DSCT 1.1 – Restore from snapshot to Active Directory

April 14th, 2008 by Fredrik Lindström in Windows Server 2008

There is a new version of DSCT available which offers the following functionality

Displays differences between objects in Active Directory and snapshots (Windows Server 2008 feature)
Reanimate deleted objects
Restore attribute values from snapshots to Active directory

Download

A more recent version is available

Requirements

DSCT does not have to be installed on the same machine as an Active Directory DC, it can run on a separate machine.

Testing so far

x86 and x64 versions tested on Windows Server 2008 x64
Locally on a DC and on a separate (non domain joined) machine
Restore functionality has been tested on several attributes including ntSecurityDescriptor, multi-value attributes like member and more normal ones like givenName, sn, accountExpires, etc.
Reanimation functionality has been tested on users, groups and organizationalUnits.

Known issues with this release

GUI: Values for certain attribute types are not correctly displayed in DSCT. This is a GUI issue and does not affect the restore functionality. Values, whichever type they may be, are correctly read from the snapshot and written to the DC.
Restore: In a restore scenario there currently is no way to know which attributes are writable and which are not. SystemOnly attributes are grouped together visually since these can not be updated, at least not directly (you may try and be entertained by the error messages). Other attributes may appear as writeable from a security standpoint (as reported by allowedAttributesEffective), from a technical standpoint the story might look different. If a non-writable attribute is selected among one or more writeable ones during a restore the operation will fail and no values will be restored.
User rights requirements: Currently you need fairly high access rights in Active Directory (and the snapshot) to successfully make comparisons. It has successfully been tested with Domain Admin level rights. Restore functionality requires adequate access rights on the target object.
Recently created snapshots will appear to be more up to date than the Active Directory instance. DSCT has a workaround for this scenario. Read this post for further information.

Have fun!

3 Comments »

Maria Lundahl IT Pro Evangelist : Directory Services Comparison Tool #1 - Comment permalink April 18th, 2008 at 10:26 am

[...] mer på Fredriks blogginlägg om senaste versionen av verktyget, och hämta verktyget här: x86 [...]
Daniel Petri #2 - Comment permalink May 28th, 2008 at 7:54 pm

Hi Fredrik. I’d like to talk to you but I cannot find an email address or contact info anywhere on the site. Please give me a beep when you see this.

BTW, great tool!

Daniel
Fredrik Lindström #3 - Comment permalink May 30th, 2008 at 11:00 am

Thanks Daniel! I sent you an email, hopefully to the correct address.