Accidentally deleting Windows AD-Integrated forward lookup zones in Windows Server 2016

RC
Someone accidentally deleted our Windows Server 2016 AD-Integrated forward lookup zones using a third-party tool. What would be the easiest way to recover the DNS zones? We do have the ability to restore any of the domain controllers in its entirety, but we will have to accommodate for an authoritative restore, which doesn't seem to be a straightforward process.
Distinguished Expert 2017

Commented:
Restore an AD DC in an isolated lab.
Are you talking about the DNS entries for _msdcs?
See if you can add back the forward zone as AD-integrated.
RC, System Engineer

Author

Commented:
There are two primary Forward Lookup Zones. The _msdcs is one of them. The zones are AD-Integrated. One thing I forgot to mention is that the AD Recycle Bin is not an option in our case because the Forest and Domain Functional Level is set to Windows Server 2008. I can restore it to an isolated environment if needed, but ideally, if there is a need to do a restore, I would prefer to do an authoritative restore using one of our full backup copies.
RC, System Engineer

Author

Commented:
I already tried to recreate the zone using the steps below, but no dice. I was able to get some of the DNS records, but I am missing about 60% of them. I'm guessing that an authoritative restore is our best option, but I'm trying to see how I can leverage our full backup restore to accomplish that.

MANUALLY RECREATE THE DELETED ZONES
IPCONFIG /FLUSHDNS
IPCONFIG /REGISTERDNS
DCDIAG /FIX
NET STOP NETLOGON
NET START NETLOGON
Distinguished Expert 2017

Commented:
Many entries in _msdcs are regenerated by ntds, sites and services.
The risk with the authoritative restore is you will be rolling back password changes if any that occurred since the backup.

Forward AD domain entries for server records can be added manually.

Pre-restore, and at 40%, is the AD functional?

Before doing an authoritative install, you should be certain in what would happen.
You're in a difficult predicament.
MAS, EE Solution Guide - Technical Dept Head
Most Valuable Expert 2017

Commented:
If the AD is functional, please wait; all the missing records will come back.
The only thing is you have to create the zone and restart the server.
RC, System Engineer

Author

Commented:
Yes, AD is functional, and recreating the zone and restarting the server or the services helped bring back many of the records. However, I was considering performing an authoritative restore using a one-day-old backup, but I couldn't find good documentation on how to safely execute that procedure in a Windows Server 2016 AD environment (the functional level is still set to Windows Server 2008, but this will change soon).
MAS, EE Solution Guide - Technical Dept Head
Most Valuable Expert 2017
Commented:
I suggest not to restore. As commented by Arnold, you are going back to a previous state.
If you have a full VM backup, then restore the VM if you are keen on restoring, if this is a virtual environment.
Distinguished Expert 2017

Commented:
Oh, make sure to take the rights from the user who ran the third-party tool.
DNS server records should be scavenged by the DNS server's process, not an external...
RC, System Engineer

Author

Commented:
I totally get your guys' point on trying to avoid the restore, which is why I posted the question in the first place. I didn't want to do it without thinking it through and weighing all of my options. Now, I'm questioning why we are running full backups on our domain controllers :). There is one more thing about this question I would like your insight on. In case there is ever a need to perform an authoritative restore, can you please check my steps on doing so below?

1. Perform a full DC (VM) restore.
2. When the DC reboots for the second time, open the boot menu (press F8), select Directory Services Restore Mode (DSRM) and then sign in to the system using DSRM credentials.
3. Open a command line and run ntdsutil.
4. Use the following commands: activate instance ntds; then authoritative restore; then restore object "distinguishedName" or restore subtree "distinguishedName".
Example: restore subtree "OU=Branch,DC=dc,DC=lab,DC=local"
5. Confirm the authoritative restore and reboot the server upon completion.
Distinguished Expert 2017

Commented:
Authoritative restore is needed when the AD is corrupted or hijacked: a massive object loss. Which is why in newer versions there is the addition of a "temp deleted object"..
Restoring a backup of the system state, which is where the AD data is....

In your case, DNS zone(s) were impacted..
RC, System Engineer

Author

Commented:
Yes, that makes sense. I just have to review our backup strategy for domain controllers. Do you know the steps on how to perform an Authoritative restore or can help me verify the ones I have outlined before?
Distinguished Expert 2017
Commented:
Much depends on what stage/scenario. Often a restore of a DC is not advisable.
The only restore from backup deals with restoring in a single-DC environment.
Even in a hardware failure in a physical, rebuilding..
RC, System Engineer

Author

Commented:
Yes, I can see the point about only restoring from backups in single-DC environments. In a multi-domain-controller environment using an AD-Integrated configuration, the restore process is much more complex depending on what type of data you are trying to restore. Seems like we just need to back up the DC(s) holding the FSMO roles as part of our disaster recovery strategy. I guess the other ones don't need to be backed up. I guess I can focus my efforts on trying to come up with the best strategy to recover particular AD objects. I know I'll be enabling the AD Recycle Bin feature to help me better deal with unwanted deletions. This is probably why Microsoft added that feature.
RC, System Engineer
Commented:
Decided solution verified by Arnold and MAS

MANUALLY RECREATE THE DELETED ZONES
IPCONFIG /FLUSHDNS
IPCONFIG /REGISTERDNS
DCDIAG /FIX
NET STOP NETLOGON
NET START NETLOGON
OR
Simply Reboot your Domain Controllers
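The accepted steps above (and the same list posted earlier in the thread) are cmd commands typed by hand. As an added example that is not part of the thread, the PowerShell below does the same recovery on a DC and then checks the outcome the way Mahesh describes below: it recreates either zone as AD-integrated if it is missing, restarts Netlogon so the DC re-registers its own records, and then verifies every record listed in netlogon.dns against the DNS server. It assumes the DnsServer and ActiveDirectory modules (Windows Server 2012 or later), elevation, and the standard two-zone layout from this thread; the domain name is read from AD rather than hard-coded.

```powershell
# Added example (not from the thread): recreate missing AD-integrated zones, restart Netlogon,
# and verify that every DC record from netlogon.dns is back. Run elevated on a DC that is a DNS server.
Import-Module DnsServer
Import-Module ActiveDirectory

$domain = (Get-ADDomain).DNSRoot          # e.g. "corp.example.com" (placeholder value; read from AD)
$zones  = @(
    @{ Name = $domain;          Scope = 'Domain' },   # stored in the DomainDnsZones partition
    @{ Name = "_msdcs.$domain"; Scope = 'Forest' }    # stored in the ForestDnsZones partition
)

foreach ($z in $zones) {
    $existing = Get-DnsServerZone -Name $z.Name -ErrorAction SilentlyContinue
    if ($null -eq $existing) {
        Write-Host "Zone $($z.Name) is missing; recreating as AD-integrated ($($z.Scope) scope)"
        # Secure dynamic updates only: just domain members and DCs may re-register records
        Add-DnsServerPrimaryZone -Name $z.Name -ReplicationScope $z.Scope -DynamicUpdate Secure
    } elseif (-not $existing.IsDsIntegrated) {
        Write-Warning "Zone $($z.Name) exists but is file-backed, not AD-integrated"
    }
}

# Netlogon re-registers this DC's SRV/A records (same effect as NET STOP/START NETLOGON above)
Restart-Service Netlogon
ipconfig /registerdns | Out-Null
Start-Sleep -Seconds 30

# netlogon.dns lists every record this DC is supposed to own; verify each one came back
$netlogonDns = Join-Path $env:SystemRoot 'System32\config\netlogon.dns'
$zoneNames   = $zones | ForEach-Object { $_.Name } | Sort-Object Length -Descending  # longest suffix first
$missing     = @()
foreach ($line in Get-Content $netlogonDns) {
    # line format: "<fqdn>. <ttl> IN <type> <rdata...>"
    $f = $line -split '\s+'
    if ($f.Count -lt 5) { continue }
    $fqdn = $f[0].TrimEnd('.')
    $type = $f[3]
    # _msdcs.<domain> is longer than <domain>, so records under _msdcs land in the right zone
    $zone = ($zoneNames | Where-Object { $fqdn -eq $_ -or $fqdn.EndsWith(".$_") } | Select-Object -First 1)
    if (-not $zone) { continue }
    $rel = if ($fqdn -eq $zone) { '@' } else { $fqdn.Substring(0, $fqdn.Length - $zone.Length - 1) }
    $rr  = Get-DnsServerResourceRecord -ZoneName $zone -Name $rel -RRType $type -ErrorAction SilentlyContinue
    if ($null -eq $rr) { $missing += "$type $fqdn" }
}

if ($missing.Count -eq 0) {
    Write-Host "All DC records from netlogon.dns are present"
} else {
    Write-Warning "Still missing $($missing.Count) DC records:"
    $missing | ForEach-Object { Write-Warning "  $_" }
}
```

The check only covers records the DC registers for itself; host records of member servers and workstations are not in netlogon.dns and come back only as those hosts (or DHCP) re-register, which is the gap Mahesh points out below.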
MAS, EE Solution Guide - Technical Dept Head
Most Valuable Expert 2017

Commented:
I'd appreciate it if you mark the expert's comment which helped you as the solution (not only your comment as the solution).
Mahesh, Architect
Distinguished Expert 2018
Commented:
You have selected your own comment as the solution; select the experts' comments which have helped you.

BTW, recreation of the zones followed by restarting the Netlogon service will get the domain controller records back as per the records in the netlogon.dns file.
However, it won't restore other servers' and computers' host records, and it also won't restore any custom subdomain folders you have created under the zone.

For host records, you need to wait for clients or DHCP to register those records based on your configuration.

The ideal scenario would be to restart any one server (the PDC most probably) in DSRM, restore the AD system state non-authoritatively and, depending upon where your zone is stored, restore only that part authoritatively.
Ex. the _msdcs.domain.com zone is always stored under dc=forestdnszones,dc=domain,dc=com

And domain.com is stored under the domaindnszones partition.

Both of these are application directories.

If by chance your domain.com zone is stored under the MicrosoftDNS folder under the System folder under the Active Directory domain root, you need to restore that folder.

The zone gets stored in that partition if the zone replication scope is defined as Windows 2000 domain controller compatibility.
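The author's ntdsutil steps earlier in the thread take a distinguished name for "restore subtree", and the partition explanation just above is what decides that name. As an added example that is not part of the thread, the PowerShell below looks up each zone's dnsZone object in the three possible locations (ForestDnsZones, DomainDnsZones, and the legacy CN=MicrosoftDNS,CN=System container) and prints the exact ntdsutil lines for the subtree it finds. It assumes the ActiveDirectory module, a DC that hosts the DNS application partitions, and the two-zone layout from this thread; the container DNs are built from the domain and forest root read from AD, so no real names are hard-coded.

```powershell
# Added example (not from the thread): locate the AD object of each DNS zone so the right subtree
# can be named in "ntdsutil ... authoritative restore ... restore subtree". Run on a DC.
Import-Module ActiveDirectory

$dom      = Get-ADDomain
$domainDN = $dom.DistinguishedName                                   # e.g. DC=corp,DC=example,DC=com (placeholder)
$forestDN = (Get-ADDomain -Identity (Get-ADForest).RootDomain).DistinguishedName

# The three places an AD-integrated zone can live, one per replication scope
$containers = @(
    @{ Scope = 'Forest (ForestDnsZones partition)';            DN = "CN=MicrosoftDNS,DC=ForestDnsZones,$forestDN" },
    @{ Scope = 'Domain (DomainDnsZones partition)';            DN = "CN=MicrosoftDNS,DC=DomainDnsZones,$domainDN" },
    @{ Scope = 'All DCs in domain (Windows 2000 compatible)';  DN = "CN=MicrosoftDNS,CN=System,$domainDN" }
)

function Find-DnsZoneObject {
    param([string]$ZoneName)
    foreach ($c in $containers) {
        # dnsZone objects sit directly under the MicrosoftDNS container as DC=<zonename>.
        # A zone that has been deleted no longer shows up here; finding it in Deleted Objects
        # would need the AD Recycle Bin, which this thread's forest does not have.
        $obj = Get-ADObject -SearchBase $c.DN -SearchScope OneLevel `
                 -Filter "objectClass -eq 'dnsZone' -and name -eq '$ZoneName'" `
                 -ErrorAction SilentlyContinue
        if ($obj) {
            return [pscustomobject]@{ Zone = $ZoneName; Scope = $c.Scope; DN = $obj.DistinguishedName }
        }
    }
    return $null
}

foreach ($zone in @($dom.DNSRoot, "_msdcs.$($dom.DNSRoot)")) {
    $found = Find-DnsZoneObject -ZoneName $zone
    if ($found) {
        Write-Host "$zone is stored in: $($found.Scope)"
        Write-Host "  $($found.DN)"
        Write-Host "  ntdsutil lines (in DSRM, after a non-authoritative system state restore):"
        Write-Host "    activate instance ntds"
        Write-Host "    authoritative restore"
        Write-Host "    restore subtree `"$($found.DN)`""
    } else {
        Write-Warning "$zone was not found in any partition on this DC (deleted, or not AD-integrated)"
    }
}
```

Run this before the restore (or on a DC that still has the zones) to record the DNs, so that afterwards only the zone subtree is marked authoritative rather than the whole domain partition, which is the rollback risk Arnold raises earlier in the thread.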
RC, System Engineer

Author

Commented:
Thank you all for your help
