Mount ADDS in an "isolated" instance

If you wish to create a "copy" of your ADDS service so you can audit the "copied" version, you need to get your NTDS.dit file onto the server you intend to run dsamain.exe on. By default that server will not have this utility.

Problem : no dsamain.exe

You will need dsamain.exe, but you will notice there is no dsamain.exe installed on the system, so the party is over before it has begun, as you can see:

Note: You cannot simply copy dsamain.exe from a working ADDS server, as it depends on a number of DLL and SYS files that only arrive with the role!


Prepare Server for dsamain.exe

You need to get a server to the point where it has the ADDS role installed but not "configured". If you configure it, it becomes an actual domain controller, which is not the intention. This is the usual command to install ADDS:

Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

However, we do not need the management tools, as this is not actually going to be an ADDS server; we are only mounting the ADDS database on a custom port. So we need this command, i.e. without the management tools:

Install-WindowsFeature -Name AD-Domain-Services

When this role is installed, Server Manager will flag a post-deployment task to promote this server to a domain controller. Do not follow it: we do not want an official, functioning domain controller, only the binaries:


Check for dsamain.exe

dsamain.exe should now be available from the command prompt, which you can confirm by running it; with no arguments it prints its usage text instead of the "not recognized" error from before:


Excellent, we can now move on to the next section of this guide to mount the ntds.dit file.
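As an added example (not part of the original post), here are the preparation and check steps rolled into one elevated PowerShell script: it refuses to run on a box that is already a domain controller, installs the role binaries without the management tools, and confirms that dsamain.exe is now on disk. Nothing beyond the default System32 location is assumed.

```powershell
# Added example: prepare an isolated server for dsamain.exe and verify the binary is present.
# Run from an elevated PowerShell session on the server that will host the mounted database.

# Never do this on a real domain controller: we want the role binaries only, not a promoted DC.
# Win32_ComputerSystem.DomainRole: 0-3 = workstation/member/standalone server, 4 = backup DC, 5 = primary DC.
$role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
if ($role -ge 4) {
    throw "This server is already a domain controller (DomainRole=$role); use a separate member or workgroup server."
}

# Install the AD DS role binaries WITHOUT -IncludeManagementTools and WITHOUT running the promotion wizard.
$feature = Get-WindowsFeature -Name AD-Domain-Services
if (-not $feature.Installed) {
    $result = Install-WindowsFeature -Name AD-Domain-Services
    if (-not $result.Success) {
        throw "AD-Domain-Services did not install (exit code $($result.ExitCode))."
    }
    if ($result.RestartNeeded -ne 'No') {
        Write-Warning 'Windows reports a restart is needed; reboot before using dsamain.exe.'
    }
}

# The check step: dsamain.exe lives in System32 once the role binaries are installed.
$dsamain = Join-Path $env:SystemRoot 'System32\dsamain.exe'
if (-not (Test-Path -LiteralPath $dsamain)) {
    throw 'dsamain.exe is still missing; the role binaries did not install.'
}
$ver = (Get-Item -LiteralPath $dsamain).VersionInfo.FileVersion
"dsamain.exe $ver found at $dsamain"
```

The DomainRole guard is the important part: pointing dsamain at a foreign database on a box that is already a DC is never what you want, and Install-WindowsFeature alone never promotes, so the only way to end up with a real DC is to click through the Server Manager notification.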

Server Backup and VHDX Mounting

If you use Windows Server Backup to manage your backups, you can back up to a network location. To check that location, open Windows Server Backup and choose Local Backup (if you are connecting remotely it is still called Local Backup).

Then, under "All Backups", if you are backing up to a network share you will only see one backup, because each backup to a shared folder overwrites the previous one. That is the case here, so click "View Details".



This will show you the details of the backup, including the backup location (in the green box, under the values I have redacted):




If you browse to that location you will see a bunch of VHDX files, which is perfect. However, it is not so easy to tell which .vhdx file represents which volume, because the Date modified attribute is updated whenever Windows Server Backup writes to each file.


Now notice that we have 3 VHDX files as you can see below:



Quickly go back to Windows Server Backup and, under Last Backup, click View details as below:


That will show you the status of the backup and, more importantly, the disks that were included in it:


Let's bring the 3x VHDX files back; now we can make sense of them using the image above:



In my example, going by the sizes, the GUIDs map like this:

76686bab-6a6c-11e7-80b4-806e6f6e6963 - System Drive (C:)
3c5d5047-6a6d-11e7-80b5-0017a477042a - NTDS Logs (E:)
3c5d503d-6a6d-11e7-80b5-0017a477042a - NTDS Database (D:)

Therefore, I need to mount the two files that hold the ADDS database and log files. To do this, open Disk Management with administrator privileges, then:
  1. In Disk Management, select Attach VHD from the Action menu.
  2. In the Attach Virtual Hard Disk dialog, click Browse and select the .vhdx file you want to mount.
  3. Click OK.
  4. The new disk will appear in Disk Management but without a drive letter. To assign a drive letter, right-click the drive in the Volume column and select Change Drive Letter and Paths… from the menu.
  5. Choose a relevant drive letter
We will need to do this twice: once for the NTDS Logs and once for the NTDS Database.

That should look like this (and yes, I know these do not have a drive letter; it is not required for the illustrative images):
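Because the only things that distinguish those three .vhdx files are their GUIDs and sizes, the mapping above had to be worked out by hand. As an added example that is not from the original post, the following PowerShell does the same job mechanically: it attaches each image read-only (the equivalent of Attach VHD with the Read-only box ticked), looks for ntds.dit and the edb*.log files on every volume that received a drive letter, detaches the images that hold neither, and copies the database and logs to a writable scratch folder for dsamain. The backup folder path and the C:\ntds_work scratch directory are assumptions; replace them with the location shown in View Details and a folder of your choice.

```powershell
# Added example: find which backup VHDX files hold the NTDS database and logs, then copy them out.
# Assumed paths (not from the original post): replace with your own backup location and scratch folder.
$backupDir = '\\backupserver\Backups\WindowsImageBackup\DC01\Backup 2017-07-17 020000'
$workDir   = 'C:\ntds_work'

$found = foreach ($vhdx in Get-ChildItem -LiteralPath $backupDir -Filter '*.vhdx' -File) {
    # Attach read-only so nothing in the backup can be altered by the inspection.
    Mount-DiskImage -ImagePath $vhdx.FullName -StorageType VHDX -Access ReadOnly | Out-Null
    $diskNo = (Get-DiskImage -ImagePath $vhdx.FullName).Number

    $hits = foreach ($vol in (Get-Partition -DiskNumber $diskNo | Get-Volume)) {
        # Volumes without a drive letter are skipped; assign one in Disk Management and rerun if needed.
        if (-not $vol.DriveLetter) { continue }
        $root = "$($vol.DriveLetter):\"
        $dit  = Get-ChildItem -Path $root -Recurse -Filter 'ntds.dit' -File -ErrorAction SilentlyContinue |
                Select-Object -First 1
        $log  = Get-ChildItem -Path $root -Recurse -Filter 'edb*.log' -File -ErrorAction SilentlyContinue |
                Select-Object -First 1
        if ($dit -or $log) {
            $ditPath = if ($dit) { $dit.FullName } else { $null }
            $logDir  = if ($log) { $log.DirectoryName } else { $null }
            [pscustomobject]@{
                Vhdx        = $vhdx.Name
                DriveLetter = $vol.DriveLetter
                NtdsDit     = $ditPath
                LogDir      = $logDir
            }
        }
    }

    if ($hits) { $hits }
    else {
        # e.g. the system drive image: nothing we need, so detach it again.
        Dismount-DiskImage -ImagePath $vhdx.FullName | Out-Null
    }
}

$found | Format-Table -AutoSize

# dsamain's ESE engine may need to write to the database and logs when it opens them (log replay,
# header updates), so hand it a copy on a read-write location rather than the read-only mount.
$db  = $found | Where-Object NtdsDit | Select-Object -First 1
$log = $found | Where-Object LogDir  | Select-Object -First 1
if (-not $db -or -not $log) { throw 'Could not locate both ntds.dit and the edb*.log files in the backup.' }

New-Item -ItemType Directory -Path (Join-Path $workDir 'logs') -Force | Out-Null
Copy-Item -LiteralPath $db.NtdsDit -Destination $workDir
# edb* covers edb.log, edbNNNNN.log, edb.chk and the edbres*.jrs reserve files kept beside the logs.
Copy-Item -Path (Join-Path $log.LogDir 'edb*') -Destination (Join-Path $workDir 'logs')
"Database: $(Join-Path $workDir 'ntds.dit')   Logs: $(Join-Path $workDir 'logs')"
```

Working from a copy is also what keeps the backup evidentially clean: the read-only attach guarantees the .vhdx is not touched, and the scratch folder is where any writes land. Remember that the copy holds every password hash in the domain, so put it on a volume with tight ACLs and delete it when the audit is done.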


Now we can move on, Skeletor.

Mount ntds.dit in dsamain

Now you need to mount the database, which you can do with this command from an elevated command prompt. /dbpath takes the full path to ntds.dit and /logpath the directory that holds the edb*.log files:

dsamain /dbpath <ntds_path> /logpath <log_path> /ldapport 5050

That should look like this. You need to leave this command prompt running for the mounted instance to stay online.

Note: You need to see "startup complete" before you can connect to it.
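The same mount, wrapped so that the wait for "startup complete" is done for you. This is an added example, not from the original post: it starts dsamain as a separate process (so its console stays open, as required), polls until TCP 5050 is listening and the RootDSE of the mounted copy can be read over LDAP, and fails fast if dsamain exits instead. The C:\ntds_work paths are assumptions; point them at wherever your ntds.dit and log directory are.

```powershell
# Added example: start dsamain on a copied database and wait until it is really ready to serve LDAP.
# Assumed paths (not from the original post): full path to ntds.dit and the directory holding edb*.log.
$dbPath  = 'C:\ntds_work\ntds.dit'
$logPath = 'C:\ntds_work\logs'
$port    = 5050

# Fail fast if the port is already taken (dsamain would otherwise die with an unhelpful error).
if (Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue) {
    throw "TCP port $port is already in use on this host."
}

# Launch dsamain in its own console; the instance only lives as long as this process does.
# Add /allowNonAdminAccess if the account you query with is not an admin of the mounted domain.
$dsamain = Join-Path $env:SystemRoot 'System32\dsamain.exe'
$proc = Start-Process -FilePath $dsamain -PassThru `
    -ArgumentList "/dbpath `"$dbPath`" /logpath `"$logPath`" /ldapport $port"

# Poll: the port must be listening AND an LDAP RootDSE read must succeed; that is what
# "startup complete" means in practice.
$deadline = (Get-Date).AddMinutes(3)
$ready = $false
do {
    Start-Sleep -Seconds 2
    if ($proc.HasExited) {
        throw "dsamain exited with code $($proc.ExitCode); re-run it in a console to see the error text."
    }
    if (Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue) {
        try {
            $rootDse = New-Object System.DirectoryServices.DirectoryEntry("LDAP://localhost:$port/RootDSE")
            $rootDse.RefreshCache()    # throws if the bind fails, which is what we want while polling
            $ready = [bool]$rootDse.Properties['defaultNamingContext'].Value
        } catch { $ready = $false }
    }
} until ($ready -or (Get-Date) -gt $deadline)

if (-not $ready) { throw "dsamain did not become ready on port $port within the timeout." }
"Mounted copy is serving $($rootDse.Properties['defaultNamingContext'].Value) on localhost:$port (PID $($proc.Id))."
```

Two caveats a practitioner will want: stopping the dsamain process (or closing its console) takes the copy offline immediately, and because the copy contains every password hash in the domain, TCP 5050 should be firewalled so that only the hosts doing the audit can reach it.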


Access and manage via Active Directory Users and Computers

  1. Start Active Directory Users and Computers by typing dsa.msc in the Run box. The isolated server deliberately has no management tools, so do this from a machine that has the AD DS tools installed.
  2. Select Change Domain Controller… from the menu.
  3. In the Change Directory Server dialog, select This Domain Controller or AD LDS instance.
  4. Click <Type a Directory Server name[:port] here>  as below


  5. Type the name of your server and port number as shown in the screenshot below.



  6. Click OK.

You are now connected to the backup copy of AD as mounted by dsamain, which you will see when you accept the connection:


Query Users in that ADDS instance

Get-ADUser -Identity adadmin -Properties * -Server <mounted_instance_ip>:5050
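A fuller audit pass over the mounted copy, as an added example that is not from the original post. It reaches the instance the same way the command above does (the ActiveDirectory module, with -Server in host:port form) and pulls two things an auditor typically wants from a point-in-time copy: the AdminSDHolder-protected accounts (adminCount=1) with their password age and last logon, and enabled accounts whose password never expires. It also includes a small plain-LDAP fallback built on System.DirectoryServices, because the ActiveDirectory module talks to a dsamain instance through the host's Active Directory Web Services (ADWS) rather than over port 5050 directly; if Get-ADRootDSE fails against localhost:5050, check that the ADWS service is running on the host and give it a minute to notice the new instance. localhost:5050 and the adadmin account name are assumptions.

```powershell
# Added example: audit queries against the mounted copy. Assumption: dsamain is listening on localhost:5050.
$server = 'localhost:5050'

# Plain-LDAP fallback that does not depend on ADWS: search the mounted copy directly over port 5050.
function Search-MountedLdap {
    param(
        [Parameter(Mandatory)][string]$Filter,
        [string[]]$Attributes = @('sAMAccountName', 'distinguishedName')
    )
    $rootDse = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$server/RootDSE")
    $baseDn  = $rootDse.Properties['defaultNamingContext'].Value
    $base    = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$server/$baseDn")
    $s = New-Object System.DirectoryServices.DirectorySearcher($base, $Filter, $Attributes)
    $s.PageSize = 1000          # paged results, so large domains do not hit the 1000-entry server limit
    foreach ($r in $s.FindAll()) {
        $o = [ordered]@{}
        foreach ($a in $Attributes) { $o[$a] = $r.Properties[$a.ToLower()] | Select-Object -First 1 }
        [pscustomobject]$o
    }
}

# ActiveDirectory module path (goes through ADWS on the host); -Server must be host:port for a non-default port.
$dn = (Get-ADRootDSE -Server $server).defaultNamingContext

# 1. AdminSDHolder-protected accounts as they were at backup time, with password age and last logon.
$privileged = Get-ADUser -Server $server -SearchBase $dn -LDAPFilter '(adminCount=1)' `
        -Properties pwdLastSet, lastLogonTimestamp |
    Select-Object SamAccountName, Enabled,
        @{ n = 'PwdLastSet'; e = { [datetime]::FromFileTime($_.pwdLastSet) } },
        @{ n = 'LastLogon';  e = { if ($_.lastLogonTimestamp) { [datetime]::FromFileTime($_.lastLogonTimestamp) } } }

# 2. Enabled users whose password never expires: UAC bit 0x10000 set, ACCOUNTDISABLE (0x2) clear.
#    1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule.
$neverExpires = Get-ADUser -Server $server -SearchBase $dn -LDAPFilter `
    '(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'

# 3. The single-account lookup from above, kept for comparison (adadmin is the post's example name).
$adadmin = Get-ADUser -Identity adadmin -Server $server -Properties *

$privileged   | Format-Table -AutoSize
$neverExpires | Select-Object SamAccountName, DistinguishedName | Format-Table -AutoSize

# The same "password never expires" question answered over raw LDAP, bypassing ADWS entirely:
Search-MountedLdap -Filter '(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))'
```

Because this is a copy frozen at backup time, the values are only as current as the backup; the useful audit is the diff between what the copy says and what the live domain says today (privileged accounts that appeared, passwords that were never rotated), not the snapshot on its own.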
