Active Directory

Active Directory snapshots

You can use ntdsutil.exe to create snapshots of the Active Directory database. A snapshot is a point-in-time copy of the database. You can use tools to examine the contents of the database as it existed at that point in time. It’s also possible to transfer objects from the snapshot of the Active Directory database back into the version currently used with your domain’s domain controllers. The AD DS service must be running to create a snapshot.

To create a snapshot, execute the following command:

A GUID identifies each snapshot. You can create a scheduled task to create snapshots on a regular basis. You can view a list of all current snapshots on a domain controller by running the following command:

To mount a snapshot, make a note of the GUID of the snapshot that you want to mount and then issue the following command:

When mounting snapshots, you must use the {} braces with the GUID. You can also use the snapshot number associated with the GUID when mounting the snapshot with the ntdsutil.exe command. This number is always odd.

When the snapshot mounts, make a note of the path associated with the snapshot. You use this path when mounting the snapshot with dsamain. For example, to use dsamain with the snapshot mounted as c:\$SNAP_201212291630_VOLUMEc$\, issue this command:

You can choose to mount the snapshot using any available TCP port number; 50000 is just easy to remember. Leave the PowerShell window open when performing this action. After the snapshot is mounted, you can access it using Active Directory Users And Computers. To do this, perform the following steps:

  1. Open Active Directory Users And Computers.

  2. Right-click the root node and select Change Domain Controller.

  3. In the Change Directory Server dialog, enter the name of the domain controller and the port, and select OK. You can then view the contents of the snapshot using Active Directory Users And Computers in the same way that you would the contents of the current directory.

You can dismount the snapshot by using Ctrl+C to close dsamain, and then executing the following command to dismount the snapshot:
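
The whole procedure above (create, list, mount, expose with dsamain, inspect, dismount) as one scripted pass. This is an added example, not the book's own commands. It assumes an elevated PowerShell session on a domain controller, the default database location (Windows\NTDS\ntds.dit on the snapshotted volume), the ActiveDirectory module, and that ntdsutil prints "Snapshot set {GUID} generated" and "mounted as <path>"; the account name jsmith is hypothetical.

```powershell
# Added example (not from the original text). Run elevated on a domain controller.
$port = 50000                      # any free TCP port; 50000 is the value used in the text

# 1. Create a snapshot and read its GUID from ntdsutil's output (format assumed).
$out = ntdsutil snapshot 'activate instance ntds' create quit quit | Out-String
if ($out -notmatch 'Snapshot set (\{[0-9a-fA-F-]{36}\}) generated') {
    throw "Snapshot creation failed:`n$out"
}
$guid = $Matches[1]                # braces are kept; mount/unmount require them

# 2. List all snapshots currently held on this domain controller.
ntdsutil snapshot 'list all' quit quit

# 3. Mount the snapshot and read the mount path, e.g. C:\$SNAP_<timestamp>_VOLUMEC$\
$out = ntdsutil snapshot "mount $guid" quit quit | Out-String
if ($out -notmatch 'mounted as (\S+)') { throw "Mount failed:`n$out" }
$mountPath = $Matches[1]

# A literal path typed by hand needs single quotes in PowerShell; in double
# quotes, $SNAP_... would be expanded as a variable and vanish from the path.
$dbPath = Join-Path $mountPath 'Windows\NTDS\ntds.dit'   # default location (assumption)
if (-not (Test-Path -LiteralPath $dbPath)) { throw "No ntds.dit at $dbPath" }

# 4. Expose the snapshot as a read-only LDAP server on the chosen port.
$dsamain = Start-Process dsamain.exe -PassThru -WindowStyle Hidden `
    -ArgumentList "-dbpath `"$dbPath`" -ldapport $port"
try {
    Start-Sleep -Seconds 5         # give dsamain time to open the database
    # 5. Compare an object in the snapshot with the live directory.
    #    'jsmith' is a hypothetical account name.
    $then = Get-ADUser jsmith -Properties * -Server "localhost:$port"
    $now  = Get-ADUser jsmith -Properties *
    Compare-Object $then.PropertyNames $now.PropertyNames
    'Snapshot: {0}   Live: {1}' -f $then.whenChanged, $now.whenChanged
}
finally {
    # 6. Always stop dsamain and dismount. A mounted snapshot is a readable copy
    #    of ntds.dit, so it should not stay mounted longer than the inspection needs.
    Stop-Process -Id $dsamain.Id -Force     # scripted equivalent of Ctrl+C
    ntdsutil snapshot "unmount $guid" quit quit
}
```

The snapshot remains on disk after it is dismounted, so it still appears in `list all` until it is deleted.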