How to prevent accidental DNS Zone deletions in Windows Server

My name is Ajay Sarkaria and I am a Supportability Program Manager at Microsoft. We have been seeing support volumes where administrators, while performing daily tasks, accidentally delete a DNS zone that is being used in production.

This post comes with inputs from our friends in the Microsoft PFE team: Brent Whitlow, Bryan Zink, Michael Hildebrand and Eric Jansen.

Note: After you follow the steps below, you will not be able to delete the DNS zone, or change its replication scope, until you first remove the protection from accidental deletion. Changing the replication scope moves the zone object to a different directory partition, which involves deleting it from the partition it is currently in, so the same protection blocks that operation too.

Example screenshot if trying to delete from Active Directory Users and Computers:

DNS_Zone_Deletion1

"You do not have sufficient permissions to delete DNS_Zone_Name, or this object is protected from accidental deletion"

OR

Example screenshot if trying to delete from the DNS Manager:

DNS_Zone_Deletion2

The zone cannot be deleted.
Access was denied

If you try to change the scope of replication with the protection enabled, you will see a message similar to the below:

DNS_Zone_Deletion3

The replication scope could not be set. For more information, see “DNS zone replication in Active Directory” in Help and Support. The error was:

Access was denied.

 

Now I am going to highlight the steps an administrator can perform to prevent such accidental deletions in the first place. If you remember, Active Directory has a great feature that prevents accidental deletion of Organizational Units by setting a single flag on the object. We are going to use the same mechanism to prevent accidental DNS zone deletions.

Important: As with any changes, you should always exercise caution and test things out in a lab BEFORE implementing any changes to your production environment.

Once you have a lab set up to test the changes first, let's protect the DNS zones from accidental deletion. There are a couple of ways to do this, depending on where the zone is stored.

DNS Zones stored in the Domain Partition:

Doing it from the Active Directory Users & Computers MMC:

  1. In Active Directory Users and Computers, enable View \ Advanced Features (the System container and the Object tab are hidden otherwise), then browse to Domain Name \ System \ MicrosoftDNS \ DNS Zone name
  2. Right-click the zone and select Properties
  3. Select the Object tab and check "Protect object from accidental deletion"

DNS_Zone_Deletion4

Note: The above flag is only visible in Active Directory Users and Computers if the DNS zone is stored in the domain partition. You can check where your DNS zone is stored in the DNS Manager UI (zone Properties, General tab, Replication). As an example, the screenshot below shows the replication scope set to "All domain controllers in this domain (for Windows 2000 compatibility)", which is the domain partition.

DNS_Zone_Deletion5

PowerShell (replace DC=domain,DC=lab with the distinguished name of your domain; the ForestDnsZones partition lives under the forest root domain):

  • Enumerate all DNS zones not protected from deletion in the domain partition:

    Get-ADObject -Filter 'ObjectClass -like "dnszone"' -SearchScope Subtree -SearchBase "CN=MicrosoftDNS,CN=System,DC=domain,DC=lab" -Properties ProtectedFromAccidentalDeletion | Where-Object {$_.ProtectedFromAccidentalDeletion -eq $False} | Select-Object Name,ProtectedFromAccidentalDeletion | Out-GridView

  • Set the protect from accidental deletion flag:

    Get-ADObject -Filter 'ObjectClass -like "dnszone"' -SearchScope Subtree -SearchBase "CN=MicrosoftDNS,CN=System,DC=domain,DC=lab" -Properties ProtectedFromAccidentalDeletion | Where-Object {$_.ProtectedFromAccidentalDeletion -eq $False} | Set-ADObject -ProtectedFromAccidentalDeletion $true

DNS Zones stored in the domain-wide application partition (DomainDnsZones):

  • Enumerate all DNS zones not protected from deletion in the domain application partition:

    Get-ADObject -Filter 'ObjectClass -like "dnszone"' -SearchScope Subtree -SearchBase "DC=DomainDnsZones,DC=domain,DC=lab" -Properties ProtectedFromAccidentalDeletion | Where-Object {$_.ProtectedFromAccidentalDeletion -eq $False} | Select-Object Name,ProtectedFromAccidentalDeletion | Out-GridView

  • Set the protect from accidental deletion flag:

    Get-ADObject -Filter 'ObjectClass -like "dnszone"' -SearchScope Subtree -SearchBase "DC=DomainDnsZones,DC=domain,DC=lab" -Properties ProtectedFromAccidentalDeletion | Where-Object {$_.ProtectedFromAccidentalDeletion -eq $False} | Set-ADObject -ProtectedFromAccidentalDeletion $true

DNS Zones stored in the forest-wide application partition (ForestDnsZones):

  • Enumerate all DNS zones not protected from deletion in the forest-wide application partition:

    Get-ADObject -Filter 'ObjectClass -like "dnszone"' -SearchScope Subtree -SearchBase "DC=ForestDnsZones,DC=domain,DC=lab" -Properties ProtectedFromAccidentalDeletion | Where-Object {$_.ProtectedFromAccidentalDeletion -eq $False} | Select-Object Name,ProtectedFromAccidentalDeletion | Out-GridView

  • Set the protect from accidental deletion flag:

    Get-ADObject -Filter 'ObjectClass -like "dnszone"' -SearchScope Subtree -SearchBase "DC=ForestDnsZones,DC=domain,DC=lab" -Properties ProtectedFromAccidentalDeletion | Where-Object {$_.ProtectedFromAccidentalDeletion -eq $False} | Set-ADObject -ProtectedFromAccidentalDeletion $true

Check the protect from accidental deletion flag (these list the zones that are now protected):

  • Forest-wide application partition:

    Get-ADObject -Filter 'ObjectClass -like "dnszone"' -SearchScope Subtree -SearchBase "DC=ForestDnsZones,DC=domain,DC=lab" -Properties ProtectedFromAccidentalDeletion | Where-Object {$_.ProtectedFromAccidentalDeletion -eq $True} | Select-Object Name,ProtectedFromAccidentalDeletion | Out-GridView

  • Domain-wide application partition:

    Get-ADObject -Filter 'ObjectClass -like "dnszone"' -SearchScope Subtree -SearchBase "DC=DomainDnsZones,DC=domain,DC=lab" -Properties ProtectedFromAccidentalDeletion | Where-Object {$_.ProtectedFromAccidentalDeletion -eq $True} | Select-Object Name,ProtectedFromAccidentalDeletion | Out-GridView

  • Domain partition:

    Get-ADObject -Filter 'ObjectClass -like "dnszone"' -SearchScope Subtree -SearchBase "CN=MicrosoftDNS,CN=System,DC=domain,DC=lab" -Properties ProtectedFromAccidentalDeletion | Where-Object {$_.ProtectedFromAccidentalDeletion -eq $True} | Select-Object Name,ProtectedFromAccidentalDeletion | Out-GridView
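The three enumerate/set/verify pairs above are the same operation against three search bases. The script below, which is an added example for this page and not code from the original post, runs that procedure in one pass: it derives the partition DNs from Get-ADDomain and Get-ADForest instead of a hard-coded DC=domain,DC=lab, queries a domain controller that actually hosts each application partition (DomainDnsZones and ForestDnsZones only replicate to DCs running DNS, so a DC picked at random may not have them), supports -WhatIf so you can review the change list in the lab first, and re-reads the flag after setting it. The -Server parameter, the Resolve-ZoneServer helper and the PDC-emulator fallback are this example's own assumptions; the script assumes the ActiveDirectory (RSAT) module and rights to modify the zone objects' ACLs.

```powershell
<#
  Added example, not from the original post: protect every AD-integrated DNS
  zone in all three storage locations and report the result.
  Usage:  .\Protect-DnsZones.ps1 -WhatIf    (report only, changes nothing)
          .\Protect-DnsZones.ps1            (apply, after testing in a lab)
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Optional DC to query for every partition. If omitted, a DC hosting each
    # partition is chosen automatically (assumption: Resolve-ZoneServer below).
    [string]$Server
)

Import-Module ActiveDirectory -ErrorAction Stop

$domain     = Get-ADDomain
$forestRoot = Get-ADDomain -Identity (Get-ADForest).RootDomain

# The three places an AD-integrated zone can live, keyed by replication scope.
# Each entry names the partition (naming context) and the search base used
# in the post for that scope.
$targets = @(
    @{ Scope         = 'Legacy (all DCs in this domain, domain partition)'
       NamingContext = $domain.DistinguishedName
       SearchBase    = "CN=MicrosoftDNS,CN=System,$($domain.DistinguishedName)" }
    @{ Scope         = 'Domain (all DNS servers in this domain)'
       NamingContext = "DC=DomainDnsZones,$($domain.DistinguishedName)"
       SearchBase    = "DC=DomainDnsZones,$($domain.DistinguishedName)" }
    @{ Scope         = 'Forest (all DNS servers in this forest)'
       NamingContext = "DC=ForestDnsZones,$($forestRoot.DistinguishedName)"
       SearchBase    = "DC=ForestDnsZones,$($forestRoot.DistinguishedName)" }
)

# Application partitions are only replicated to DCs that run DNS, so pick a DC
# whose hosted partition list contains the one we want to search.
function Resolve-ZoneServer {
    param([string]$NamingContext)
    if ($Server) { return $Server }
    $dc = Get-ADDomainController -Filter * |
          Where-Object { $_.Partitions -contains $NamingContext } |
          Select-Object -First 1
    if ($dc) { return $dc.HostName }
    # Assumption for this example: fall back to the PDC emulator.
    return $domain.PDCEmulator
}

$report = foreach ($t in $targets) {
    $dc = Resolve-ZoneServer -NamingContext $t.NamingContext
    try {
        # Built-in entries such as RootDNSServers or ..TrustAnchors may also
        # appear here; protecting them along with real zones is harmless.
        $zones = Get-ADObject -Server $dc -SearchBase $t.SearchBase -SearchScope Subtree `
                     -Filter 'objectClass -eq "dnsZone"' `
                     -Properties ProtectedFromAccidentalDeletion -ErrorAction Stop
    }
    catch {
        Write-Warning "Skipping '$($t.Scope)' on $dc : $($_.Exception.Message)"
        continue
    }

    foreach ($zone in $zones) {
        $action = 'already protected'
        if (-not $zone.ProtectedFromAccidentalDeletion) {
            $action = 'would protect'          # what -WhatIf reports
            if ($PSCmdlet.ShouldProcess($zone.DistinguishedName, 'Protect from accidental deletion')) {
                Set-ADObject -Server $dc -Identity $zone -ProtectedFromAccidentalDeletion $true
                # Re-read from the same DC so the report reflects the stored state,
                # not just that the call returned without error.
                $after  = Get-ADObject -Server $dc -Identity $zone -Properties ProtectedFromAccidentalDeletion
                $action = if ($after.ProtectedFromAccidentalDeletion) { 'protected' } else { 'FAILED' }
            }
        }
        [pscustomobject]@{
            Scope  = $t.Scope
            Zone   = $zone.Name
            Server = $dc
            Action = $action
        }
    }
}

$report | Format-Table -AutoSize
```

Run it with -WhatIf first and compare the "would protect" rows against the zones you expect; anything that shows up in a scope you did not expect is worth a look in DNS Manager (Get-DnsServerZone from the DnsServer module reports the same thing in its ReplicationScope property, whose Legacy, Domain and Forest values correspond to the three search bases). A "FAILED" row means Set-ADObject returned but the flag did not stick, which in practice means the account lacks the right to modify the zone object's ACL: the flag is implemented as Deny ACEs for Everyone (Delete and Delete Subtree) on the object, which you can inspect with Get-Acl on the zone's DN through the AD: drive.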