How to restore a deleted DNS zone
When an Active Directory-integrated DNS zone is accidentally deleted (or needs to be rolled back to an earlier state), this procedure describes how to perform an authoritative restore that recovers the zone on one Domain Controller and replicates the recovered copy to the other Domain Controllers in your AD infrastructure.
Prerequisites
Ensure you have a recent, trustworthy backup of the Domain Controller(s) that hosted the DNS zone.
Ensure you have the permissions needed to perform restores (Domain Admins, or Enterprise Admins for zones stored in the ForestDnsZones partition). For more information, see software requirements.
Restore a deleted DNS zone
To restore a deleted DNS zone:
- Identify which DNS zone was deleted (for example: corp.example.com) to confirm the deletion and scope.
- Determine whether the zone was AD-integrated, that is, stored as a dnsZone object in Active Directory: under CN=MicrosoftDNS in the DomainDnsZones or ForestDnsZones application partition or, for zones created before application partitions existed, under CN=MicrosoftDNS,CN=System in the domain partition. Only an AD-integrated zone can be recovered with this procedure; a file-backed primary zone must be restored from a backup of its zone file instead.
- Identify which DC(s) hosted the zone and where the backup is located.
- Choose a DC to restore from backup. Ideally, this is the DC that hosted the deleted zone and has a good backup.
- Isolate the DC if necessary, so that bad state is not replicated to or from it while you work. In full AD forest-recovery scenarios you might use disconnected network mode.
- Navigate to Cayosoft Guardian > Forest Recovery > Recovery Plans > Add AD DC recovery plan. Then, on the Domain Controllers tab, select the DC and choose the backup.
- In the recovery plan, select the Authoritative restore option: for example, Restore the whole domain from backup (authoritative restore) or Restore the specified container and all children from backup (authoritative restore). If you are restoring only a specific container or subtree (for example, just the DNS zone object and its records), use the Specified container option and supply the distinguished name (DN) of the zone subtree, such as DC=corp.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=corp,DC=example,DC=com.
- Set the Authoritative Restore Version increment if required. The version number of every restored attribute is raised by this amount, so that the restored objects are treated as the latest version during replication and win over the deletion on the other DCs (the Windows default used by ntdsutil is 100000).
- Run the recovery plan (or start the restore process) on the selected DC. In Cayosoft Guardian, navigate to Forest Recovery > Recovery Plans > select plan > Run.
- Monitor execution progress and check execution history for errors or warnings.
- Once the restore is complete, the selected DC will have the DNS zone (and child objects, if subtree restore) marked as authoritative.
- Ensure the DNS Server service is running and the DNS zone appears in DNS Manager on that DC.
- If required, restart the DNS Server service to force it to reload the restored zone from Active Directory.
- Confirm that replication to the other DCs starts: because the restore is authoritative, this DC's copy of the zone replicates out to its peers and replaces the deletion there.
- On the restored DC and on the other DCs, verify that the DNS zone appears and contains the expected records. Records created after the backup was taken are not recovered: dynamically registered records will re-register on their own, but static records must be re-created by hand.
- Use repadmin /replsum, repadmin /showobjmeta, dcdiag /v, or similar tools to validate AD replication and DNS health.
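The following PowerShell script is an added example, not part of the Cayosoft documentation, that covers the identification step before the restore and the verification steps after it. It assumes the zone corp.example.com in the DomainDnsZones partition and a restored DC named dc01.corp.example.com; change $Zone and $Dc to match your environment. Run it from an elevated session on a DC or on a management host with the ActiveDirectory and DnsServer modules installed.

```powershell
# Added example (not from the Cayosoft article). Assumed values: adjust for your forest.
Import-Module ActiveDirectory
Import-Module DnsServer

$Zone     = 'corp.example.com'          # assumed: name of the deleted zone
$Dc       = 'dc01.corp.example.com'     # assumed: the DC you restored from backup
$DomainDn = (Get-ADDomain).DistinguishedName              # e.g. DC=corp,DC=example,DC=com
$ForestDn = (Get-ADRootDSE).rootDomainNamingContext       # forest root domain DN

# --- Before the restore: find the deleted dnsZone object and the DN to restore ---
# Deleted zones are kept as deleted objects in their partition until the tombstone
# lifetime expires; lastKnownParent tells you which container the zone lived in.
$searchBases = @(
    "DC=DomainDnsZones,$DomainDn",
    "DC=ForestDnsZones,$ForestDn",
    "CN=MicrosoftDNS,CN=System,$DomainDn"   # legacy location for pre-2003 zones
)
foreach ($base in $searchBases) {
    Get-ADObject -SearchBase $base -IncludeDeletedObjects `
        -Filter { objectClass -eq "dnsZone" -and isDeleted -eq $true } `
        -Properties lastKnownParent, whenChanged -ErrorAction SilentlyContinue |
        ForEach-Object {
            # The DN to enter as the "specified container" in the recovery plan:
            $originalName = ($_.Name -split "`n")[0]      # strip the DEL:<guid> suffix
            [pscustomobject]@{
                DeletedZone = $originalName
                DeletedAt   = $_.whenChanged
                RestoreDn   = "DC=$originalName,$($_.lastKnownParent)"
            }
        }
}

# --- After the restore: verify on the restored DC ---
# Force the DNS Server service to reload zones from AD if the zone is not visible yet.
Invoke-Command -ComputerName $Dc -ScriptBlock { Restart-Service -Name DNS }

# The zone is loaded and still AD-integrated with the expected replication scope.
Get-DnsServerZone -Name $Zone -ComputerName $Dc |
    Select-Object ZoneName, IsDsIntegrated, ReplicationScope, DynamicUpdate

# The dnsZone object exists again (not deleted) with a recent change stamp.
$zoneDn = "DC=$Zone,CN=MicrosoftDNS,DC=DomainDnsZones,$DomainDn"
Get-ADObject -Identity $zoneDn -Server $Dc -Properties isDeleted, uSNChanged, whenChanged

# The restored attribute versions carry the authoritative increment, so they win on replication.
repadmin /showobjmeta $Dc $zoneDn

# --- Verify convergence across all DCs: record counts should become equal ---
foreach ($peer in (Get-ADDomainController -Filter *).HostName) {
    $records = Get-DnsServerResourceRecord -ZoneName $Zone -ComputerName $peer `
                   -ErrorAction SilentlyContinue
    '{0,-35} {1,6} records' -f $peer, ($records | Measure-Object).Count
}

# Spot-check a record that must exist, for example the domain's LDAP SRV record.
Resolve-DnsName -Name "_ldap._tcp.$Zone" -Type SRV -Server $Dc

# Overall replication and DNS health.
repadmin /replsum
dcdiag /test:DNS /v
```

A peer that still shows zero records some minutes after the restore usually means the authoritative copy has not replicated to it yet; check repadmin /replsum for errors on that DC before assuming the restore failed. Records whose count never catches up on the restored DC are the ones created after the backup date and must be re-created.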