxxxxxx\ goes to C:\ but you need C:\$SNAPxxxxxxxxxx\Windows\NTDS, why not just go to C:\windows\NTDS and skip over the problem?

Philosophene
  • 202
  • 1
  • 12
  • I changed the path as you suggested but dsamain still can't interact with the backed-up snapshot (see errors above). Any other ideas? – JJBladester Feb 14 '14 at 15:09
0

Got it... I needed to add ntds.dit to the path.

C:\Windows\system32>dsamain -dbpath C:\ad_backups\ntds.dit -ldapport 10389
EVENTLOG (Informational): NTDS General / Service Control : 1000
Microsoft Active Directory Domain Services startup complete, version 6.0.6002.18 781
JJBladester
  • 13
  • 1
  • 5