RC
asked on
Accidentally deleting Windows AD-Integrated forward lookup zones in Windows Server 2016
Someone accidentally deleted our Windows Server 2016 AD-Integrated forward lookup zones using a third-party tool. What would be the easiest way to recover the DNS zones? We do have the ability to restore any of the domain controllers in its entirety, but we will have to accommodate an authoritative restore, which doesn't seem to be a straightforward process.
See if you can see the records within the AD Recycle Bin to restore them back.
https://blogs.technet.microsoft.com/canitpro/2014/07/28/step-by-step-restoring-a-deleted-object-via-active-directory-recycle-bin/
ASKER
There are two primary Forward Lookup Zones. The _msdcs is one of them. The zones are AD-Integrated. One thing I forgot to mention is that the AD Recycle Bin is not an option in our case because the Forest and Domain Functional Level is set to Windows Server 2008. I can restore it to an isolated environment if needed, but ideally, if there is a need to do a restore, I would prefer to do an Authoritative restore using one of our full backup copies.
ASKER
I already tried to recreate the zone using the steps below, but no dice. I was able to get some of the DNS records, but I am missing about 60% of them. I'm guessing that an authoritative restore is our best option, but I'm trying to see how I can leverage our full backup restore to accomplish that.
MANUALLY RECREATE THE DELETED ZONES
IPCONFIG /FLUSHDNS
IPCONFIG /REGISTERDNS
DCDIAG /FIX
NET STOP NETLOGON
NET START NETLOGON
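Once the zone is recreated and Netlogon restarted, the records a DC registers for itself can be checked one by one rather than eyeballing the zone. The script below is an added example, not part of this thread: it parses the netlogon.dns file the Netlogon service writes (%SystemRoot%\System32\config\netlogon.dns, the same records that `ipconfig /registerdns` and a Netlogon restart re-register) and queries each entry against a DNS server. The $DnsServer value and the per-type matching rules are assumptions.

```powershell
# Added example (not from the thread). Assumption: run in PowerShell on a DC with the
# DnsClient module; $DnsServer is the DNS server to check (defaults to the local DC).
$NetlogonDns = "$env:SystemRoot\System32\config\netlogon.dns"
$DnsServer   = $env:COMPUTERNAME

function Get-NetlogonRecord {
    # Parse one netlogon.dns line of the form "<name> <ttl> IN <type> <rdata...>".
    param([string]$Line)
    $f = $Line.Trim() -split '\s+'
    if ($f.Count -lt 5 -or $f[2] -ne 'IN') { return $null }   # blank or unexpected line
    [pscustomobject]@{
        Name   = $f[0].TrimEnd('.')
        Type   = $f[3]
        Target = $f[-1].TrimEnd('.')   # last field: SRV target, CNAME host or A address
    }
}

function Test-NetlogonRecord {
    # $true when the DNS server currently answers with a record matching the entry.
    param($Record, [string]$Server)
    $answers = Resolve-DnsName -Name $Record.Name -Type $Record.Type -Server $Server `
                   -DnsOnly -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq $Record.Type }
    foreach ($a in $answers) {
        $value = switch ($Record.Type) {
            'SRV'   { $a.NameTarget }
            'CNAME' { $a.NameHost }
            'A'     { $a.IPAddress }
            default { $null }
        }
        if ("$value".TrimEnd('.') -eq $Record.Target) { return $true }
    }
    return $false
}

$total = 0; $missing = @()
foreach ($line in Get-Content $NetlogonDns) {
    $rec = Get-NetlogonRecord $line
    if (-not $rec) { continue }
    $total++
    if (-not (Test-NetlogonRecord $rec $DnsServer)) { $missing += $rec }
}
"{0} of {1} records registered by this DC are missing from {2}" -f $missing.Count, $total, $DnsServer
$missing | Format-Table Name, Type, Target -AutoSize
```

Run it on each DC in turn: every DC registers its own set, so a zone that looks complete from one DC can still be missing another DC's SRV and GUID CNAME entries.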
Many entries in _msdcs are regenerated by ntds, sites and services.
The risk with the authoritative restore is you will be rolling back password changes if any that occurred since the backup.
Forward AD domain entries for server records can be added manually.
Pre-restore, at 40%, is the AD functional?
Before doing an authoritative install, you should be certain of what would happen.
You're in a difficult predicament.
If the AD is functional, please wait; all the missing records will come back.
The only thing is you have to create the zone and restart the server.
ASKER
Yes, AD is functional, and recreating the zone and restarting the server or the services helped bring back many of the records. However, I was considering performing an authoritative restore using a one-day-old backup, but I couldn't find good documentation on how to safely execute that procedure in a Windows Server 2016 AD environment (the functional level is still set to Windows Server 2008, but this will change soon).
Oh, make sure to take the rights from the user who ran the third-party tool.
DNS server records should be scavenged by the DNS server's process not an external...
ASKER
I totally get your guys' point on trying to avoid the restore, which is why I posted the question in the first place. I didn't want to do it without thinking it through and weighing all of my options. Now I'm questioning why we are running full backups on our domain controllers :). There is one more thing about this question I would like your insight on. In case there is ever a need to perform an authoritative restore, can you please check my steps on doing so below?
1. Perform a full DC (VM) restore
2. When the DC reboots for the second time, open the boot menu (press F8), select Directory Services Restore Mode (DSRM) and then sign in to the system using DSRM credentials
3. Open a command line and run ntdsutil
4. Use the following commands: activate instance ntds; then authoritative restore; then restore object “distinguishedName” or restore subtree “distinguishedName”
Example: restore subtree “OU=Branch,DC=dc,DC=lab,DC=local”
5. Confirm the authoritative restore and reboot the server upon completion.
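Step 4 takes a distinguished name. For an AD-integrated zone the object to name is the zone's dnsZone object, which sits under one of three MicrosoftDNS containers depending on the zone's replication scope, not under an OU. The script below is an added example (not the asker's steps and not Microsoft's documentation) that lists every zone object with its DN and the number of dnsNode entries beneath it, so the DN can be confirmed and the state of a recreated zone measured before any restore is attempted. It assumes the ActiveDirectory module is available and the account can read the DNS application partitions.

```powershell
# Added example (not from the thread). Assumption: ActiveDirectory module present,
# run as a user allowed to read the DomainDnsZones/ForestDnsZones partitions.
Import-Module ActiveDirectory
$domainDn = (Get-ADDomain).DistinguishedName
$forestDn = (Get-ADDomain -Identity (Get-ADForest).RootDomain).DistinguishedName

# AD-integrated zones live in one of these containers, chosen by replication scope
$searchBases = @(
    "CN=MicrosoftDNS,DC=DomainDnsZones,$domainDn"   # all DNS servers in this domain (default)
    "CN=MicrosoftDNS,DC=ForestDnsZones,$forestDn"   # all DNS servers in the forest (typically _msdcs)
    "CN=MicrosoftDNS,CN=System,$domainDn"           # legacy scope: every DC in the domain
)

function Get-AdIntegratedDnsZone {
    foreach ($base in $searchBases) {
        Get-ADObject -SearchBase $base -LDAPFilter '(objectClass=dnsZone)' `
                     -SearchScope OneLevel -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Each record name in the zone is a dnsNode child; the count shows how much of the zone is present
            $nodes = @(Get-ADObject -SearchBase $_.DistinguishedName -SearchScope OneLevel `
                                    -LDAPFilter '(objectClass=dnsNode)')
            [pscustomobject]@{ Zone = $_.Name; Nodes = $nodes.Count; DN = $_.DistinguishedName }
        }
    }
}

Get-AdIntegratedDnsZone | Format-Table Zone, Nodes, DN -AutoSize
```

A container that returns nothing simply holds no zones at that scope; compare the Nodes count with the same query on another DC to spot replication differences before deciding whether a restore is needed at all.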
Authoritative restore is needed when the AD is corrupted, hijacked. A massive object loss. Which is why in newer versions the addition of a "temp deleted object"..
Restoring a backup of the system state, which is where the AD data is....
In your case, the DNS zone/s that were impacted ..
ASKER
Yes, that makes sense. I just have to review our backup strategy for domain controllers. Do you know the steps on how to perform an Authoritative restore or can help me verify the ones I have outlined before?
ASKER
Yes, I can see the point about only restoring from backups in single-DC environments. In a multi-domain-controller environment using an AD-Integrated configuration, the restore process is much more complex depending on what type of data you are trying to restore. Seems like we just need to back up the DC(s) holding the FSMO roles as part of our disaster recovery strategy. I guess the other ones don't need to be backed up. I guess I can focus my efforts on trying to come up with the best strategy to recover particular AD objects. I know I'll be enabling the AD Recycle Bin feature to help me better deal with unwanted deletions. This is probably why Microsoft added that feature.
ASKER
Thank you all for your help
Are you talking about the DNS entries for _msdcs ..
See if you can add back the forward zone as AD-integrated.