Tuesday, September 21, 2010

Offline spelunking of Active Directory - setup

Needed to extract some historical information from Active Directory (AD) backups stored in NTBackup BKF files. The first challenge was extracting the NTDS.DIT from the BKF. How do I get that snapshot loaded up so I can query the backup? I didn’t find a way to directly query for results from the NTDS.DIT without loading it into a running Domain Controller (DC) instance.

My approach is loosely modeled on the technique outlined at TechNet to “mount” a snapshot in VMware Workstation on a server configured as a DC that closely models the forest structure of the targeted AD backup. I’d prefer to use a clone or image from the actual DCs, but I cannot disturb the online production environment.

I set up a VMware team consisting of a Windows Server 2008 R2 x64 server configured as a DC and a Vista x86 (32-bit) workstation with Windows Server 2008 Remote Server Administration Tools, Active Directory Explorer, and some custom hand-built ADSI-based tools. I’ll be pushing tests of the custom tools from Visual Studio on the host to the virtualized Vista box in the team because I don’t want to directly mess with the virtualized DC. Now to get the directory backup loaded so I can do some offline spelunking.
