Oops, our AD Integrated DNS zones are missing in Windows 2003!

I have had several cases where a customer has had their Active Directory-integrated DNS zones deleted, and the change replicated out to all their DNS servers before they caught the deletion. This can be a huge problem, but luckily with a system state backup we can recover this data easily.

The most important thing to know is whether the deleted zone was stored in the Forest-wide or the Domain-wide DNS application partition. This matters because the data for each is stored in a different Active Directory partition. Since we want to do an authoritative restore for only the DNS information we need, and not for every object in the system state, we will have to specify which partition (and which subtree within it) to mark as authoritative after we restore the system state.

I recommend documenting all your DNS zone information so that you know how each zone is set up, which partition it replicates in, and what delegations are assigned to the zone.

To restore your DNS partition:

Reboot the server in Directory Services Restore Mode by pressing F8 when booting and selecting that option from the menu. Then select Windows Server 2003.

While in Restore Mode, the machine will not replicate AD objects. This is important since we don’t want the system state information we restore to get immediately overwritten by replication from another domain controller.

Log on to the server locally.

Open the backup program.

Restore the system state to its original location. This will be a non-authoritative restore, so any newer objects in Active Directory will overwrite the restored objects. We will specify what to restore authoritatively later on.

Once the restore is complete, open a command prompt.

From the command prompt, start ntdsutil and type the following (the "authoritative restore" and "restore subtree" commands are ntdsutil commands):

ntdsutil

authoritative restore

restore subtree "dc=DeletedZone.com,cn=MicrosoftDNS,dc=forestDNSZones,dc=contoso,dc=com"

(This would restore a Forest Integrated zone named DeletedZone.com in the Contoso.com forest. For a Domain integrated zone you would replace forestDNSZones with domainDNSZones.)

You should get a message that the Authoritative Restore completed successfully.

After that, reboot the server into normal mode and let AD replicate. The restored objects carry a higher version number, so replication adds the zone back to all your DNS servers instead of deleting it again.
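The two things this procedure depends on are knowing which partition each zone lives in (the documentation step above) and building the right subtree DN for ntdsutil. The following is an added example, not part of the original post: it parses a constructed `dnscmd /enumzones` listing and derives the `restore subtree` DN for each AD-integrated zone. The domain and forest-root DNs, and the exact Storage column values, are assumptions for the example.

```python
# Added example (not from the original post): inventory AD-integrated zones from
# constructed `dnscmd /enumzones` output and derive the ntdsutil "restore subtree"
# DN for each, so the partition is documented before anything is deleted.
import re

# Constructed sample, modelled on the `dnscmd /enumzones` table layout (assumption:
# the Storage column reads AD-Forest, AD-Domain, AD-Legacy or File).
SAMPLE_ENUMZONES = """\
Enumerated zone list:
        Zone count = 4

 Zone name                      Type       Storage         Properties

 .                              Cache      AD-Domain
 _msdcs.contoso.com             Primary    AD-Forest       Secure
 contoso.com                    Primary    AD-Domain       Secure Aging
 legacy.contoso.com             Primary    AD-Legacy       Secure
 branch.contoso.com             Primary    File
"""

DOMAIN_DN = "DC=contoso,DC=com"        # domain hosting this DNS server (assumption)
FOREST_DN = "DC=contoso,DC=com"        # forest root domain (assumption)

def parse_enumzones(text):
    """Return {zone: storage} for real zones, skipping the cache pseudo-zone."""
    zones = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\S+)\s+(Primary|Secondary|Stub|Forwarder)\s+(\S+)", line)
        if m:
            zones[m.group(1)] = m.group(3)
    return zones

def restore_subtree_dn(zone, storage, domain_dn=DOMAIN_DN, forest_dn=FOREST_DN):
    """Map a zone's storage to the DN ntdsutil needs for an authoritative restore."""
    if storage == "AD-Forest":
        partition = f"DC=ForestDnsZones,{forest_dn}"
    elif storage == "AD-Domain":
        partition = f"DC=DomainDnsZones,{domain_dn}"
    elif storage == "AD-Legacy":      # Windows 2000-style storage in the domain NC
        partition = f"CN=System,{domain_dn}"
    else:
        return None                   # file-backed zone: restore the file, not AD
    return f"DC={zone},CN=MicrosoftDNS,{partition}"

def document_zones(text):
    return {z: restore_subtree_dn(z, s) for z, s in parse_enumzones(text).items()}

if __name__ == "__main__":
    for zone, dn in document_zones(SAMPLE_ENUMZONES).items():
        print(f"{zone:<22} {dn or 'file-backed (no AD partition)'}")
```

Run it against the real `dnscmd /enumzones` output on each DNS server and keep the result with your backup notes, since the DN for a domain-wide zone depends on which domain hosts the server.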

Here are some references on restoring Active Directory objects:

http://technet2.microsoft.com/windowsserver/en/library/aec8cc76-c345-4cb6-83d9-b6009ba5d8801033.mspx?mfr=true Performing a Nonauthoritative Restore of a Domain Controller

http://technet2.microsoft.com/windowsserver/en/library/690730c7-83ce-4475-b9b4-46f76c9c7c901033.mspx?mfr=true Mark the object or objects authoritative