Solved

Active directory integrated zone deletion, DNS

Posted on 2014-03-11
Last Modified: 2014-05-17
We have our main AD integrated zone which disappeared last week. We recreated it and re-entered the records manually.

We tried a restore but it failed.

I found this link which may be plausible, can anyone explain why this would cause a zone to disappear?

http://tfs.letsblog.it/post/2010/05/05/How-to-recreate-an-accedently-deleted-AD-integrated-DNS-zone.aspx
Question by:llcooljsl1983
11 Comments
 
LVL 76

Expert Comment

by:arnold
ID: 39922525
The referenced link in the question is inaccessible.

Back to your question, is the DNS server where the zone disappeared running on a DC or a member server?
Do you have only one DNS server?

The issue with an AD integrated zone being inaccessible on a member server DNS deals with the permission/settings on the zone such that it is limited to DC based DNS services.
 

Author Comment

by:llcooljsl1983
ID: 39922721
Sorry, the text is:
Also it was on a DC at the domain.co.uk level. All servers at the company.domain.co.uk level were unaffected.
 
Some time ago I had a serious problem at a customer.
 
The customer had two AD domains in the same Forest. One of them was running Windows Server 2008 R2 and the other Windows Server 2003 R2.
 
In the 2003 domain I went into the DNS console and changed the DNS zone replication from "To all DNS servers running on domain controllers in this domain" to "To all DNS servers running on domain controllers in this Forest".
After a while I saw that the DNS zone for the domain on the 2003 server was missing....
I looked in the event log and found the following event:
 
Event ID 4005:
The DNS server received indication that zone domain.com was deleted from the Active Directory. Since this zone was an Active Directory integrated zone, it has been deleted from the DNS server.
 
I was in a state of panic for a few minutes until I found a way to recreate the missing DNS Zone:
 
The procedure was the following:
Created an empty AD integrated zone with the same name as the deleted zone.
Make a copy of the files netlogon.dnb and netlogon.dns in c:\windows\system32\config.
Copy the file netlogon.dnb over netlogon.dns.
Restart the netlogon service.
Now the DNS zone was recreated and the only thing left was to recreate the static A records. So nice!
 
Should it fail to recreate the zone you can read here how to restore an AD integrated DNS zone from a backup.
 
Thanks
Thomas
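The recovery steps pasted above, as an added PowerShell example that is not the blog author's or the thread's own code. It assumes the DnsServer module (Windows Server 2012 or later) running on the affected DC itself, a placeholder zone name, and adds a backup of both Netlogon files and a verification of the DC locator SRV records that the pasted procedure does not include.

```powershell
# Added example, not code from the thread or the quoted blog post.
# Assumes: DnsServer module (Windows Server 2012+), run elevated on the DC
# whose zone was re-created empty. $zone is a placeholder.
Import-Module DnsServer
$zone  = 'domain.co.uk'                          # placeholder zone name
$cfg   = Join-Path $env:SystemRoot 'System32\config'
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

# Step 1 of the procedure (the empty AD-integrated zone) is done in the DNS
# console or with Add-DnsServerPrimaryZone; stop here if it is not present,
# because Netlogon would then have nowhere to register its records.
if (-not (Get-DnsServerZone -Name $zone -ErrorAction SilentlyContinue)) {
    throw "Zone $zone does not exist on this server; create it first."
}

# Step 2: keep timestamped copies of both files before touching them.
foreach ($f in 'netlogon.dns', 'netlogon.dnb') {
    Copy-Item (Join-Path $cfg $f) (Join-Path $cfg "$f.$stamp.bak") -ErrorAction Stop
}

# Step 3: overwrite netlogon.dns with netlogon.dnb.
Copy-Item (Join-Path $cfg 'netlogon.dnb') (Join-Path $cfg 'netlogon.dns') -Force

# Step 4: restart Netlogon so it re-registers the DC records, then give it time.
Restart-Service Netlogon -Force
Start-Sleep -Seconds 30

# Verification: the DC locator SRV records should be back before anyone starts
# re-entering static A records by hand.
$srv = Get-DnsServerResourceRecord -ZoneName $zone -RRType Srv -ErrorAction SilentlyContinue |
       Where-Object { $_.HostName -like '_ldap._tcp.dc._msdcs*' }
if ($srv) {
    $srv | Select-Object HostName, RecordData
} else {
    Write-Warning "No DC locator SRV records in $zone yet; check the Netlogon log."
}
```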
 
LVL 21

Expert Comment

by:dan_blagut
ID: 39922722
Hello

The AD integrated DNS zones are replicated with AD information to all controllers that have the DNS server role. When you modify that zone on one AD controller all modifications are replicated to all controllers, deletions also.
So if your logging level is OK, you should find in the logs who deleted this zone.
If the error comes from AD you can try this procedure
http://technet.microsoft.com/fr-fr/library/ff807395(v=ws.10).aspx
Dan
 

Author Comment

by:llcooljsl1983
ID: 39922727
The event logs just say it was deleted
 

Author Comment

by:llcooljsl1983
ID: 39923226
Any ideas?
 
LVL 76

Expert Comment

by:arnold
ID: 39924040
Once you add the _msdcs.yourdomain.com and yourdomain.com integrated zones, the data should be replicated back in.

It sounds as though your auditing policy did not include the level of detail you need.
Does your setup include user login records?
You could try using the login/logout records (on a DC event log security)

See which admin user logged in/out when this happened. But make sure to also look at a login/logout event that deals with resuming their existing session.
i.e. user A logged in a week ago and their session is currently disconnected.
User A resumes their session. User B logs in. Zone data is deleted. An hour or so later user B logs out. User A goes into a sleep/disconnect state or their system is set up such that the user is logged in, and only the screen saver is running (no password needed to gain access).

...

In this situation, you could check with the other admins without accusing any that the AD DNS zone has been deleted and you need their help in fixing it.

Do you usually have multiple DNS domains such that someone mistakenly deleted the wrong one?

In this case, check work orders, etc. to see who was assigned this task and who performed this task. Then see whether the requested domain is incorrectly pointing to your AD domain or is still in DNS...
 

Author Comment

by:llcooljsl1983
ID: 39935007
Why would changing the DNS replication scope from forest to domain cause the zone to disappear from the root DNS servers?

Thanks
 

Author Comment

by:llcooljsl1983
ID: 39950063
Any ideas?
 
LVL 76

Expert Comment

by:arnold
ID: 39950824
It is not clear where it disappeared from. Check the zone properties dealing with on which servers it is available. If it is only available on domain controllers, and your "Root DNS" is just a member, it will not have the security rights needed to access this AD integrated zone.

An AD integrated zone is stored in the AD.  All AD based DNS servers access the one copy in the AD, there are no duplicate copies on each DNS.  When a delete is issued, the data is deleted in the AD.
Once it is deleted, it is inaccessible by all.
 

Accepted Solution

by:llcooljsl1983 (earned 0 total points)
ID: 40058614
We had a specialist come in who found that there were collisions within the ForestDNSZones ADSI section.
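An added PowerShell example, not code from this thread, that covers the checks raised above in one pass: the replication scope of each AD-integrated zone (arnold's point about scope and member-server visibility), the dnsZone objects in the ForestDnsZones and DomainDnsZones partitions including replication-conflict ("CNF:") entries of the kind the specialist found, and the event log entries (DNS Server 4005, Security 5141) that Dan's logging suggestion depends on. It assumes the ActiveDirectory and DnsServer modules (Windows Server 2012 or later, or RSAT) and that it is run on or against a DC; the naming contexts are read from the directory rather than hard-coded.

```powershell
# Added example, not part of this thread. Assumes ActiveDirectory and DnsServer
# modules (Windows Server 2012+ / RSAT) and a DC of the forest root as target.
Import-Module ActiveDirectory
Import-Module DnsServer

$rootDse  = Get-ADRootDSE
$forestDn = $rootDse.rootDomainNamingContext    # e.g. DC=domain,DC=co,DC=uk
$domainDn = $rootDse.defaultNamingContext

# 1. Replication scope of every AD-integrated zone on this server. A zone scoped
#    "Domain" or "Forest" lives in that application partition and is only held
#    by DCs in that scope; a member-server DNS will not see it at all.
Get-DnsServerZone |
    Where-Object { $_.IsDsIntegrated } |
    Select-Object ZoneName, ReplicationScope, DirectoryPartitionName |
    Format-Table -AutoSize

# 2. dnsZone objects in both DNS application partitions, tombstones included.
#    AD renames the losing side of a replication conflict to "<name>\0ACNF:<GUID>";
#    a zone that exists only as a CNF: object is exactly the "collision" case.
$partitions = @("DC=ForestDnsZones,$forestDn", "DC=DomainDnsZones,$domainDn")
foreach ($p in $partitions) {
    Get-ADObject -SearchBase $p -Filter 'objectClass -eq "dnsZone"' `
                 -IncludeDeletedObjects -Properties whenChanged, isDeleted |
        Select-Object @{n='Partition'; e={ $p }}, Name, whenChanged, isDeleted,
                      @{n='Conflict';  e={ $_.Name -match 'CNF:' }} |
        Format-Table -AutoSize
}

# 3. DNS Server log: event 4005 is the moment this server noticed the zone
#    object was gone from AD and dropped its local copy (see the quoted post).
Get-WinEvent -FilterHashtable @{ LogName = 'DNS Server'; Id = 4005 } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message

# 4. Security log: 5141 ("A directory service object was deleted") names the
#    account, but only if "Audit Directory Service Changes" was enabled on the
#    DC before the deletion. If it was not, the logs only say "deleted".
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5141 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'dnsZone' } |
    Select-Object TimeCreated, Message
```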
 

Author Closing Comment

by:llcooljsl1983
ID: 40071906
Unfortunately we had to call in a specialist to determine the cause.