Solved

Active directory integrated zone deletion, DNS

Posted on 2014-03-11
1,159 Views
Last Modified: 2014-05-17
We have our main AD integrated zone which disappeared last week. We recreated it and re-entered the records manually.

We tried a restore but it failed.

I found this link which may be plausible, can anyone explain why this would cause a zone to disappear?

http://tfs.letsblog.it/post/2010/05/05/How-to-recreate-an-accedently-deleted-AD-integrated-DNS-zone.aspx
Question by:llcooljsl1983
11 Comments
 
LVL 79

Expert Comment

by:arnold
ID: 39922525
The referenced link in the question is inaccessible.

Back to your question, is the DNS server where the zone disappeared running on a DC or a member server?
Do you have only one DNS server?

The issue with an AD integrated zone being inaccessible on a member server DNS deals with the permission/settings on the zone such that it is limited to DC based DNS services.
0
 

Author Comment

by:llcooljsl1983
ID: 39922721
Sorry the text is:
Also it was on a DC at the domain.co.uk level. All servers at the company.domain.co.uk level were unaffected.
 
Some time ago I had a serious problem at a customer.
 
The customer had two AD domains in the same Forest. One of them was running Windows Server 2008 R2 and the other Windows Server 2003 R2.
 
In the 2003 domain I went into the DNS console and changed the DNS zone replication from "To all DNS servers running on domain controllers in this domain" to "To all DNS servers running on domain controllers in this Forest".
After a while I saw that the DNS zone for the domain on the 2003 server was missing....
I looked in the event log and found the following event:
 
Event ID 4005:
The DNS server received indication that zone domain.com was deleted from the Active Directory. Since this zone was an Active Directory integrated zone, it has been deleted from the DNS server.
 
I was in a state of panic for a few minutes until I found a way to recreate the missing DNS Zone:
 
The procedure was the following:
Created an empty AD integrated zone with the same name as the deleted zone.
Make a copy of the files netlogon.dnb and netlogon.dns in c:\windows\system32\config .
Copy the file netlogon.dnb over netlogon.dns .
Restart the netlogon service.
Now the DNS zone was recreated and the only thing left was to recreate the static A records. So nice!
 
Should it fail to recreate the zone you can read here how to restore an AD integrated DNS zone from a backup.
 
Thanks
Thomas
0
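The recreate procedure quoted above, written out as an added PowerShell example (not the blog author's or the thread's own script), with a backup of the netlogon files taken first and a check afterwards that the DC's SRV records are back in the zone. It assumes a Windows Server 2012 or later DC with the DnsServer module; the zone name is a placeholder.

```powershell
# Added example: recreate a deleted AD-integrated zone the way the quoted post
# describes, with a backup and a verification step. Run elevated on the DC.
param(
    [string]$ZoneName = 'domain.co.uk',                       # placeholder
    [ValidateSet('Domain','Forest')][string]$Scope = 'Domain'  # replication scope
)
$cfg   = Join-Path $env:SystemRoot 'System32\config'
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

# Step 1: empty AD-integrated zone with the same name (skip if it already exists).
if (-not (Get-DnsServerZone -Name $ZoneName -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $ZoneName -ReplicationScope $Scope -DynamicUpdate Secure
}

# Step 2: keep timestamped copies of both netlogon files before touching them.
foreach ($f in 'netlogon.dns', 'netlogon.dnb') {
    $src = Join-Path $cfg $f
    if (Test-Path $src) { Copy-Item $src "$src.$stamp.bak" }
}

# Step 3: copy netlogon.dnb over netlogon.dns, as the quoted post does.
Copy-Item (Join-Path $cfg 'netlogon.dnb') (Join-Path $cfg 'netlogon.dns') -Force

# Step 4: restart Netlogon so the DC re-registers its locator records.
# (The documented way to force the same re-registration is "nltest /dsregdns".)
Restart-Service -Name Netlogon -Force

# Step 5: verify. Registration is asynchronous, so poll for up to a minute
# for the two SRV records every DC must publish in its domain zone.
$wanted  = '_ldap._tcp', '_kerberos._tcp'
$missing = $wanted
for ($i = 0; $i -lt 12 -and $missing.Count -gt 0; $i++) {
    Start-Sleep -Seconds 5
    $missing = $wanted | Where-Object {
        -not (Get-DnsServerResourceRecord -ZoneName $ZoneName -Name $_ -RRType Srv `
                  -ErrorAction SilentlyContinue)
    }
}
if ($missing) {
    Write-Warning "Still missing in ${ZoneName}: $($missing -join ', '). Check the System log for Netlogon errors."
} else {
    Write-Host "SRV records are back in $ZoneName; static A records still have to be re-entered by hand."
}
```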
 
LVL 22

Expert Comment

by:dan_blagut
ID: 39922722
Hello

The AD integrated DNS zones are replicated with the AD information to all controllers that have the DNS server role. When you modify that zone on one AD controller, all modifications are replicated to all controllers, deletions too.
So if your logging level is OK, you should find in the logs who deleted this zone.
If the error comes from AD you can try this procedure
http://technet.microsoft.com/fr-fr/library/ff807395(v=ws.10).aspx
Dan
0
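An added example (not part of any reply in the thread) of the log check suggested above: it pulls the DNS Server event 4005 that records the zone being removed from AD, then looks for the Security event 5141 ("A directory service object was deleted") for the matching dnsZone object, which names the account that did it. The second part only returns anything if "Audit Directory Service Changes" was enabled beforehand, which the question author's logs suggest it was not. The zone name and look-back window are placeholders; run it as an administrator on a DC with the DNS role.

```powershell
# Added example: who deleted an AD-integrated zone, from the DC's own logs.
param(
    [string]$ZoneName = 'domain.co.uk',   # placeholder zone name
    [int]$DaysBack    = 14
)
$since = (Get-Date).AddDays(-$DaysBack)

# 1. DNS Server log, event 4005: "zone X was deleted from the Active Directory".
#    This is what the question author saw; it gives the time but not the actor.
$dnsEvents = Get-WinEvent -FilterHashtable @{ LogName = 'DNS Server'; Id = 4005; StartTime = $since } `
                          -ErrorAction SilentlyContinue |
             Where-Object { $_.Message -match [regex]::Escape($ZoneName) }
foreach ($e in $dnsEvents) {
    [pscustomobject]@{ Time = $e.TimeCreated; Source = 'DNS 4005'; Actor = '(not recorded)'; Object = $ZoneName }
}

# 2. Security log, event 5141: object deletion under Directory Service Changes auditing.
#    The zone object's DN contains "DC=<zone>,CN=MicrosoftDNS,...", so match on that.
$auditEvents = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5141; StartTime = $since } `
                            -ErrorAction SilentlyContinue |
               Where-Object { $_.Message -match 'dnsZone' -and
                              $_.Message -match [regex]::Escape("DC=$ZoneName,") }
foreach ($e in $auditEvents) {
    $actor = if ($e.Message -match 'Account Name:\s+(\S+)') { $Matches[1] } else { '?' }
    $dn    = if ($e.Message -match 'DN:\s+(\S+)')           { $Matches[1] } else { '?' }
    [pscustomobject]@{ Time = $e.TimeCreated; Source = 'Security 5141'; Actor = $actor; Object = $dn }
}

if (-not $auditEvents) {
    # No 5141 means the deletion was not audited; enable it so the next one is:
    #   auditpol /set /subcategory:"Directory Service Changes" /success:enable
    Write-Warning "No 5141 deletion audit for $ZoneName in the last $DaysBack days; " +
                  "Directory Service Changes auditing is probably not enabled on this DC."
}
```

Because the zone object lives in a single AD partition (DomainDnsZones or ForestDnsZones), the 5141 event is written only on the DC where the delete was issued, so run the script on each DC or forward their Security logs to one place.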
 

Author Comment

by:llcooljsl1983
ID: 39922727
The event logs just say it was deleted
0
 

Author Comment

by:llcooljsl1983
ID: 39923226
Any ideas?
0
 
LVL 79

Expert Comment

by:arnold
ID: 39924040
Once you add the _msdcs.yourdomain.com and yourdomain.com integrated zones, the data should be replicated back in.

It sounds as though your auditing policy did not include the level of detail you need.
Does your setup include user login records?
You could try using the login/logout records (on a DC event log security)

See which admin user logged in/out when this happened. But make sure to also look at a login/logout event that deals with resuming their existing session.
i.e. user A logged in a week ago and their session is currently disconnected.
User A resumes their session.  User B logs in. zone data is deleted. an hour or so later user B logs out.  User A goes into a sleep/disconnect state or their system is setup such that the user is logged in, and only the screen saver is running (no password needed to gain access).

...

In this situation, you could check with the other admins without accusing any that the AD DNS zone has been deleted and you need their help in fixing it.

Do you usually have multiple DNS domains such that someone mistakenly deleted the wrong one?

In this case, check workorder, etc. to see who was assigned this task and who performed this task. Then see whether the requested domain is incorrectly pointing to your AD domain or is still in DNS ........
0
 

Author Comment

by:llcooljsl1983
ID: 39935007
Why would changing the DNS replication scope from forest to domain cause the zone to disappear from the root DNS servers?

Thanks
0
 

Author Comment

by:llcooljsl1983
ID: 39950063
Any ideas?
0
 
LVL 79

Expert Comment

by:arnold
ID: 39950824
It is not clear where it disappeared from.  Check the zone properties dealing with on which servers it is available.  If it is only available on Domain controllers, and your "Root DNS" is just a member, it will not have the security rights needed to access this AD integrated zone.

An AD integrated zone is stored in the AD.  All AD based DNS servers access the one copy in the AD, there are no duplicate copies on each DNS.  When a delete is issued, the data is deleted in the AD.
Once it is deleted, it is inaccessible by all.
0
 

Accepted Solution

by:
llcooljsl1983 earned 0 total points
ID: 40058614
We had a specialist come in who found that there were collisions within the ForestDNSZones ADSI section.
0
 

Author Closing Comment

by:llcooljsl1983
ID: 40071906
Unfortunately we had to call in a specialist to determine the cause.
0
