Active Directory: Have you backed up your Domain Name System (DNS) today?

Have you ever backed up your Domain Name System (DNS) zones independently of the traditional system state backup of your domain controllers? No?  So if you lose a zone you are doing a full Active Directory restore? Yep.  Oh, OK.

Um, why?  Isn’t that kind of extreme?  Let’s make this a little simpler, OK?

Active Directory is one hundred percent dependent on the Domain Name System (DNS): clients and domain controllers find each other through the SRV records in the domain zone.  So it is critical that you back up your DNS zones on a regular basis.  The most common method is a system state backup of a domain controller, which does capture an Active Directory integrated zone because the zone data lives inside the directory database.  Although this technique works, it is all-or-nothing.  If you are having DNS problems, what do you do?  You restore the whole system state, which includes the Registry, the Active Directory database, etc.  Additionally, there is no readable file to review when a single name and IP combination is lost.  It is simply all or nothing.

How about a better way for those times when you don’t want to blow up the current domain?

Backing up an Active Directory integrated zone takes just one more step than the traditional DNS backup, where you simply copy the zone's .dns file.  It is still simple.  Do it.  It is worth it.  Really.

How?  Two simple steps.  Export the zone, then back up the export file.  Yep, that is it.  Use the following command to do it.

dnscmd /ZoneExport FQDN_of_zonename  backup\Zone_export_file

dnscmd /ZoneExport AD.lab  backup\AD.lab.dns.bak

dnscmd WS12-DC01 /ZoneExport AD.lab  backup\AD.lab.dns.bak

The first line is the syntax.  The second command exports the zone AD.lab from the local DNS server to a file called AD.lab.dns.bak; the file path is relative to %SystemRoot%\System32\Dns, so the export lands in %SystemRoot%\System32\Dns\Backup.  The third command exports the same zone from the DNS server WS12-DC01 to a file of the same name in that folder on WS12-DC01.  Be aware that the export will not overwrite a previous export of the same name; it fails with an error instead, so rename or remove the old file, or put a date in the file name.  Two more things to remember: the _msdcs zone for the forest root is normally a separate Active Directory integrated zone, so export it too; and the export file is written on the DNS server itself, so copy it off the domain controller into your regular backup or it disappears together with the server.
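The same export, done for every Active Directory integrated zone on a server at once, as an added PowerShell example that is not part of the original post.  It uses the DnsServer module (Windows Server 2012 or later) rather than dnscmd, date-stamps each file so the no-overwrite rule never bites, records the live record count and a SHA-256 hash in a manifest, and copies everything off the domain controller.  The server name WS12-DC01 is the one from the post; the share \\backup01\dns is an assumed destination.

```powershell
# Added example (not from the original post): export every AD-integrated zone on a
# DNS server to a date-stamped file, write a manifest, and copy the files off-box.
# Requires the DnsServer module (RSAT-DNS-Server or a DNS server running 2012+).
# Assumed names: DNS server WS12-DC01 (from the post) and the share \\backup01\dns.
param(
    [string]$DnsServer   = 'WS12-DC01',
    [string]$OffBoxStore = '\\backup01\dns'
)
$ErrorActionPreference = 'Stop'
Import-Module DnsServer

$stamp = Get-Date -Format 'yyyyMMdd-HHmm'

# Export-DnsServerZone writes relative to %SystemRoot%\System32\Dns on the DNS
# server; the backup subfolder exists there by default.  Reach it via admin$.
$dnsRoot  = "\\$DnsServer\admin`$\System32\Dns"
$manifest = @()

# Only AD-integrated zones need an export; file-backed zones are plain files.
# Skip the auto-created zones (0.in-addr.arpa and friends).
$zones = Get-DnsServerZone -ComputerName $DnsServer |
    Where-Object { $_.IsDsIntegrated -and -not $_.IsAutoCreated }

foreach ($zone in $zones) {
    $name = $zone.ZoneName
    # Date-stamped name: the export refuses to overwrite an existing file.
    $relFile = "backup\$name.$stamp.dns.bak"

    # Live record count, kept in the manifest so a restore can be checked later.
    $recordCount = (Get-DnsServerResourceRecord -ZoneName $name -ComputerName $DnsServer |
        Measure-Object).Count

    Export-DnsServerZone -Name $name -FileName $relFile -ComputerName $DnsServer

    $localPath = Join-Path $dnsRoot $relFile
    if (-not (Test-Path $localPath)) {
        throw "Export of $name produced no file at $localPath"
    }
    $hash = (Get-FileHash -Path $localPath -Algorithm SHA256).Hash

    # Off-box copy: a backup that lives only on the DC dies with the DC.
    Copy-Item -Path $localPath -Destination $OffBoxStore

    $manifest += [pscustomobject]@{
        Zone        = $name
        Replication = $zone.ReplicationScope
        Records     = $recordCount
        File        = Split-Path $relFile -Leaf
        Sha256      = $hash
    }
}

$manifestPath = Join-Path $OffBoxStore "manifest.$stamp.csv"
$manifest | Export-Csv -Path $manifestPath -NoTypeInformation
$manifest | Format-Table -AutoSize
```

Run it as a scheduled task under an account that is a member of DnsAdmins and can write to the share.  The manifest matters as much as the export: the replication scope tells you how to convert the zone back, and the record count and hash let you prove, before you delete anything, that the file you are about to load is the one you saved.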

Oh, you want to know how to restore?  Well, it will replace the whole zone, so be careful.  Traditionally you do this after the zone is gone.  Check the tech tip for the steps for a basic restore.

Well, first off, validate that you have a current system state backup and a backup of the zone.  The system state is your fallback in case the zone export itself turns out to be corrupt.  Remember, your backup procedures should include testing any process in the lab before doing it in live production.  Then delete the current corrupt zone.  Then restore the zone from the export.

Now we go through these commands.

XCOPY %SystemRoot%\System32\Dns\Backup\AD.lab.dns.bak %SystemRoot%\System32\Dns\AD.lab.dns.bak

DNSCMD /zoneadd AD.lab  /primary /file AD.lab.dns.bak /load

DNSCMD /zoneresettype AD.lab  /dsprimary

DNSCMD /config AD.lab /allowupdate 2

The XCOPY copies the export back into the DNS folder (when XCOPY asks whether the destination is a file or a directory, answer F).  The first DNSCMD command loads the file as a standard primary zone.  The second converts the zone to Active Directory integrated DNS; from there the new zone replicates to the other domain controllers, so check that the replication scope (the /dp option of /zoneresettype) matches what the old zone used.  The last restricts dynamic updates to secure updates only.  Oh, and you are now done.  If you had specialized security on the zone or on individual records, a zone file carries no permissions, so it is time to rebuild that as well, if you need it.
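The restore procedure above, with the pre-flight and post-flight checks wrapped around it, as an added PowerShell example that is not part of the original post.  It uses the DnsServer cmdlets that correspond to the dnscmd steps (remove the corrupt zone, load the export as a file-backed primary, convert it back to Active Directory integrated, restrict updates to secure only) and supports -WhatIf so the run can be rehearsed.  The backup file name, the share \\backup01\dns and the manifest values passed in as parameters are assumptions; the zone name AD.lab is the one from the post.

```powershell
# Added example (not from the original post): restore the AD-integrated zone AD.lab
# from an exported zone file, with checks before and after.  Run on a domain
# controller that hosts DNS.  Backup path, hash and record count are assumed
# inputs (the hash and count would come from a manifest written at export time).
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$Zone             = 'AD.lab',
    [string]$BackupFile       = '\\backup01\dns\AD.lab.20240101-0200.dns.bak',
    [string]$ExpectedSha256   = '',        # from the export manifest, if known
    [int]   $ExpectedRecords  = 0,         # from the export manifest, if known
    [string]$ReplicationScope = 'Domain'   # must match what the old zone used
)
$ErrorActionPreference = 'Stop'
Import-Module DnsServer

# Pre-flight: the file exists, matches its hash, and looks like a zone export.
if (-not (Test-Path $BackupFile)) { throw "Backup file not found: $BackupFile" }
if ($ExpectedSha256) {
    $actual = (Get-FileHash -Path $BackupFile -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256) { throw "Hash mismatch for $BackupFile" }
}
if (-not (Select-String -Path $BackupFile -Pattern '\bSOA\b' -Quiet)) {
    throw "$BackupFile contains no SOA record; not a usable zone export"
}

# The zone loads from a file under %SystemRoot%\System32\Dns, so copy it there.
$dnsDir       = Join-Path $env:SystemRoot 'System32\Dns'
$zoneFileName = "$Zone.dns"
Copy-Item -Path $BackupFile -Destination (Join-Path $dnsDir $zoneFileName) -Force

if ($PSCmdlet.ShouldProcess($Zone, 'Delete the existing zone and reload it from the export')) {
    if (Get-DnsServerZone -Name $Zone -ErrorAction SilentlyContinue) {
        # Deleting an AD-integrated zone removes it from the directory, and that
        # deletion replicates: every DC stops answering for the zone until the
        # restored copy replicates back out.
        Remove-DnsServerZone -Name $Zone -Force
    }
    # dnscmd /zoneadd ... /primary /file ... /load
    Add-DnsServerPrimaryZone -Name $Zone -ZoneFile $zoneFileName -LoadExisting
    # dnscmd /zoneresettype ... /dsprimary (with the replication scope made explicit)
    ConvertTo-DnsServerPrimaryZone -Name $Zone -ReplicationScope $ReplicationScope -Force
    # dnscmd /config ... /allowupdate 2
    Set-DnsServerPrimaryZone -Name $Zone -DynamicUpdate Secure
}

# Post-flight: the zone is back, integrated, secure-update only, roughly the
# right size, and the domain's DC locator record resolves from this server.
$restored = Get-DnsServerZone -Name $Zone
$count    = (Get-DnsServerResourceRecord -ZoneName $Zone | Measure-Object).Count
if ($ExpectedRecords -gt 0 -and $count -ne $ExpectedRecords) {
    # DCs re-register their own records on reload, so small differences are normal.
    Write-Warning "Restored $count records; manifest recorded $ExpectedRecords"
}
$srv = Resolve-DnsName -Name "_ldap._tcp.$Zone" -Type SRV -Server 127.0.0.1
[pscustomobject]@{
    Zone          = $Zone
    DsIntegrated  = $restored.IsDsIntegrated
    DynamicUpdate = $restored.DynamicUpdate
    Records       = $count
    FirstDcSrv    = ($srv | Select-Object -ExpandProperty NameTarget -First 1)
}
```

Run it once with -WhatIf in the lab to see the delete and reload announced without happening, then without.  The SRV lookup at the end is the check that matters for Active Directory: if _ldap._tcp.AD.lab does not resolve, domain logons will fail no matter how many host records came back.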

Hard?  Nope.  How about you back up the DNS in your domain now?  It just takes a minute to export it.  So let's export and back up your DNS.  One more step towards the new modus operandi: just say no to "blowing up" your Active Directory.
