RC asked:
Accidentally deleting Windows AD-Integrated forward lookup zones in Windows Server 2016

Someone accidentally deleted our Windows Server 2016 AD-integrated forward lookup zones using a third-party tool. What would be the easiest way to recover the DNS zones? We do have the ability to restore any of the domain controllers in its entirety, but we will have to accommodate an authoritative restore, which doesn't seem to be a straightforward process.

arnold

Restore an ad DC in an isolated lab.
Are you talking about the DNS entries for _msdcs?
See if you can add back the forward zone as AD-integrated.

RC (ASKER)
There are two primary forward lookup zones. The _msdcs zone is one of them. The zones are AD-integrated. One thing I forgot to mention is that the AD Recycle Bin is not an option in our case because the forest and domain functional level is set to Windows Server 2008. I can restore it to an isolated environment if needed, but ideally, if there is a need to do a restore, I would prefer to do an authoritative restore using one of our full backup copies.

RC (ASKER)
I already tried to recreate the zone using the steps below, but no dice. I was able to get some of the DNS records back, but I am missing about 60% of them. I'm guessing that an authoritative restore is our best option, but I'm trying to see how I can leverage our full backup restore to accomplish that.

MANUALLY RECREATE THE DELETED ZONES
IPCONFIG /FLUSHDNS
IPCONFIG /REGISTERDNS
DCDIAG /FIX
NET STOP NETLOGON
NET START NETLOGON
Many entries in _msdcs are regenerated by NTDS and Sites and Services.
The risk with the authoritative restore is that you will be rolling back password changes, if any, that occurred since the backup.

Forward AD domain entries for server records can be added manually.

Before the restore, with 40% of the records present, is the AD functional?

Before doing an authoritative restore, you should be certain of what would happen.
You're in a difficult predicament.
If the AD is functional, please wait; all the missing records will come back.
The only thing is you have to create the zone and restart the server.
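The recreate-and-wait approach above, as an added PowerShell example that is not from the thread: it recreates both zones as AD-integrated if they are missing, records how many resource records each zone holds, forces this DC to re-register its own A and SRV records, and then reports the counts and checks the DC locator SRV record. The domain name contoso.com is an assumption; every DC registers only its own records, so the same block has to run on each DC, and member machines come back on their own dynamic-update cycle.

```powershell
# Added example (not from the original thread). Run elevated on a DC that holds
# the DNS role. Assumption: the AD DNS domain is contoso.com; change $Domain.
$Domain = 'contoso.com'
$Zones  = @($Domain, "_msdcs.$Domain")

# 1. Recreate the zones as AD-integrated with secure dynamic updates only.
#    _msdcs normally replicates forest-wide and the domain zone domain-wide,
#    which are the scopes a DC promotion creates by default.
if (-not (Get-DnsServerZone -Name "_msdcs.$Domain" -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name "_msdcs.$Domain" -ReplicationScope Forest -DynamicUpdate Secure
}
if (-not (Get-DnsServerZone -Name $Domain -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $Domain -ReplicationScope Domain -DynamicUpdate Secure
}

# 2. Count resource records per zone so progress can be measured.
function Get-ZoneRecordCount {
    param([string]$ZoneName)
    @(Get-DnsServerResourceRecord -ZoneName $ZoneName -ErrorAction SilentlyContinue).Count
}
$before = @{}
foreach ($z in $Zones) { $before[$z] = Get-ZoneRecordCount -ZoneName $z }

# 3. Force this DC to re-register its own records. ipconfig /registerdns
#    re-registers the host A/PTR records; Netlogon writes the _ldap/_kerberos/
#    _gc SRV records on start, and nltest /dsregdns makes it do so immediately.
ipconfig /flushdns    | Out-Null
ipconfig /registerdns | Out-Null
Restart-Service -Name Netlogon
nltest /dsregdns      | Out-Null

# 4. Give Netlogon and dynamic update a moment, then compare.
Start-Sleep -Seconds 30
foreach ($z in $Zones) {
    $after = Get-ZoneRecordCount -ZoneName $z
    '{0}: {1} records before re-registration, {2} after' -f $z, $before[$z], $after
}

# 5. Check: every DC must publish an _ldap SRV record under _tcp.dc._msdcs.
#    Compare NameTarget against the DC list; a DC that is missing here has
#    not re-registered yet and needs the same steps run locally.
$dcs = (Get-ADDomainController -Filter *).HostName
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $env:COMPUTERNAME
$missing = $dcs | Where-Object { $_ -notin $srv.NameTarget }
if ($missing) { "DCs without an _ldap SRV record yet: $($missing -join ', ')" }
else          { 'All DCs have re-registered their _ldap SRV records.' }
```

The same block run through `Invoke-Command -ComputerName $dcs` brings each DC's own records back; workstation and member-server records return only as those hosts refresh their registrations, which is why the count climbs over a day or so rather than immediately.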
RC (ASKER)
Yes, AD is functional, and recreating the zone and restarting the server or the services helped bring back many of the records. However, I was considering performing an authoritative restore using a one-day-old backup, but I couldn't find good documentation on how to safely execute that procedure in a Windows Server 2016 AD environment (the functional level is still set to Windows Server 2008, but this will change soon).
SOLUTION
M A
Oh, and make sure to take the rights away from the user who ran the third-party tool.
DNS server records should be scavenged by the DNS server's own process, not an external...

RC (ASKER)
I totally get your point about trying to avoid the restore, which is why I posted the question in the first place. I didn't want to do it without thinking it through and weighing all of my options. Now I'm questioning why we are running full backups on our domain controllers :). There is one more thing about this question I would like your insight on. In case there is ever a need to perform an authoritative restore, can you please check my steps for doing so below?

1. Perform a full DC (VM) restore.
2. When the DC reboots for the second time, open the boot menu (press F8), select Directory Services Restore Mode (DSRM), and sign in using the DSRM credentials.
3. Open a command line and run ntdsutil.
4. Use the following commands: activate instance ntds; then authoritative restore; then restore object "distinguishedName" or restore subtree "distinguishedName".
Example: restore subtree "OU=Branch,DC=dc,DC=lab,DC=local"
5. Confirm the authoritative restore and reboot the server upon completion.
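For the DNS-zone case the distinguished name in step 4 is not an OU but the dnsZone object, so the first thing to pin down is where the zone objects actually live. The following PowerShell is an added example, not from the thread: it enumerates zone objects in the three places AD can store them, shows the tombstoned (deleted) zones so you can confirm what was removed and when, and assembles the ntdsutil command line for the restored DC. The domain contoso.com, the zone DN and the single-domain forest are assumptions; confirm the DN from step 1 of the block before using it in DSRM.

```powershell
# Added example (not from the original thread). Assumption: domain contoso.com,
# single-domain forest, zones stored in the DomainDnsZones / ForestDnsZones
# application partitions (the default for AD-integrated zones since 2003).
Import-Module ActiveDirectory
$DomainDN = (Get-ADDomain).DistinguishedName          # e.g. DC=contoso,DC=com

# 1. Find live zone objects. Zones created with the legacy "all DCs in the
#    domain" scope live under CN=MicrosoftDNS,CN=System instead.
$searchBases = @(
    "DC=DomainDnsZones,$DomainDN",
    "DC=ForestDnsZones,$DomainDN",     # assumption: forest root == this domain
    "CN=MicrosoftDNS,CN=System,$DomainDN"
)
$liveZones = foreach ($base in $searchBases) {
    Get-ADObject -SearchBase $base -LDAPFilter '(objectClass=dnsZone)' -ErrorAction SilentlyContinue
}
'Live zone objects:'
$liveZones | Select-Object Name, DistinguishedName | Format-Table -AutoSize

# 2. Without the Recycle Bin a deleted zone survives only as a tombstone:
#    objectClass, name and lastKnownParent are kept, but the dnsNode children
#    and their dnsRecord data are stripped, so reanimating the tombstone would
#    give back an empty zone. The tombstone still tells you what was deleted,
#    when, and from which container (useful for the incident timeline).
'Tombstoned zone objects:'
Get-ADObject -LDAPFilter '(&(objectClass=dnsZone)(isDeleted=TRUE))' `
             -IncludeDeletedObjects -Properties whenChanged, lastKnownParent |
    Select-Object Name, whenChanged, lastKnownParent | Format-Table -AutoSize

# 3. Build the ntdsutil invocation for the restored DC. The DN is the zone
#    object from step 1 (assumed value shown); "restore subtree" also marks
#    every dnsNode beneath it authoritative.
$ZoneDN = "DC=contoso.com,CN=MicrosoftDNS,DC=DomainDnsZones,$DomainDN"   # assumption
$ntdsutilArgs = @(
    'activate instance ntds',
    'authoritative restore',
    "restore subtree $ZoneDN",
    'quit',
    'quit'
)
# Sequence on the restored DC, with bcdedit replacing the F8 keypress:
#   bcdedit /set safeboot dsrepair ; Restart-Computer      (boots into DSRM)
#   <system-state restore from the AD-aware backup, non-authoritative>
#   & ntdsutil @ntdsutilArgs                                (answer Yes)
#   bcdedit /deletevalue safeboot ; Restart-Computer
'ntdsutil command line:'
'ntdsutil ' + (($ntdsutilArgs | ForEach-Object { '"{0}"' -f $_ }) -join ' ')
```

Two caveats a practitioner would check before running step 3: the backup has to be an AD-aware system-state backup (or a VM restore on a hypervisor that exposes VM-GenerationID to a Windows Server 2012 or later DC), otherwise the restored DC's invocation ID is not reset and the rest of the domain ignores it or, worse, suffers USN rollback; and an authoritative restore of the subtree overwrites every record beneath it with the backup's copy, so any DNS changes made after the backup are lost, which is the DNS-side equivalent of the password-rollback risk mentioned earlier in the thread.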
An authoritative restore is needed when the AD is corrupted or hijacked, or after a massive object loss. This is why newer versions added a "temporary deleted object" store.
Restoring a backup of the system state, which is where the AD data is...

In your case, it was a DNS zone or zones that were impacted.

RC (ASKER)
Yes, that makes sense. I just have to review our backup strategy for domain controllers. Do you know the steps for performing an authoritative restore, or can you help me verify the ones I outlined before?
SOLUTION
RC (ASKER)
Yes, I can see the point about only restoring from backups in single-domain-controller environments. In a multi-domain-controller environment using an AD-integrated configuration, the restore process is much more complex, depending on what type of data you are trying to restore. It seems like we just need to back up the DC(s) holding the FSMO roles as part of our disaster recovery strategy. I guess the other ones don't need to be backed up. I guess I can focus my efforts on trying to come up with the best strategy to recover particular AD objects. I know I'll be enabling the AD Recycle Bin feature to help me better deal with unwanted deletions. This is probably why Microsoft added that feature.
ASKER CERTIFIED SOLUTION
SOLUTION
SOLUTION
RC (ASKER)
Thank you all for your help.