Backup and Restore DNS zones

With DNS, backing up primary and secondary zones independent of the system state is a pretty simple process. You can use the xcopy command to back up all zone text files on a DNS server. This command would back up the contents of the default DNS folder to the "D:\backups\dns" folder:

xcopy %systemroot%\system32\dns d:\backups\dns /y

Unfortunately, the process isn’t as simple for Active Directory-integrated DNS zones. For these zones, the support tool dnscmd.exe can get the job done. To back up any DNS zone with dnscmd.exe, you just need to use the /zoneexport switch with the command. To back up the MCPmag.com zone locally on a DNS server, you'd run:

dnscmd /zoneexport mcpmag.com backup\mcpmag.com.dns.bak

This command writes a copy of the mcpmag.com zone to the %systemroot%\system32\dns\backup\mcpmag.com.dns.bak file. Note that the command doesn't overwrite existing files, so if you’re including it with a backup script, be sure to move the file to an alternate location after the export completes, or to rename or delete the current backup file before you run a new dnscmd /zoneexport job.
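
The overwrite caveat above, handled in a backup script that can run on a schedule. This is an added example, not part of the original article; the zone name and archive folder are reused from the article's examples, and the timestamped file naming and parameter names are assumptions.

```powershell
# Added example: export one DNS zone with dnscmd and archive the result.
# $Zone and $ArchiveDir defaults reuse the article's sample values.
param(
    [string]$Zone = 'mcpmag.com',
    [string]$ArchiveDir = 'D:\backups\dns'
)

$ErrorActionPreference = 'Stop'

# dnscmd resolves the export path relative to the DNS folder,
# so the file lands in %systemroot%\system32\dns\backup
$dnsDir     = Join-Path $env:SystemRoot 'System32\dns'
$exportRel  = "backup\$Zone.dns.bak"
$exportPath = Join-Path $dnsDir $exportRel

# /zoneexport does not overwrite, so clear any leftover from a previous run
if (Test-Path -LiteralPath $exportPath) {
    Remove-Item -LiteralPath $exportPath -Force
}

& dnscmd.exe /zoneexport $Zone $exportRel
if ($LASTEXITCODE -ne 0) {
    throw "dnscmd /zoneexport failed for $Zone (exit code $LASTEXITCODE)"
}

# Get-Item throws if the file is missing; an empty file is also treated as a failure
$export = Get-Item -LiteralPath $exportPath
if ($export.Length -eq 0) {
    throw "Export file $exportPath is empty"
}

# Move the export to the alternate location under a timestamped name,
# which keeps older copies and leaves the export path free for the next job
if (-not (Test-Path -LiteralPath $ArchiveDir)) {
    New-Item -ItemType Directory -Path $ArchiveDir | Out-Null
}
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$target = Join-Path $ArchiveDir "$Zone.$stamp.dns.bak"
Move-Item -LiteralPath $exportPath -Destination $target

Write-Output "Exported $Zone to $target"
```

Run it from an elevated prompt on the DNS server; a non-zero exit from the script signals that the export did not complete and the previous archive copy is still the latest one.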

To re-create a zone from the export file, use dnscmd.exe with the /zoneadd switch. The only catch with this approach is that to recover an AD-integrated zone, you need to add the zone as a primary first and then convert it to AD-integrated. For example, to recover my mcpmag.com zone, I'd run:

dnscmd /zoneadd mcpmag.com /primary /file mcpmag.com.dns.bak /load

Here, note that the backup file needs to reside in the %systemroot%\system32\dns folder for it to be properly discovered. Use the /load switch to tell the command to load the configuration from the existing file. Without it, the command will create a new zone data file that will overwrite the contents of the backup file.

After adding the zone to the DNS server, you can convert it to an AD-integrated zone by running:

dnscmd /zoneresettype mcpmag.com /dsprimary

At this point, you can then enable secure dynamic updates for the zone by running:

dnscmd /config mcpmag.com /allowupdate 2

This command configures the zone to accept only secure dynamic updates, as specified by the allowupdate value of 2 (use 0 to specify No dynamic updates, 1 for nonsecure and secure dynamic updates).
