Wednesday, January 7, 2009

An alternate strategy for DNS server backup

Since Active Directory is completely dependent on the domain name system (DNS), it is critically important to back up your DNS servers on a regular basis.

Microsoft's preferred method for backing up a DNS server is to perform a system state backup. Although this technique does work, it's an all-or-nothing proposition. This means that if you are having DNS problems and you choose to restore the system state, then you will also end up restoring the Registry, Active Directory database and a number of other components.

Fortunately, it's possible to back up your DNS server independently using two alternate methods. However, you must choose the method that corresponds to the type of zone that you are backing up.

Primary and secondary zones

Backing up primary and secondary zones is simple, because the zone information is stored in a text file. All you have to do is use the XCOPY command to back up the DNS folder. The command looks like this:

XCOPY %SYSTEMROOT%\system32\dns c:\backup\dns /I /Y

This command tells Windows to copy everything found in the \Windows\System32\DNS folder to C:\backup\dns. The /I switch tells XCOPY that the destination is a folder, so it won't stop to ask whether C:\backup\dns is a file or a directory when the folder doesn't exist yet, and the /Y switch tells it to overwrite any existing files without prompting you to confirm.
Restoring the primary and secondary zone information is just as easy. You would simply copy the files from the \backup\DNS folder to the %SYSTEMROOT%\system32\dns folder.

Active Directory integrated zones

Backing up an Active Directory integrated zone is a bit trickier because the zone information is stored in Active Directory rather than in a text file. Fortunately, Microsoft provides a command-line tool called DNSCMD.EXE that can get the job done.

DNSCMD.EXE is a part of the Windows Support Tools. The Windows Support Tools are not installed by default, but you can install them by running the SUPTOOLS.MSI file that's located in the \Support\Tools folder on your Windows Server 2003 installation disk. Once you have installed the Windows Support Tools, open a Command Prompt window and navigate to the \Program Files\Support Tools folder. You can run all of the commands you need from this location.

First, export the zone information to a file you can back up. For example, suppose you were interested in backing up the DNS information for CONTOSO.COM. In such a situation, the export command would look like this:

DNSCMD /zoneexport Contoso.com backup\contoso.com.dns.bak

When you run this command, the /zoneexport switch tells DNSCMD.exe that you want to export zone information for the specified zone (Contoso.com) to a backup file. The backup file will be placed in the %systemroot%\system32\dns\backup folder, and will be named Contoso.com.dns.bak.

The one thing you need to know about the export command is that it will not overwrite any previously existing backup files. Therefore, make sure that no files with the specified name already exist in the backup directory, or the command won't work.
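The export and copy steps above can be combined into one batch file that sidesteps the no-overwrite problem by giving each export a dated file name and checking for failures before copying. This is an added example, not a script from the original article; the zone name, the backup destination and the locale-dependent %DATE%/%TIME% layout are assumptions you should adjust to your own server.

```batch
@echo off
setlocal
REM Added example (not from the original article): export an AD-integrated
REM zone with a dated file name so /zoneexport never hits an existing file,
REM then copy the whole DNS folder, export included, to a backup location.
REM Zone name and destination below are assumed values; adjust to your own.
set ZONE=Contoso.com
set DEST=C:\backup\dns
set DNSDIR=%SYSTEMROOT%\system32\dns

REM Build a YYYYMMDD-HHMM stamp from %DATE% and %TIME%. This assumes the
REM default US format "Wed 01/07/2009" and "08:05:31.20"; change the
REM substring offsets if your locale prints them differently.
set STAMP=%DATE:~10,4%%DATE:~4,2%%DATE:~7,2%-%TIME:~0,2%%TIME:~3,2%
set STAMP=%STAMP: =0%
set EXPORT=backup\%ZONE%.%STAMP%.dns.bak

REM /zoneexport writes relative to %SYSTEMROOT%\system32\dns and refuses to
REM overwrite, so fail loudly if the dated name somehow exists already.
if exist "%DNSDIR%\%EXPORT%" (
    echo ERROR: %DNSDIR%\%EXPORT% already exists; export would fail.
    exit /b 1
)

REM dnscmd returns a non-zero exit code when the export fails.
dnscmd /zoneexport %ZONE% %EXPORT%
if errorlevel 1 (
    echo ERROR: dnscmd /zoneexport failed for %ZONE%.
    exit /b 1
)

REM Copy the zone files and the export together. /E keeps the backup
REM subfolder, /I stops XCOPY asking whether the target is a file or a
REM folder, and /Y suppresses overwrite prompts.
xcopy "%DNSDIR%" "%DEST%" /E /I /Y
if errorlevel 1 (
    echo ERROR: xcopy of %DNSDIR% to %DEST% failed.
    exit /b 1
)

echo Backup of %ZONE% written to %DEST%\%EXPORT%
endlocal
```

Schedule the batch file with the Task Scheduler and the dated names give you a history of exports to choose from when you later run the /zoneadd restore step.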

As you can see, creating a backup isn't very difficult, but restoring the backup is a little bit trickier. That's because you can't just tell the DNSCMD command to restore the file as an Active Directory integrated zone. Instead, you have to tell DNSCMD to create a primary zone based on your backup file. Once you have done that, you can convert the primary zone to an Active Directory integrated zone.

The first thing you need to do is move the backup file that you created from the %systemroot%\system32\dns\backup folder to the %systemroot%\system32\dns folder. This allows DNSCMD to discover the backup file. After doing so, run the following command:

DNSCMD /zoneadd Contoso.com /primary /file Contoso.com.dns.bak /load

In the command above, the /zoneadd switch tells DNSCMD that you want to create a new zone. The /Primary switch indicates that you are creating a primary zone. You then use the /File switch and the name of your backup file to indicate which file you want to create the new zone from.
The /LOAD switch in this command is very important. It tells DNSCMD to load the zone information from the file that was just specified. Had you omitted the /LOAD switch, DNSCMD would have created a new zone file and overwritten the contents of the backup file.

Now that you have created a new primary zone, you need to convert the zone to an Active Directory integrated zone. To do so, just use this command:

DNSCMD /zoneresettype Contoso.com /dsprimary

Once you enter this command, you're all set. However, secure dynamic updates for the zone are not enabled by default. If you want to enable secure dynamic updates, then you must enter the following command:

DNSCMD /config Contoso.com /allowupdate 2
