Using Dsamain to Find the Right Backup

Windows Server 2008 includes some new tools for working with backups and snapshots of the Active Directory database. One of these is Dsamain.exe, which can expose a copy of the database (ntds.dit) taken from a snapshot or a backup as a standalone LDAP instance that you can then browse with standard tools like Ldp.exe or Active Directory Users and Computers.

One of the situations often given as an example of how Dsamain can be helpful is when you have multiple backups of a domain controller and you want to view the contents of those backups. If you are new to this process, it may not be readily clear how you can view the contents of the Active Directory database in a backup. After all, Windows Server Backup creates its backups in a VHD file. How are you supposed to get at the Active Directory database inside it?

Option 1: Attach the VHD Containing the NTDS.DIT File

A new feature of Windows Server 2008 R2 and Windows 7 is the built-in ability to attach VHD files. Attaching a VHD file assigns it a drive letter and makes it accessible like any other volume on your machine.

The easiest way to attach a VHD is to use the Disk Management MMC. Right-click Disk Management (or use the Action menu) and select Attach VHD. Tick the Read-only option in the dialog so that nothing in the backup can be modified while you inspect it.

Once you attach the VHD, you can browse the VHD like any other drive. You will need to copy the path of the ntds.dit file for use later with Dsamain.

In Windows Server 2008 (without R2) there is no built-in attach; you can install VHDMount to attach VHD files, or you can restore the Active Directory files to an alternate location as described in Option 2.

Note: VHDMount is part of Virtual Server 2005 which can be downloaded at http://www.microsoft.com/downloads/en/details.aspx?FamilyID=bc49c7c8-4840-4e67-8dc4-1e6e218acce4&DisplayLang=en

To install just VHDMount, perform a custom installation.

Option 2: Restore the Active Directory from Backup

The quickest method of extracting just the Active Directory files from a backup that contains the system state is to use Wbadmin. Run wbadmin get versions first to list the version identifiers of the available backups, then recover the AD application component to an alternate location:

wbadmin start recovery -version:<versionID> -itemType:App -items:AD -recoveryTarget:<pathToAlternateRestoreLocation>

You could also do a system state restore to an alternate location, but that takes a bit longer:

wbadmin start systemstaterecovery -version:<versionID> -backupTarget:<path where backup is stored> -recoveryTarget:<path to alternate location>

Either way, once the Active Directory files are restored to this alternate location, locate the ntds.dit file under it and mount that file with Dsamain from a command prompt, as described next.

Creating an LDAP Instance with Dsamain

When you have either attached the VHD or extracted the system state from backup, you can use the path to the ntds.dit file with Dsamain to create a new LDAP instance:

dsamain /dbpath <path to restored ntds.dit> /ldapport 50000

Once mounted, you must leave the command prompt window open for as long as you want to work with this instance (Ctrl+C in that window stops it). You can use a tool like Active Directory Users and Computers to connect to this instance and view the contents: use the “Connect to domain controller” option and specify the DC to connect to as hostname:portnumber, where portnumber is the port you used with Dsamain. In Ldp.exe, connect to the host name and the same port. Keep in mind that the instance serves the complete database, including the domain’s password hashes, to anyone who can authenticate to it as an admin of that domain, so run it on a trusted machine, stop it when you are done and delete any copies of ntds.dit you made along the way.

Now if you have multiple backups of a domain controller and you are not sure what objects they contain, you have a way of selecting the correct backup easily without any downtime. In previous versions of Windows you would have had to boot into DSRM, restore the system state, and then reboot into Windows to view the contents of what was restored. You’d also probably have to pull the network cable of the machine you restored so you can view the contents before replication takes place and you are back to square one.

Dsamain and Windows 2003 Active Directory Databases

The cool thing about Dsamain in Windows Server 2008 is that you can also mount ntds.dit files from Windows Server 2003 DCs. So, if you have a Windows Server 2008 server in your domain it is possible to browse the contents of a 2003 backup without resorting to the above-mentioned procedure of booting into DSRM and restoring.

Again, you can restore the system state using NTBackup to an alternate location on the Windows 2003 machine. Then copy the ntds.dit file over to your Windows 2008 machine and run Dsamain as follows:

dsamain /dbpath "path to ntds.dit" /ldapport 50000 /allowUpgrade

You may receive the following error when attempting the above command:

Error value: -544 JET_errSoftRecoveryOnBackupDatabase, Soft recovery is intended on a backup database. Restore should be used instead

In that case, you will need to run a hard repair on the DIT file by running esentutl /p "path to ntds.dit". Do this on a copy of the file in a writable location, never on the backup itself: a hard repair rewrites the database and can discard uncommitted transactions, and a VHD attached read-only cannot be written to anyway.

After you repair the file, try mounting it again with Dsamain.

Also, one last switch that may be important. If you are attempting to look at an Active Directory database from another domain, you will need to use the /allowNonAdminAccess switch, because Dsamain by default only admits members of the Domain Admins or Enterprise Admins groups of the domain the database belongs to. Otherwise you will get an authentication error when you try to view the contents of the database using a tool like Active Directory Users and Computers.
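The whole procedure above (restored or attached ntds.dit, Dsamain on a private port, a query against the instance) and the Windows 2003 variant in this section (/allowUpgrade, the -544 error and the esentutl /p repair, /allowNonAdminAccess) can be scripted so that several backups are checked in one go. The PowerShell below is an added example written for this page; it is not code from the original post or from Microsoft. The scratch folder, the candidate ntds.dit paths, the port range and the account name jdoe are assumptions, and it must be run elevated on a Windows Server 2008 / 2008 R2 machine as an admin of the domain the databases came from. Each candidate file is copied to a disposable folder first, so the backups themselves are never written to.

```powershell
# Added example, not part of the original post. Mounts each candidate ntds.dit with
# dsamain on its own port and reports which copies hold a given account, live or as a
# tombstone. Paths, ports, the scratch folder and the account name are assumptions.

$Scratch = 'D:\ditscratch'   # assumed writable work folder for disposable copies
$Target  = 'jdoe'            # assumed sAMAccountName you are trying to locate
$Candidates = @(             # assumed sources: attached VHDs, wbadmin or NTBackup restores
    @{ Path = 'F:\Windows\NTDS\ntds.dit';     Upgrade = $false },  # VHD from a 2008 DC backup
    @{ Path = 'G:\Windows\NTDS\ntds.dit';     Upgrade = $false },
    @{ Path = 'D:\ntbackup-restore\ntds.dit'; Upgrade = $true  }   # copied from a 2003 DC
)

function Start-DitInstance {
    param([string]$DitPath, [int]$Port, [switch]$AllowUpgrade, [switch]$AllowNonAdminAccess)
    # Always work on a copy: esentutl /p rewrites the file, a read-only VHD cannot be
    # written, and the backup itself must stay untouched.
    $work = Join-Path $Scratch "dit$Port"
    New-Item -ItemType Directory -Path $work -Force | Out-Null
    $dit = Join-Path $work 'ntds.dit'
    Copy-Item -Path $DitPath -Destination $dit -Force

    $dsArgs = "/dbpath `"$dit`" /ldapport $Port"
    if ($AllowUpgrade)        { $dsArgs += ' /allowUpgrade' }        # Windows 2003 database
    if ($AllowNonAdminAccess) { $dsArgs += ' /allowNonAdminAccess' } # database from another domain

    $out = Join-Path $work 'dsamain.out'
    $err = Join-Path $work 'dsamain.err'
    for ($attempt = 1; $attempt -le 2; $attempt++) {
        $proc = Start-Process -FilePath dsamain.exe -ArgumentList $dsArgs -PassThru -NoNewWindow `
                    -RedirectStandardOutput $out -RedirectStandardError $err
        # Poll the LDAP port until dsamain answers or gives up (it exits on failure).
        $deadline = (Get-Date).AddSeconds(60)
        while (-not $proc.HasExited -and (Get-Date) -lt $deadline) {
            try {
                $tcp = New-Object System.Net.Sockets.TcpClient('127.0.0.1', $Port)
                $tcp.Close()
                return $proc
            } catch { Start-Sleep -Seconds 2 }
        }
        if (-not $proc.HasExited) { Stop-Process -Id $proc.Id -Force }
        $log = (Get-Content -Path $out, $err -ErrorAction SilentlyContinue) -join "`n"
        if ($attempt -eq 1 -and $log -match 'JET_errSoftRecoveryOnBackupDatabase|-544') {
            # The copy still carries the "backup" flag in its header. A hard repair clears it
            # but can drop uncommitted transactions and may prompt for confirmation, so it
            # only ever runs on the disposable copy. Out-Host keeps esentutl's output off
            # this function's return stream.
            & esentutl.exe /p $dit | Out-Host
            continue
        }
        throw "dsamain did not start on port ${Port}:`n$log"
    }
}

function Find-AccountInInstance {
    param([int]$Port, [string]$SamAccountName)
    # Binds as the current user; dsamain only admits Domain/Enterprise Admins of the
    # mounted domain unless /allowNonAdminAccess was given.
    $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://localhost:$Port/RootDSE")
    $nc   = $root.Properties['defaultNamingContext'][0]
    $base = New-Object System.DirectoryServices.DirectoryEntry("LDAP://localhost:$Port/$nc")
    $s = New-Object System.DirectoryServices.DirectorySearcher($base)
    [void]$s.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'whenChanged'))
    $s.Filter = "(sAMAccountName=$SamAccountName)"
    $live = $s.FindOne()
    # A newer backup may hold the object only as a tombstone in the Deleted Objects
    # container; the Tombstone property adds the "show deleted" LDAP control.
    $s.Tombstone = $true
    $s.Filter = "(&(isDeleted=TRUE)(sAMAccountName=$SamAccountName))"
    $tomb = $s.FindOne()
    $liveDn = $null; if ($live) { $liveDn = [string]$live.Properties['distinguishedname'][0] }
    $tombDn = $null; if ($tomb) { $tombDn = [string]$tomb.Properties['distinguishedname'][0] }
    New-Object PSObject -Property @{ Live = $liveDn; Tombstone = $tombDn }
}

$port = 50000
$report = foreach ($c in $Candidates) {
    $proc = $null
    try {
        $proc = Start-DitInstance -DitPath $c.Path -Port $port -AllowUpgrade:$c.Upgrade
        $hit  = Find-AccountInInstance -Port $port -SamAccountName $Target
        New-Object PSObject -Property @{ Backup = $c.Path; Live = $hit.Live; Tombstone = $hit.Tombstone }
    } finally {
        # Ctrl+C is the normal way to stop dsamain; the copy is disposable, so a kill is fine.
        if ($proc -and -not $proc.HasExited) { Stop-Process -Id $proc.Id -Force }
    }
    $port++
}
$report | Format-Table Backup, Live, Tombstone -AutoSize
# Remove $Scratch afterwards: every copy contains the domain's password hashes.
```

A backup in which the account shows up under Live but not Tombstone is the one to restore from; one that shows only a Tombstone was taken after the deletion. Each instance gets its own port so a stuck instance from one backup cannot be confused with the next, and because the script only ever reads from the original files, the attached VHDs can stay read-only.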

Additional Reading

Windows Server 2008 – Reanimating Objects and Restoring additional Information
http://blogs.dirteam.com/blogs/jorge/archive/2008/03/20/windows-server-2008-reanimating-objects-and-restoring-additional-information.aspx

Restoring 2003 AD Objects using Windows 2008 Server
http://www.corelan.be/index.php/2007/07/14/restoring-2003-ad-objects-using-windows-2008-server/

This entry was posted in Active Directory, Disaster Recovery.
