Dsdbutil is a command-line tool that is built into Windows Server. It is available if you have the AD LDS server role installed. Can be used as a command line utility to export Active Directory.
-
dsdbutil supports VSS snapshot creation
dsdbutil.exe "activate instance ntds" "snapshot" "create" "quit" "quit"
- Use case
- Snapshoting of Active Directory NTDS.dit database
- Privileges required
- Administrator
- Operating systems
- Windows Server 2012, Windows Server 2016, Windows Server 2019
- ATT&CK® technique
- T1003.003
-
Mounting the snapshot with its GUID
dsdbutil.exe "activate instance ntds" "snapshot" "mount {GUID}" "quit" "quit"
- Use case
- Mounting the snapshot to access the ntds.dit with copy c:\[Snap Volume]\windows\ntds\ntds.dit c:\users\administrator\desktop\ntds.dit.bak
- Privileges required
- Administrator
- Operating systems
- Windows Server 2012, Windows Server 2016, Windows Server 2019
- ATT&CK® technique
- T1003.003
-
Deletes the mount of the snapshot
dsdbutil.exe "activate instance ntds" "snapshot" "delete {GUID}" "quit" "quit"
- Use case
- Deletes the snapshot
- Privileges required
- Administrator
- Operating systems
- Windows Server 2012, Windows Server 2016, Windows Server 2019
- ATT&CK® technique
- T1003.003
-
Mounting with snapshot identifier
dsdbutil.exe "activate instance ntds" "snapshot" "create" "list all" "mount 1" "quit" "quit"
- Use case
- Mounting the snapshot identifier 1 and accessing it with with copy c:\[Snap Volume]\windows\ntds\ntds.dit c:\users\administrator\desktop\ntds.dit.bak
- Privileges required
- Administrator
- Operating systems
- Windows Server 2012, Windows Server 2016, Windows Server 2019
- ATT&CK® technique
- T1003.003
-
Deletes the mount of the snapshot
dsdbutil.exe "activate instance ntds" "snapshot" "list all" "delete 1" "quit" "quit"
- Use case
- deletes the snapshot
- Privileges required
- Administrator
- Operating systems
- Windows Server 2012, Windows Server 2016, Windows Server 2019
- ATT&CK® technique
- T1003.003