How to export AD-integrated zones to file
By SuperUser Account on Sunday, November 25, 2007 6:08 PM
When making changes to your DNS zones, taking a file copy of your AD-integrated zones can be a useful thing to do. It not only provides a human-readable document of the state of the zone at the time of the change, but can also be used to recover a damaged or corrupt zone. This article describes how to back up the zone using the dnscmd.exe command line utility and provides some guidance on how the file might be used in a recovery scenario.
DNS zone file information is stored by default in the %systemroot%\system32\dns folder. When the DNS Server service starts it loads zones from these files. This behavior is limited to any primary and secondary zones that are not AD integrated. The files will be named as <ZoneFQDN>.dns. When changes are made to the zone information, a backup of the zone file is placed in the %systemroot%\system32\dns\backup folder. Only one backup file is maintained – in other words, the backup will be overwritten by a new file when further changes are made to the zone.
Because AD-integrated zones are stored in the directory they do not have corresponding zone files. This makes sense because the zones are stored in, and loaded from, the directory.
When making changes to the DNS infrastructure, it is a good idea to take a backup of the AD-integrated zone information. This not only provides a handy, human-readable document of the status of the zone before the change, but can also provide a recovery mechanism if the change causes unforeseen problems.
Dnscmd.exe can be used to export the zone to a file. The syntax of the command is:
DnsCmd <ServerName> /ZoneExport <ZoneName> <ZoneExportFile>
<ZoneName> -- FQDN of the zone to export (or /Cache to export the cache)
As an example, let's say we have a zone named north.com. The command to export the zone would be:
DnsCmd NorthDC1 /ZoneExport north.com north.com.bak
The output from the command should look like this:
C:\>dnscmd /zoneexport north.com north.com.bak
DNS Server . exported zone north.com to file C:\WINDOWS\system32\dns\north.com.bak
Command completed successfully.
Note that the file will always be created in %systemroot%\system32\dns unless otherwise specified.
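The export step above, wrapped in a PowerShell script as an added example (this is not code from the original article). It exports each listed zone with a date-stamped file name, checks that the file really landed in %systemroot%\system32\dns and contains an SOA record, and copies it out of the DNS folder. The zone names and the destination folder are constructed placeholders; dnscmd.exe is assumed to be on the PATH and the script is assumed to run on the DNS server itself, because the export file is written on the server the command targets.

```powershell
# Added example, not from the original article. Exports AD-integrated zones with
# dnscmd.exe and verifies each export before copying it to a backup location.
# Assumptions: run locally on the DNS server (server name "." as in the article's
# output); $Zones and $DestDir are constructed placeholder values.
param(
    [string]   $Server  = '.',
    [string[]] $Zones   = @('north.com', 'south.north.com'),
    [string]   $DestDir = 'D:\DnsBackups'
)

$dnsDir = Join-Path $env:SystemRoot 'system32\dns'
$stamp  = Get-Date -Format 'yyyyMMdd-HHmm'
New-Item -ItemType Directory -Path $DestDir -Force | Out-Null

foreach ($zone in $Zones) {
    # dnscmd writes the export relative to %systemroot%\system32\dns,
    # so pass a bare file name and look for it there afterwards.
    $exportName = "$zone.$stamp.bak"
    $output = & dnscmd $Server /ZoneExport $zone $exportName 2>&1
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Export of $zone failed:`n$output"
        continue
    }

    $exportPath = Join-Path $dnsDir $exportName
    if (-not (Test-Path $exportPath)) {
        Write-Warning "dnscmd reported success but $exportPath is missing"
        continue
    }

    # A usable zone file carries an SOA record; an empty or truncated export
    # would silently defeat the recovery procedure described in this article.
    if (-not (Select-String -Path $exportPath -Pattern '\bSOA\b' -Quiet)) {
        Write-Warning "$exportPath contains no SOA record; treat it as unusable"
        continue
    }

    # Keep the copy outside the DNS folder so it is not mistaken for a live
    # zone file (those use the .dns extension) and survives a server rebuild.
    Copy-Item -Path $exportPath -Destination $DestDir
    Write-Output "Exported $zone -> $(Join-Path $DestDir $exportName)"
}
```

Run it from a scheduled task before planned zone changes so that a dated, human-readable copy of every AD-integrated zone exists before the change is made.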
To recover a damaged AD-integrated zone using the zone backup file, follow the procedure described below. Note that this is a fairly drastic step with potentially high impact for replication, systems and users, so it should only be considered as a last resort. Ensure that you have tested the procedure and are familiar with it before attempting it in your production environment.
1. Delete the zone. If using the dnsmgmt.msc snap-in you will receive a warning that the zone will be removed from AD and from all DNS servers that load the zone from AD.
2. Rename your zone backup file to have a .dns extension, e.g.
ren %systemroot%\system32\dns\north.com.bak north.com.dns
(ren does not accept a path in the new name, so the destination is given as a bare file name.)
3. Create a new zone with the same FQDN as the zone you deleted in Step 1. If using the new zone wizard, ensure you uncheck the box next to Store the zone in Active Directory (available only if DNS server is a domain controller).
4. When prompted to create a new zone file or to use an existing file, choose the option to use an existing file. The wizard should automatically fill in the zone FQDN with the .dns extension. This should correspond to the renamed zone file from Step 2.
5. Complete the wizard.
6. Check that the zone information is as you would expect (i.e. it contains all the information from the backup).
7. Change the zone type to AD-integrated.
An alternative (but potentially more time-intensive) method of recovering a damaged AD-integrated zone would be to perform an authoritative restore from a backup.
For more information on Windows 2003 DNS, I would recommend the O'Reilly book:
http://www.oreilly.com/catalog/dnswinsvr/
Alexei
29th July 2006