If you wish to create a "copy" of your ADDS service so you can perform auditing on the "copied" version, you need to get your NTDS.dit file onto the server you wish to run dsamain.exe on. By default, you will not get this utility.
Problem : no dsamain.exe
You will require dsamain.exe, but you will notice there is no dsamain.exe installed on the system, so you have killed your own party before it has begun, as you can see:
Note: You cannot just copy dsamain.exe from a working ADDS server, as it depends on a number of DLL and SYS files that must also be present!
Prepare Server for dsamain.exe
You need to get a server to the point where it has the ADDS role installed but is not "pre-configured"; if you promote it, it will become an actual domain controller, which is not the intention. This is the usual command to install ADDS:
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
However, we do not need the management tools as it's not actually going to be an ADDS server; we are only mounting the ADDS database on a custom port, so we need this command (no management tools):
Install-WindowsFeature -Name AD-Domain-Services
When this role is installed, if you start Server Manager you will notice it says this; remember not to follow it though, as we do not want an official functioning domain controller:
You should now have the option to use dsamain.exe from the command prompt, which you can test by running the command itself, like this:
Excellent, we can now move on to the next section of this guide to mount the ntds.dit file.
Server Backup and VHDX Mounting
Then under "All Backups", if you are backing up to a network share you will only see one backup, as each backup overwrites the older version; this is the case here, so click on "View Details":
Then if you browse to that location you will notice it looks like this: you have a bunch of VHDX files, which is perfect. However, it's not so easy to understand which .vhdx file represents which backup, because the Date modified attribute is updated when Windows Server Backup modifies each file.
Now notice that we have 3 VHDX files as you can see below:
That will show you the status of the backup and more importantly the disks that have been backed up in the backup:
Let's bring the 3x VHDX files back; now we can make sense of them from the image above:
In my example the GUIDs map to the disks like this, based on their sizes:
76686bab-6a6c-11e7-80b4-806e6f6e6963 - System Drive (C:)
3c5d5047-6a6d-11e7-80b5-0017a477042a - NTDS Logs (E:)
3c5d503d-6a6d-11e7-80b5-0017a477042a - NTDS Database (D:)
- In Disk Management, select Attach VHD from the Action menu.
- In the Attach Virtual Hard Disk dialog, click Browse and select the .vhdx file you want to mount.
- Click OK.
- The new disk will appear in Disk Management but without a drive letter. To assign a drive letter, right-click the drive in the Volume column and select Change Drive Letter and Paths… from the menu.
- Choose a relevant drive letter.
Now we can move on, Skeletor.
dsamain /dbpath <ntds_path> /logpath <log_path> /ldapport 5050
That should look like this; you need to leave this command prompt running for the mounted ADDS instance to stay online.
Note: You need to see "startup complete" before you can connect to it.
Access and manage via Active Directory Users and Computers
- Start Active Directory Users and Computers by entering dsa.msc in the Run box.
- Select Change Domain Controller… from the menu.
- In the Change Directory Server dialog, check This Domain Controller or AD LDS instance.
- Click <Type a Directory Server name[:port] here> and enter the server name and the port used above, as below.
- Click OK.
You are now connected to the backup copy of AD as mounted by "dsamain", which you will see when you accept the connection:
Query Users in that ADDS instance
Get-ADUser -Identity adadmin -Properties * -Server <mounted_instance_ip>:5050
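Pulling the whole thing together as an audit check, here is an added example (my own script, not from the original post): it starts dsamain against the mounted VHDX drives, waits for "startup complete" in its console output, then compares privileged group membership in the backup copy with the live domain so you can spot accounts added or removed since the backup was taken. The ntds.dit/log paths under D: and E:, port 5050, the group name, and that ADWS is running on the server hosting dsamain are assumptions.

```powershell
# Added example: mount the backup with dsamain, then diff group membership
# between the mounted copy and the live domain. Paths/port/group are assumptions.
param(
    [string]$DbPath    = 'D:\Windows\NTDS\ntds.dit',  # ntds.dit on the mounted D: VHDX (assumed)
    [string]$LogPath   = 'E:\Windows\NTDS',           # NTDS logs on the mounted E: VHDX (assumed)
    [int]   $Port      = 5050,
    [string]$Group     = 'Domain Admins',
    [string]$MountHost = $env:COMPUTERNAME            # server running dsamain (ADWS assumed here)
)

$stdout = Join-Path $env:TEMP 'dsamain-stdout.log'
$proc = Start-Process -FilePath 'dsamain.exe' `
    -ArgumentList "/dbpath `"$DbPath`" /logpath `"$LogPath`" /ldapport $Port" `
    -RedirectStandardOutput $stdout -NoNewWindow -PassThru

# dsamain prints "startup complete" once the database is online; poll its
# redirected output for that string instead of sleeping a fixed time.
$deadline = (Get-Date).AddMinutes(5)
do {
    Start-Sleep -Seconds 5
    if ($proc.HasExited) { throw "dsamain exited early (code $($proc.ExitCode)); see $stdout" }
    $ready = (Test-Path $stdout) -and (Select-String -Path $stdout -Pattern 'startup complete' -Quiet)
} until ($ready -or (Get-Date) -gt $deadline)
if (-not $ready) { Stop-Process -Id $proc.Id -Force; throw 'dsamain never reported startup complete' }

# Same query twice: once against the mounted copy (host:port), once against a live DC.
$backupMembers = @(Get-ADGroupMember -Identity $Group -Recursive -Server "${MountHost}:$Port" |
                   Select-Object -ExpandProperty SamAccountName | Sort-Object)
$liveMembers   = @(Get-ADGroupMember -Identity $Group -Recursive |
                   Select-Object -ExpandProperty SamAccountName | Sort-Object)

# '=>' = only in the live domain (added since the backup); '<=' = only in the backup (removed).
$diff = Compare-Object -ReferenceObject $backupMembers -DifferenceObject $liveMembers
if ($diff) {
    $diff | ForEach-Object {
        $state = if ($_.SideIndicator -eq '=>') { 'ADDED since backup' } else { 'REMOVED since backup' }
        '{0,-25} {1}' -f $_.InputObject, $state
    }
} else {
    "$Group membership in the backup copy matches the live domain."
}

# dsamain keeps running so you can continue querying; stop it when finished:
# Stop-Process -Id $proc.Id
```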