Network DNS


DNS backups without the baggage

Common FAQs, help, guidance and education about DNS

Making Your DNS Service Fault Tolerant

With DNS, backing up primary and secondary zones independent of the system state is a pretty simple process. You can use the xcopy command to back up all zone text files on a DNS server. This command would back up the contents of the default DNS folder to the "D:\backups\dns" folder:

xcopy %systemroot%\system32\dns d:\backups\dns /y
Unfortunately, the process isn't as simple for Active Directory-integrated DNS zones. For these zones, the support tool dnscmd.exe can get the job done. To back up any DNS zone with dnscmd.exe, you just need to use the /zoneexport switch with the command. To back up the zone locally on a DNS server, you'd run:

dnscmd /zoneexport backup\
This command writes a copy of the zone to the %systemroot%\system32\dns\backup\mcp s.bak file. Note that the command doesn't overwrite existing files, so if you're including it in a backup script, be sure to move the file to an alternate location after the export completes, or to rename or delete the current backup file before you run a new dnscmd /zoneexport job.
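One way to script the export so the no-overwrite behavior never blocks a scheduled run, shown as an added example rather than code from the original article. The zone name example.test, the archive folder and the retention count are assumed placeholders.

```powershell
# Added example (not from the article): export one zone with dnscmd and rotate the copies.
# Assumed values: zone name, archive folder and retention count are placeholders.
param(
    [string]$Zone       = 'example.test',
    [string]$ArchiveDir = 'D:\backups\dns',
    [int]$Keep          = 14
)
$ErrorActionPreference = 'Stop'

$dnsDir     = Join-Path $env:SystemRoot 'System32\dns'
$exportRel  = "backup\$Zone.bak"      # written relative to the DNS folder
$exportFull = Join-Path $dnsDir $exportRel

# Create the export and archive folders if they are missing.
New-Item -ItemType Directory -Force -Path (Split-Path $exportFull), $ArchiveDir | Out-Null

# /zoneexport does not overwrite, so clear any export left over from a failed run.
if (Test-Path $exportFull) { Remove-Item $exportFull -Force }

& dnscmd.exe /zoneexport $Zone $exportRel | Out-Null
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $exportFull)) {
    throw "dnscmd /zoneexport failed for $Zone (exit code $LASTEXITCODE)"
}
if ((Get-Item $exportFull).Length -eq 0) { throw "Export for $Zone is empty" }

# Move the export out of the DNS folder under a timestamped name.
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$dest  = Join-Path $ArchiveDir "$Zone.$stamp.bak"
Move-Item $exportFull $dest

# Store a SHA-256 hash beside the copy so a restore can confirm the file is unchanged.
(Get-FileHash $dest -Algorithm SHA256).Hash | Set-Content "$dest.sha256"

# Keep only the newest $Keep copies of this zone, removing each hash with its backup.
Get-ChildItem $ArchiveDir -Filter "$Zone.*.bak" |
    Where-Object { $_.Extension -eq '.bak' } |
    Sort-Object LastWriteTime -Descending |
    Select-Object -Skip $Keep |
    ForEach-Object {
        Remove-Item $_.FullName, "$($_.FullName).sha256" -Force -ErrorAction SilentlyContinue
    }
```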

If you need to re-create a zone from the export file, you can do this by using dnscmd.exe with the /zoneadd switch. The only catch with this approach is that if you're looking to recover an AD-integrated zone, you need to add the zone as a primary first and then convert it to AD-integrated. For example, to recover my zone, I'd run:

dnscmd /zoneadd /primary /file /load
Here, note that the backup file needs to reside in the %systemroot%\system32\dns folder for it to be properly discovered. Use the /load switch to tell the command to load the configuration from the existing file. Without it, the command will create a new zone data file that will overwrite the contents of the backup file.

After adding the zone to the DNS server, you can convert it to an AD-integrated zone by running:

dnscmd /zoneresettype /dsprimary
At this point, you can then enable secure dynamic updates for the zone by running:

dnscmd /config /allowupdate 2
This command configures the zone to accept only secure dynamic updates, as specified by the allowupdate value of 2 (use 0 to specify no dynamic updates, 1 for nonsecure and secure dynamic updates).

