BACKUP FUNCTIONALITY
We start by adding the backup functionality.
CREATING THE BACKUP
Open the command prompt as administrator.
Enter: wbadmin start systemstatebackup -backuptarget:
Wait for the backup to complete.
For an AD of several thousand objects, it takes about ten minutes.
BACKUP CONTROL
Go to the backup directory, in my case E:\WindowsImageBackup\NomServeur
Go to the Logs folder.
View the Backup_Error file.
With this log file, it is possible to generate alerts by either inspecting the size or the content.
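One way to automate that check, as an added PowerShell example that is not part of the original page. It assumes the error logs are named Backup_Error*, that backups run daily (the 26-hour staleness limit is an assumption), and it uses the log folder quoted above as its default path.

```powershell
# Added example (not from the original page): check the newest wbadmin error log.
param(
    # Log folder as given on the page; replace with your own backup target and server name.
    [string]$LogDir = 'E:\WindowsImageBackup\NomServeur\Logs',
    # Assumption: backups run daily, so a newest log older than this is treated as a missed run.
    [int]$MaxAgeHours = 26
)

function Test-BackupErrorLog {
    param([string]$LogDir, [int]$MaxAgeHours)

    # Helper that builds a uniform result object.
    $new = { param($status, $reason, $file)
        [pscustomobject]@{ Status = $status; Reason = $reason; File = $file } }

    if (-not (Test-Path -LiteralPath $LogDir -PathType Container)) {
        return & $new 'ALERT' "Log folder not found: $LogDir" $null
    }

    # Assumption: error logs are named Backup_Error*; take the most recent one.
    $latest = Get-ChildItem -LiteralPath $LogDir -Filter 'Backup_Error*' -File |
        Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if (-not $latest) {
        return & $new 'ALERT' 'No Backup_Error file found: backup may never have run' $null
    }

    # A backup that silently stopped running leaves no new error file, so check age too.
    $ageHours = [math]::Round(((Get-Date) - $latest.LastWriteTime).TotalHours, 1)
    if ($ageHours -gt $MaxAgeHours) {
        return & $new 'ALERT' "Newest log is $ageHours h old (limit $MaxAgeHours h)" $latest.FullName
    }

    # Content check: Get-Content decodes the file (BOM-aware); any non-blank text is an error.
    $text = Get-Content -LiteralPath $latest.FullName -Raw
    if ($text -and $text.Trim().Length -gt 0) {
        $firstLine = ($text.Trim() -split "`r?`n")[0]
        return & $new 'ALERT' "$($latest.Length) bytes of errors, first line: $firstLine" $latest.FullName
    }
    return & $new 'OK' 'Newest Backup_Error file is empty' $latest.FullName
}

$result = Test-BackupErrorLog -LogDir $LogDir -MaxAgeHours $MaxAgeHours
$result | Format-List
# Non-zero exit code lets Task Scheduler or a monitoring agent raise the alert.
if ($result.Status -ne 'OK') { exit 1 }
```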
LIST AVAILABLE BACKUPS
Open the command prompt as administrator.
Enter: wbadmin get versions
LIST THE CONTENTS OF BACKUPS
Open the command prompt as administrator.
Enter: wbadmin get items -version:Versionidentifier
We can see that our backup includes the Active Directory application and the ntds component, which allows a granular restoration of objects.
As we made a backup of the system state, it is possible to restore the AD server completely via DSRM.
NTDS RESTORE
Open the command prompt as administrator.
Enter: wbadmin start recovery -version:03/22/2022-19:43 -itemtype:App -items:AD -recoverytarget:E:\Restore\
If we go to the restore folder, we can see that the ntds file is restored.
OPENING THE NTDS FILE
To read the ntds file we will mount it using the dsamain command.
Open the command prompt as administrator.
Enter: dsamain -dbpath "E:\Restore\Active Directory\ntds\ntds.dit" -ldapport 2000
The port number is arbitrary; just choose one that is not already in use on the system to avoid conflicts.
Open "Active Directory Users and computers".
Select "Change domain controller".
Enter the restore information previously provided.
The file is now readable, but not directly restorable. It can, however, be used to compare how accounts have changed over time.
RESTORATION VIA EXPORT
In order to restore one or more accounts we will use the LDIFDE utility.
Open the command prompt as administrator.
Enter: ldifde -f E:\Restore\exportLEOLA.ldf -s localhost:2000 -r "CN=LEOLA_VALENTINE" -m
As with every restoration, we will make the account inactive before re-importing it.
Open the file "exportLEOLA.ldf".
Edit the line "userAccountControl: ".
Assign value 514 (512 for a normal account plus 2 for a disabled account).
Open the command prompt as administrator.
Enter: ldifde -i -f E:\Restore\exportLEOLA.ldf
Now all that remains is to change the account password, because this type of restoration generates an account without a password.
BACKUP FUNCTIONALITY LIMITATIONS
Can be complicated to use in case of major restoration.
Does not save all object attributes.
Requires adding backup functionality.
ADVANTAGES OF THE BACKUP FEATURE
Allows the restoration of objects on the same AD or another (useful in the event of an incident).
Allows full AD recovery via DSRM mode.