Thursday, November 17, 2011

How to rebuild AD-integrated DNS servers

What if a joker wipes out your AD-integrated DNS zones by accident, and there's no backup? You'll find out soon enough that Active Directory depends heavily on DNS: clients locate domain controllers for authentication, and DCs locate each other for replication, through the SRV records in those zones.

You'll then have to rebuild the DNS zones manually by re-creating two zone files, namely yourdomain.dns and _msdcs.yourdomain.dns. When a zone is not AD-integrated, its file is stored in the DNS server's system dns folder, %SystemRoot%\System32\dns (e.g. C:\Windows\System32\dns).

  1. On all of your AD-integrated DNS servers, change both the forward primary zone and the _msdcs zone to standard primary zones by unchecking the "Store the zone in Active Directory" box; this writes whatever is left of each zone to a file in the system dns folder. Back up both files from that folder, then delete both zones using the DNS manager.
  2. Next, you'll need to know the DNS zone file syntax. Sample files are available in the samples subfolder of the system dns folder. An easier way is to go to a DNS server belonging to another, intact domain: temporarily change both its primary and _msdcs zones to standard primary (not secondary, which would make that domain's zone depend on a master server), and you'll find the two files in its system dns folder for your reference. Copy the files out and remember to change the zones back to AD-integrated. Use them only as a syntax reference; every name, GUID and IP address in them belongs to the other domain.
  3. Re-create both zone files with Notepad or another plain-text editor and store them in the system dns folder. Pay special attention to the SRV records: _ldap._tcp.<domain>, _kerberos._tcp.<domain> and _kpasswd._tcp.<domain> in the domain zone, and _ldap._tcp.dc._msdcs.<domain>, _kerberos._tcp.dc._msdcs.<domain>, _ldap._tcp.pdc._msdcs.<domain> and _ldap._tcp.gc._msdcs.<domain> in the _msdcs zone, plus one <DSA GUID>._msdcs.<domain> CNAME per domain controller. These are what "refer" your clients to the domain controllers for authentication and the DCs to each other for replication. A handy shortcut: each DC keeps the exact list of records it registers, already in zone-file syntax, in %SystemRoot%\System32\config\netlogon.dns, so you can assemble the SRV section from those files instead of typing it. Remember to keep a backup copy of both files.
  4. In the DNS manager, create a new standard primary zone (do not integrate it with AD yet!) under Forward Lookup Zones and name it after your domain. On the "Zone File" page of the wizard, choose "Use this existing file" and point it at the file you created. Repeat the same steps for the _msdcs zone.
  5. Restart the DNS Server and Netlogon services ("net stop dns" then "net start dns", and "net stop netlogon" then "net start netlogon"). Restarting Netlogon also makes the local DC re-register its own SRV records into the new zones.
  6. Test and check all entries: "nslookup -type=SRV _ldap._tcp.dc._msdcs.<domain>" against the rebuilt server, "nltest /dsgetdc:<domain> /force" from a client, and "dcdiag /test:dns" on the DC. Rectify any errors found.
  7. Once you're happy with the DNS settings, integrate both zones into Active Directory by checking the same box you unchecked in step 1. Note that the "Secure only" dynamic update option is available only for AD-integrated zones, so a file-based zone with dynamic updates enabled accepts unauthenticated updates; leave dynamic updates off while the zones are still standard primary.
  8. If you rely on dynamic DNS records, run "ipconfig /registerdns" on each client (and "nltest /dsregdns" on each DC) rather than waiting for the clients' next refresh.
  9. On each subsequent DNS server, check whether the zones have already come back through AD replication. If not, create a new secondary zone for the domain and one for _msdcs, referencing the DNS server you rebuilt first, and make sure the entries replicate correctly. If the transfer fails, check the "Zone Transfers" tab on the first server: allow transfers only to the specific secondary servers (by IP address or to the servers listed in the NS records), never to any server.
  10. Once replication is successful, change both secondary zones to primary zones, integrate them into AD and reboot the DNS server. Skip this conversion on any server where the AD-integrated zones have already appeared on their own; delete the temporary secondaries there instead, so you don't end up with conflicting zone objects in the directory.
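Steps 2 to 4 above can be scripted. The PowerShell below is an added example, not code from the original post: it assembles yourdomain.dns and _msdcs.yourdomain.dns from the netlogon.dns file that every domain controller keeps in %SystemRoot%\System32\config\, writes a SOA and NS records for each zone, and drops the files into the system dns folder ready for the "Use this existing file" wizard. The domain name, DC names and IP addresses are placeholders; the script assumes PowerShell 3 or later, read access to the ADMIN$ share of each DC, and that it runs on the DNS server being rebuilt.

```powershell
# Added example, not from the original post: build yourdomain.dns and
# _msdcs.yourdomain.dns from each DC's %SystemRoot%\System32\config\netlogon.dns.
# Domain, DC names and IPs are placeholders. Assumes PowerShell 3+, read access
# to ADMIN$ on every DC, and that this runs on the DNS server being rebuilt.

$Domain            = 'corp.example.com'              # placeholder
$PrimaryNs         = 'dc1.corp.example.com'          # DNS server that loads the files first
$DomainControllers = @{                              # placeholder FQDN -> IPv4, used for A and NS records
    'dc1.corp.example.com' = '10.0.0.11'
    'dc2.corp.example.com' = '10.0.0.12'
}
$OutDir = Join-Path $env:SystemRoot 'System32\dns'   # where standard primary zone files live

# netlogon.dns is already in RFC 1035 master-file form, one record per line:
#   _ldap._tcp.dc._msdcs.corp.example.com. 600 IN SRV 0 100 389 dc1.corp.example.com.
function Get-NetlogonRecords {
    param([string[]]$DcFqdn)
    foreach ($dc in $DcFqdn) {
        $path = "\\$dc\ADMIN`$\System32\config\netlogon.dns"   # ADMIN$ maps to %SystemRoot%
        foreach ($line in Get-Content -Path $path) {
            if ($line -match '^\s*(;|$)') { continue }          # blank or comment line
            $f = $line -split '\s+', 5                           # owner, TTL, class, type, rdata
            if ($f.Count -lt 5 -or $f[2] -ne 'IN') { continue }
            [pscustomobject]@{ Owner = $f[0]; Type = $f[3]; Line = $line }
        }
    }
}

# Write a standard primary zone file: SOA, one NS per DC, then the records.
function Write-ZoneFile {
    param([string]$Zone, [string[]]$RecordLines, [string]$Path)
    $serial = [uint32]((Get-Date).ToString('yyyyMMdd') + '01')  # date-based SOA serial
    $lines  = @(
        "; Database file $Zone.dns for $Zone zone, rebuilt from netlogon.dns",
        '$ORIGIN ' + $Zone + '.',
        '$TTL 3600',
        "@ IN SOA $PrimaryNs. hostmaster.$Domain. ( $serial 900 600 86400 3600 )"
    )
    foreach ($ns in $DomainControllers.Keys) { $lines += "@ IN NS $ns." }
    $lines += $RecordLines
    Set-Content -Path $Path -Value $lines -Encoding Ascii
    return $Path
}

# Collect every DC's records once (identical lines from several DCs collapse),
# then split them: anything under _msdcs.<domain> goes to the _msdcs zone.
$records = Get-NetlogonRecords -DcFqdn @($DomainControllers.Keys) | Sort-Object -Property Line -Unique
$msdcs   = @($records | Where-Object { $_.Owner -ilike "*_msdcs.$Domain." })
$inZone  = @($records | Where-Object { $_.Owner -inotlike "*_msdcs.$Domain." })

# Host A records for the DCs are registered by the DNS Client service, not by
# Netlogon, so they are absent from netlogon.dns and are added from the table.
$dcHostRecords = @($DomainControllers.GetEnumerator() | ForEach-Object { "$($_.Key). 3600 IN A $($_.Value)" })

$domainFile = Write-ZoneFile -Zone $Domain -Path (Join-Path $OutDir "$Domain.dns") `
    -RecordLines ($dcHostRecords + @($inZone | Select-Object -ExpandProperty Line))
$msdcsFile  = Write-ZoneFile -Zone "_msdcs.$Domain" -Path (Join-Path $OutDir "_msdcs.$Domain.dns") `
    -RecordLines @($msdcs | Select-Object -ExpandProperty Line)

"{0}: {1} records; {2}: {3} records" -f $domainFile, ($inZone.Count + $dcHostRecords.Count), $msdcsFile, $msdcs.Count
```

Load the two files either through the wizard's "Use this existing file" option or from an elevated prompt with "dnscmd /ZoneAdd corp.example.com /Primary /file corp.example.com.dns /load" (and the same for _msdcs.corp.example.com), then carry on from step 5. Netlogon rewrites netlogon.dns each time it registers, so a DC that has been offline for a while may hold a stale copy; compare the generated files against "dcdiag /test:dns" output before integrating the zones into AD.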