Strategy for DNS server backup in an AD environment

If you are an Active direc­tory admin, there is no need to men­tion the impor­tance of DNS. A DNS sever is poten­tially the sin­gle point of fail­ure in an AD envi­ron­ment… where an inter­rup­tion of its ser­vice or cor­rup­tion of any DNS records can bring the whole ser­vice down. This demands the need for a proper backup strat­egy for DNS servers.
Most pre­ferred method for tak­ing back up of DNS server is to do a sys­tem state backup. But this can­not be use­ful in many cases as it requires you to restore AD, Reg­istry set­tings, DNS etc. while busi­ness require­ment only needs you to restore the DNS server.
Also there may be cases where the sys­tem state restore cat­a­log may be cor­rupted and you could not restore it. Per­son­ally, I have faced sit­u­a­tions where the clients are com­plain­ing about cor­rupt sys­tem state back­ups where the users are not able to restore the DNS data using it. So it is always best to keep an inde­pen­dent backup of DNS server along with your nor­mal sys­tem state backup.
Before men­tion­ing how these inde­pen­dent back­ups can be taken for DNS servers, it’s worth men­tion­ing about dif­fer­ent AD zones in an AD environment.

• Pri­mary and Sec­ondary zones.
• Active direc­tory inte­grated zone.

Microsoft rec­om­mends using Active direc­tory inte­grated zone in DNS servers on an AD envi­ron­ment.
Now let’s check how inde­pen­dent back­ups can be taken on DNS server.

Pri­mary and sec­ondary zones:

Here the zone infor­ma­tion will be stored in plain text files. The backup and restore process is pretty straight for­ward where you can take a copy of text file con­tain­ing the zone infor­ma­tion using XCOPY.
The below com­mand can be used to backup.

XCOPY %SYSTEMROOT%\system32\dns c:\backup\dns /y

To restore the pri­mary and sec­ondary zone infor­ma­tion, you only need to sim­ply copy the files from the

\backup\DNS folder to the %SYSTEMROOT%\system32\dns folder

Active Direc­tory inte­grated zones:

You may be aware that the zone infor­ma­tion for Active Direc­tory inte­grated zone will be stored in AD data­base rather than as a text file. So the first step in tak­ing the backup is to export the zone infor­ma­tion to a file.
DNSCMD /zoneexport test.com backup\test.com.dns.bak
The backup file will be placed in the %systemroot%\system32\dns\backup folder, and will be named test.com.dns.bak.

You can use the backup file just cre­ated to restore the AD inte­grated zone if needed. How­ever, the restore process is bit more complex.

The restora­tion is a 2 step process.

a. You need to cre­ate a pri­mary zone by using the backup file you have cre­ated ear­lier.
b. Converting the pri­mary zone to AD inte­grated zone.
Before per­form­ing the first step, you need to copy the backup file you had cre­ated to %systemroot%\system32\dns folder from the backup loca­tion. Now, exe­cute the fol­low­ing com­mand.

DNSCMD /zoneadd test.com /primary /file test.com.dns.bak /load

The above com­mand will setup a pri­mary zone in the DNS server using the zone infor­ma­tion in the file test.com.dns.bak
Now, you need to con­vert the pri­mary DNS zone you just cre­ated to an AD inte­grated zone. You can use the fol­low­ing com­mand for that.

DNSCMD /zoneresettype test.com /dsprimary

Done!!

Note: If you want to enable secure dynamic updates, then you must enter the fol­low­ing command:

DNSCMD /config test.com /allowupdate 2

As a gen­eral back up guide­line is always a best prac­tice to test the integrity of the backup files at reg­u­lar inter­vals by doing test restores on any test network.

Blog by Harivishnu

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s