Backup & Restore Active Directory integrated DNS zones

DNS is one of the core components for Active Directory Domain Services. In a disaster scenario, it becomes impossible to locate resources within the network and all AD operations come to a screeching halt. Therefore, it’s absolutely necessary to restore the DNS servers. One way to set this right is by performing an AD DS authoritative restore by using Microsoft’s preferred method for backing up a DNS server by performing a system state backup. That process is a time-consuming and a complex process in which the domain controllers must be restarted for the changes to take effect also you will also end up restoring the Registry, Active Directory database and a number of other components. Eventually, it leads to increased downtime, which impacts productivity.

Luckily, it’s possible to back up a DNS server independently using PowerShell.

Backup:

For AD integrated zones, the support tool dnscmd.exe can get the job done. To back up any DNS zone with dnscmd.exe, you just need to use the /zoneexport switch with the command. To back up the Zone1.com zone locally on a DNS server, you’d run the below command on the DNS server:

where DC1 is DNS server name, This command writes a copy of the Zone1.com zone to the %systemroot%\system32\dns\backup\Zone1.com.dns.bak file.

Note that the command doesn’t overwrite existing files, so if you’re including it with a backup script, be sure to move the file to an alternate location after the export completes, or to rename or delete the current backup file before you run a new dnscmd /zoneexport job.

PowerShell Script to backup DNS:

Restore:

Make sure the zone does not exist on DNS manager as it will give an error. If you need to re-create a new zone from the export file, you’ll find that you can do this by using dnscmd.exe with the /zoneadd switch. The only catch with this approach is that if you’re looking to recover an AD-integrated zone, you need to add the zone as a primary first and then convert it to AD-integrated. For example, to recover my Zone1.com zone:

Note that the backup file needs to reside in the %systemroot%\system32\dns folder for it to be properly discovered.

The /load switch to tell the command to load the configuration from the existing file. Without it, the command will create a new zone data file that will overwrite the contents of the backup file.

After adding the zone to the DNS server, you can convert it to an AD-integrated zone by running:

At this point, you can then enable secure dynamic updates for the zone by running:

This command configures the zone to accept only secure dynamic updates, as specified by the allowupdate value of 2 (use 0 to specify No dynamic updates, 1 for nonsecure and secure dynamic updates).

PowerShell Script to restore DNS:

Note that this script will work to “recreate” a DNS zone. If the zone you are trying to restore is still present on the DNS Server, the dnscmd.exe utility will return a warning information telling you that the zone already exists. You might need to delete the zones before restoring them.