Master in progress IT blog

Forever learning, turning real-world problems into real IT solutions.

Rescuing Deleted DNS Records: A 5 step Mission to Recover from an AD-Integrated DNS Disaster

Alexander Mora

DNS importance in today’s world

In today’s complex IT environments, DNS (Domain Name System) is the backbone of network communication. It translates human-friendly domain names into machine-readable IP addresses. In environments using Active Directory (AD), DNS is often integrated into the AD database itself. This not only makes DNS more resilient but also tightly couples it with AD’s replication mechanism. However, as with any system, accidents happen, and crucial DNS records can be deleted. Recovering these deleted records, especially in AD-integrated DNS, requires a deep understanding of how DNS data is stored and replicated across domain controllers.

In this blog post, we will explore how to recover deleted DNS records from a system state backup in an AD-integrated DNS environment, ensuring that critical services are quickly restored.

Understanding the Problem: How DNS Records Went Missing

DNS records usually don’t get deleted by magic, this is usually caused by an administrator mistake, Imagine the panic when hundreds of DNS records are deleted, causing widespread authentication failures and application downtime across an entire enterprise. This exact scenario unfolded for one of our customers, and in this post, I’ll walk you through how we helped them recover critical DNS records from their Active Directory Integrated DNS partition.

Since this environment only had domain controllers running Core OS editions (without a graphical interface), we had to rely entirely on command-line tools.

Steps to Recover Deleted DNS Records

  1. Configure DC to Boot in DSRM Mode: We start by configuring the domain controller (DC) to boot in Directory Services Restore Mode (DSRM). This is done using the bcdedit utility. Make sure you remember your DSRM password, otherwise, it is a good idea to reset it before you continue.
PowerShell
bcdedit /set safeboot dsrepair
shutdown /r /t 0

  1. Enumerate Available Backups: After the domain controller boots in DSRM mode, we enumerate the available backups on the server using the wbadmin utility.
PowerShell
wbadmin get versions

This command displays a list of backups, showing details like the backup time and location. Identify the backup that contains the DNS records you want to restore

  1. Restore System State: Once you’ve identified the correct backup version, use the wbadmin utility to restore the system state from that backup.
PowerShell
wbadmin start systemstaterecovery -version:<BackupVersion> -quiet

Replace <BackupVersion> with the Version Identifier you found from the wbadmin get versions command. The -quiet option suppresses prompts for user interaction.

For example, if the Version Identifier is 09/09/2024-01:30, the command would be:

PowerShell
wbadmin start systemstaterecovery -version:09/09/2024-01:30 -quiet

This will restore the system state, including Active Directory and DNS records.

**DO NOT REBOOT THE MACHINE AFTER THE RESTORE FINISHES**

An image of a CMD output asking if the user wants to restart the machine after recovering a backup for DNS restoration

**DO NOT REBOOT THE MACHINE AFTER THE RESTORE FINISHES**

  1. Mark DNS Zone as Authoritative: After the restore is complete, you need to mark the specific DNS zone as authoritative with the ntdsutil tool. This ensures that the restored DNS records are replicated to other domain controllers. Open another CMD as administrator and execute the following commands
PowerShell
ntdsutil
activate instance ntds
authoritative restore
restore subtree "DC=ZoneName,DC=DomainName,DC=com"

The previous command marks the DNS zone and ONLY the DNS zone as authoritative, ensuring that it takes precedence during replication.

  1. Remove DSRM Boot Mode and Reboot: Remove the DSRM boot mode to start normally and reboot:
PowerShell
bcdedit /deletevalue safeboot
shutdown /r /t 0

Preventing Future Issues

By following these steps, we successfully recovered the deleted DNS records and restored normal operations for the customer. To prevent similar disasters in the future, implementing proactive measures is crucial.

  • DNS auditing should be enabled to track any changes made to DNS records.
  • Only administrators with proper access controls should be allowed to modify DNS settings.
  • Regular system state backups should also be automated to ensure that, in case of accidental deletion, recovery is always an option.

In conclusion, while losing DNS records can be a major disruption, understanding how to quickly and efficiently restore them from a system state backup can save both time and stress in critical situations. Has your organization experienced similar DNS-related incidents? What recovery strategies have worked best for you?

References

Alexander Mora Avatar
Alexander Mora

Leave a Reply

Your email address will not be published. Required fields are marked *