Extracting the NTDS database and SYSTEM hive from a shadow copy

It's a good idea to first list any existing shadow copies with vssadmin List Shadows. Sometimes, shadow copies are being created regularly and having a recent snapshot means you can jump ahead to copying out the database and hive. This makes stealth slightly easier. Assuming none exist (or they're old), run the CMD prompt as an Administrator and create a shadow copy for the C: drive:

> vssadmin Create Shadow /For=C:

You'll see the following confirmation:

Make a note of the shadow copy volume name, as you'll need to refer to it during the copy operation. You'll just use good ol'-fashioned copy for this, substituting what you'd normally call C: with \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1. The NTDS database is stored in the NTDS directory under Windows, and you'll find SYSTEM inside the system32\config folder. You can place the files wherever you want; it's a temporary location as you prepare to exfiltrate them. You should consider how you'll be getting them off the domain controller, though. For example, if there's a shared folder that you can access across the network, that'll be an ideal spot to place them:

> copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit c:
> copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\system32\config\SYSTEM c:

Again, here's the confirmation:
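The sequence above (vssadmin creating a shadow, then copy reading NTDS.dit and SYSTEM through a HarddiskVolumeShadowCopy path) leaves a distinctive trail in process-creation telemetry. The snippet below is an added example, not from the original text, showing how a defender might flag those command lines; the Sysmon-style field names (Image, CommandLine) and the sample events are constructed for this example.

```python
import re

# Constructed process-creation records in the shape of Sysmon Event ID 1 fields.
# These are invented for this example, not captured log data.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin Create Shadow /For=C:"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit c:"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\system32\config\SYSTEM c:"},
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin List Shadows"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"copy C:\Users\jsmith\report.docx \\fileserver\share\report.docx"},
]

# Rule 1: an on-demand shadow copy being created (listing shadows alone is benign admin activity).
SHADOW_CREATE = re.compile(r"vssadmin(\.exe)?\s+create\s+shadow", re.IGNORECASE)
# Rule 2: any access through the raw shadow-copy device path.
SHADOW_PATH = re.compile(r"HarddiskVolumeShadowCopy\d+", re.IGNORECASE)
# Rule 3: the two credential-bearing files this technique targets.
CRED_STORE = re.compile(r"ntds\.dit|system32\\config\\system", re.IGNORECASE)


def classify(event):
    """Return the list of rule tags that one process-creation event triggers."""
    cmd = event.get("CommandLine", "")
    tags = []
    if SHADOW_CREATE.search(cmd):
        tags.append("shadow_copy_created")
    if SHADOW_PATH.search(cmd):
        tags.append("shadow_copy_path_access")
        # Reading NTDS.dit or SYSTEM out of a shadow copy is the high-confidence signal;
        # the shadow path alone may be legitimate backup tooling.
        if CRED_STORE.search(cmd):
            tags.append("credential_store_from_shadow")
    return tags


def scan(events):
    """Return (index, tags) for every event that triggered at least one rule."""
    hits = []
    for i, event in enumerate(events):
        tags = classify(event)
        if tags:
            hits.append((i, tags))
    return hits


if __name__ == "__main__":
    for index, tags in scan(SAMPLE_EVENTS):
        print(f"event {index}: {', '.join(tags)} :: {SAMPLE_EVENTS[index]['CommandLine']}")
```

Correlating a shadow_copy_created event with a credential_store_from_shadow event from the same host within a short window is the pairing that separates this technique from routine backup activity.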
