
Backup and Restore AD LDS with DSDBUTIL.exe

Active Directory Lightweight Directory Services (AD LDS) allows you to create a directory service that gives applications access to user accounts, groups, and authentication similar to Active Directory Domain Services.  The big advantage here is that the schema of the directory service is not bound by the rules of an Active Directory database.  Exchange 2007/2010, for example, uses an instance of AD LDS on the Edge Transport Server to provide for user authentication from the internet.  Because your Active Directory database is not exposed to the internet, this is more secure.

Applications will handle most of the dirty work should they require AD LDS.  You may want to make sure the database is being backed up and also have a restore plan in place.  Should the database become corrupt, the application that uses that database will fail.  This document will walk you through backing up and restoring an instance of AD LDS using the dsdbutil.exe command.

First off, we have an AD LDS instance called ContosoApplication.

Log into the server that is hosting the AD LDS instance with an account that has permissions to back up the AD LDS data.

Click Start, type cmd and press Enter.

Type dsdbutil and press Enter.

Now type activate instance <instance name> and press Enter.  In our example, the instance name is ContosoApp1.  The instance name was set when the instance itself was created.

Now type ifm and press Enter.

Type create full <location>, where <location> is the path and file name you wish to use for the backup. In this example, I used create full ContosoApp1Backup and pressed Enter.

Type quit and press Enter.  Do this again to exit dsdbutil.

Since a path was not specified for the backup location, it was stored at c:\Users\Administrator\ContosoApp1Backup since this was the account we were using during the backup.  In reality, you would use another location.  If you open this folder you will see the database file adamntds.dit.
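The backup steps above can also be run unattended. The script below is an added example, not part of the original article: it passes the same dsdbutil commands as arguments, then records a SHA-256 hash of adamntds.dit and restricts the backup folder to Administrators and SYSTEM, since the backup is a full copy of the directory database. The D:\ADLDSBackups location and the .sha256 file name are assumptions.

```powershell
# Added example: unattended AD LDS backup with an integrity record.
# Run from an elevated PowerShell prompt on the server hosting the instance.
$Instance   = 'ContosoApp1'          # instance name used in the article
$BackupRoot = 'D:\ADLDSBackups'      # assumed location; path must not contain spaces
$Target     = Join-Path $BackupRoot ("{0}_{1:yyyyMMdd_HHmmss}" -f $Instance, (Get-Date))

New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null

# The same commands typed interactively above, passed as arguments.
& dsdbutil.exe "activate instance $Instance" ifm "create full $Target" quit quit

# Judge success by the database file being present in the new folder.
$dit = Join-Path $Target 'adamntds.dit'
if (-not (Test-Path $dit)) { throw "Backup failed: $dit was not created" }

# Record a SHA-256 hash so the file can be checked before any restore.
$sha    = [System.Security.Cryptography.SHA256]::Create()
$stream = [System.IO.File]::OpenRead($dit)
try     { $hash = [BitConverter]::ToString($sha.ComputeHash($stream)) -replace '-', '' }
finally { $stream.Close() }
"$hash  adamntds.dit" | Set-Content (Join-Path $Target 'adamntds.dit.sha256')

# Drop inherited permissions; allow only Administrators (S-1-5-32-544)
# and SYSTEM (S-1-5-18) to read the backup.
& icacls.exe $Target /inheritance:r /grant:r '*S-1-5-32-544:(OI)(CI)F' '*S-1-5-18:(OI)(CI)F' | Out-Null

"Backup written to $Target (SHA-256 $hash)"
```

Keep a copy of the .sha256 file somewhere other than the backup folder, so that a change to the database cannot be hidden by changing the hash next to it.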

Let's now simulate some type of database corruption. I deleted the two user accounts of Jerry and Bert from the AD LDS instance using the ADSI Editor.

We are now going to restore the lost objects from our AD LDS instance.

Click Start. Type Services.msc and press Enter.
We need to stop the service that is running the instance of AD LDS we are about to restore.  Find ContosoApp1 in the list of services.  Right click it and select Stop.

We now need to delete the current database and log files of the AD LDS instance you wish to recover.  If the files are stored in the default location, they will be at %ProgramFiles%\Microsoft Adam\instance_name\data\adamntds.dit.  For our example we need to type del "c:\Program Files\Microsoft Adam\ContosoApp1\data\*.*" and press Enter.

Type Y and press Enter.


Next we need to copy the backed up data to this location.


xcopy /os C:\Users\Administrator\ContosoApp1Backup\adamntds.dit "%ProgramFiles%\Microsoft Adam\ContosoApp1\data\adamntds.dit"

When xcopy asks whether the destination is a file name or a directory name, type F.


Click Start. Type Services.msc and press Enter.

Right click ContosoApp1 and select Start.

Going back to ADSI Editor and doing a refresh, we see that our lost objects have been restored.
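The restore steps above as a script, added here as an example that is not part of the original article. It differs from the walkthrough in one way: instead of deleting the current database and log files, it moves them into a timestamped folder so the pre-restore state can still be examined or put back. Looking the service up by the display name ContosoApp1 and the "_replaced_" folder name are assumptions.

```powershell
# Added example: AD LDS restore that keeps the files it replaces.
# Run from an elevated PowerShell prompt on the server hosting the instance.
$Instance  = 'ContosoApp1'                                  # instance from the article
$BackupDir = 'C:\Users\Administrator\ContosoApp1Backup'     # backup folder from the article
$DataDir   = Join-Path $env:ProgramFiles "Microsoft Adam\$Instance\data"
$Aside     = "{0}_replaced_{1:yyyyMMdd_HHmmss}" -f $DataDir, (Get-Date)   # assumed name

# Refuse to touch the live instance unless the backup file is really there.
$src = Join-Path $BackupDir 'adamntds.dit'
if (-not (Test-Path $src)) { throw "No adamntds.dit found in $BackupDir" }

# Stop the instance's service and wait until it has fully stopped.
# Assumption: the service is listed under the instance name, as in Services.msc above.
$svc = Get-Service -DisplayName $Instance -ErrorAction Stop
Stop-Service -InputObject $svc
$svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))

# Move the current database and log files aside rather than deleting them.
New-Item -ItemType Directory -Path $Aside | Out-Null
Get-ChildItem -Path $DataDir | Move-Item -Destination $Aside

# Copy the backup into place with the article's xcopy /os command;
# the piped F answers xcopy's file-or-directory prompt.
$dst = Join-Path $DataDir 'adamntds.dit'
'F' | & xcopy.exe /os $src $dst
if (-not (Test-Path $dst)) { throw "Copy failed; previous files are in $Aside" }

Start-Service -InputObject $svc
"Restored $Instance from $BackupDir; previous files kept in $Aside"
```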


Comments

Unknown said…
Where can I download software like this one? I'm a bit confused on how to use it.
JM,

Active Directory Lightweight Directory Services (AD LDS) is a role on Windows Server 2008 and Windows Server 2008 R2. You merely need to go into your Server Manager, click Roles, and then click Add Roles. You will see AD LDS listed. Please visit the Microsoft website on AD LDS for more information.

http://technet.microsoft.com/en-us/library/cc755080(WS.10).aspx

http://technet.microsoft.com/en-us/library/cc754361(WS.10).aspx
dreamland said…
Hi Jason,

Nice work here ... :)
I need to do the same procedure but with a small change. I want to back up from one server and restore on another one. And on top of that the source AD LDS is a domain machine (not controller), the destination is not. The purpose is to be able to give developers the backup in order to restore it locally on their computers for testing.
The backup is fine, but after I restore it and go to ADSI Edit in the partition I don't see all the objects like on the source, for example the attributes are missing.
This is driving me mad ...

Any idea why ?

PS: Followed these links:

http://technet.microsoft.com/en-us/library/cc730941%28WS.10%29.aspx
http://technet.microsoft.com/en-us/library/cc770886%28WS.10%29.aspx

PPS: The source server is 2008 R1, destination is 2008 R2 or win7.
Dreamland,

Just curious, but are the missing objects anything that you pulled from ADDS, like an AD user or group?

Jason
Anonymous said…
What is the abbreviation of ifm?
IFM stands for "Install From Media".
