How to restore deleted Active Directory DNS zones
Last updated on:On this page
Active Directory (AD) uses DNS to translate domain names into IP addresses and locate domain controllers (DCs). This is organized through a hierarchical DNS namespace, which is partitioned into manageable units called DNS zones. These zones are categorized as either Forward Lookup Zones or Reverse Lookup Zones and contain the resource records necessary for network communication.
In an AD-integrated zone, DNS data is stored as objects within AD partitions and replicated across all DCs using multi-master replication. When an AD-integrated zone is deleted, it is moved to the Deleted Objects container and retained for the Deleted Object Lifetime (typically 180 days). If the AD Recycle Bin is enabled, the deleted DNS zone can be fully restored, including all child records. Otherwise, it becomes a tombstone, loses most attributes, and is removed after the Tombstone Lifetime. Due to multi-master replication, deletions quickly spread across DCs, making reliable recovery essential.
This article explains how to restore deleted AD DNS zones using the Active Directory Administrative Center (ADAC) and PowerShell, as well as with RecoveryManager Plus, the comprehensive AD backup and recovery tool.
- ADAC
- PowerShell
- RecoveryManager Plus
Method 1: Restore deleted AD DNS zones using ADAC
ADAC provides a graphical interface for restoring a deleted AD-integrated DNS zone. Administrators can use this method if the Recycle Bin was enabled before the deletion.
Prerequisites
- The Recycle Bin must have been enabled prior to the deletion.
- You must be a member of the Domain Admins group or have delegated permissions to access the Deleted Objects container in the specific Application Partition.
- If running ADAC on a client machine, Remote Server Administration Tools (RSAT) must be installed. To install RSAT on Windows 10 or Windows 11, use the following script:
Ensure the module is loaded using the following script:
Add-WindowsCapability -Online -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0Import-Module ActiveDirectory
- This method applies to AD domains with a forest and domain functional level of Windows Server 2008 R2 or higher.
- Only AD-integrated DNS zones can be restored using ADAC.
- Restoring a DNS zone using ADAC restores the zone object, but you may need to reload the DNS zone or refresh the DNS Manager console for the records to populate.
Steps
- Launch ADAC.
- On the left pane, select the appropriate Partition (e.g., DomainDnsZones) and locate the Deleted Objects container.
Note: If the zone is stored in an application partition, such as ForestDnsZones or DomainDnsZones, it may not appear in the default ADAC view. Select Add Navigation Nodes and manually select the naming context of the application partition.
- Browse the list or use the search bar to locate the deleted DNS zone object, usually found under the MicrosoftDNS container path with the prefix Deleted.
- Click Restore to return the DNS zone to its original OU, or click Restore To to specify a new location.
- Open the DNS Manager console (dnsmgmt.msc) on the DNS server, right-click your server, and select Reload, or run the following in a command prompt: dnscmd /zonereload <ZoneName>
Limitations
- This requires the AD Recycle Bin to be enabled before deletion.
- You cannot restore objects after the Tombstone Lifetime expires.
- There is no preview of DNS records within the zone before restoration.
- Finding an object can be difficult if the administrator does not know which Application Partition the zone originally resided in.
- You may need to manually reload the DNS zone or refresh the DNS Manager console for the zone to appear again.
Method 2: Restore deleted AD DNS zones using PowerShell
You can use PowerShell to restore deleted AD integrated DNS zones directly from the Deleted Objects container.
Prerequisites
- You must run PowerShell as an administrator with Domain Admin or delegated permissions.
- The AD PowerShell module must be installed. To install it on Windows 10 or Windows 11, run the following script:
Ensure the module is loaded using the following script:
Add-WindowsCapability -Online -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0
Import-Module ActiveDirectory
- Verify the Recycle Bin is enabled using the following script:
Get-ADOptionalFeature -Filter 'name -like "Recycle Bin Feature"' | Select-Object Name, EnabledScopes
Note: If the EnabledScopes property is empty, the AD Recycle Bin is not enabled. If it's not enabled, deleted objects cannot be restored using this method and must be recovered using the tombstone reanimation or authoritative restore approaches.
When the Recycle Bin is enabled
If the Recycle Bin is active, the zone and all its child DNS records (A, MX, CNAME, etc.) can be restored with all attributes intact.
Note: DNS zones are stored in application partitions such as DomainDNSZones or ForestDNSZones, depending on how the zone was created. In this document, scripts use DomainDNSZones as the -SearchBase. If your zone resides in the forest-wide partition, replace it with ForestDNSZones. Using an incorrect partition may prevent Get-ADObject from locating the zone.
Restore a specific DNS zone by its name
If you know the name of the deleted DNS zone, run the following script:
Get-ADObject -SearchBase "CN=Deleted Objects,DC=DomainDNSZones,DC=zylker,DC=com" -Filter 'Name -like "ZoneName*" -and isDeleted -eq $true' -IncludeDeletedObjects | Restore-ADObject
Restore a DNS zone using the GUID
If multiple zones share a similar name, using the ObjectGUID is the safest way to ensure you are restoring the correct record:
Get-ADObject -SearchBase "CN=Deleted Objects,DC=DomainDNSZones,DC=zylker,DC=com" -Filter 'ObjectGUID -eq "12345678-1234-1234-1234-1234567890ab"' -IncludeDeletedObjects | Restore-ADObject
Restore DNS zones in bulk
Run the following script to restore in bulk:
Get-ADObject -SearchBase "CN=Deleted Objects,DC=DomainDNSZones,DC=zylker,DC=com" -Filter 'isDeleted -eq $true -and ObjectClass -eq "dnsZone"' -IncludeDeletedObjects | Restore-ADObject
When the Recycle Bin is not enabled
When the Recycle Bin is not enabled, deleted objects become tombstones and lose most of their metadata and child objects. Based on Microsoft recommendations, the preferred recovery method in AD is the authoritative restore, which uses system state backups to recover objects and ensure they replicate correctly across DCs.
Reanimation restores only the DNS zone object without its child records, often resulting in an incomplete or empty zone. Therefore, it should be used only when the authoritative restore method is not feasible.
For partial recovery of the DNS zone via reanimation, use the following PowerShell command:
Get-ADObject -SearchBase "CN=Deleted Objects,DC=DomainDNSZones,DC=zylker,DC=com" -Filter 'Name -like "*ZoneName*"' -IncludeDeletedObjects | Restore-ADObject
Note: The reanimation often results in orphaned zones that lack critical attributes. You may need to recreate DNS records manually.
Supported parameters
| Parameter | Description |
|---|---|
| -Filter | Specifies a query string to identify the specific object to retrieve |
| -IncludeDeletedObjects | Searches the Deleted Objects container, which is hidden by default |
| -SearchBase | Specifies the Distinguished Name of the container to search within |
| -eq | A logical operator standing for "equal to" |
| -like | Used for pattern-based searches |
| ObjectGUID | The unique, never-changing 128-bit identifier assigned to an AD object |
| isDeleted | A Boolean attribute that marks whether an object has been moved to the Deleted Objects container |
Limitations
- This requires scripting knowledge.
- Objects cannot be restored unless their parent container is also restored or exists.
- There is a risk of restoring incorrect objects due to filter errors or typos.
- Bulk restore operations can lead to performance lags.
- Tombstone reanimation results in significant data loss.
Method 3: Restore deleted AD DNS zones using RecoveryManager Plus
Restoring deleted AD DNS objects using native tools like ADAC or PowerShell can be complex and time-consuming. They lack automation, require deep expertise, and cannot guarantee complete recovery of DNS configurations.
ManageEngine RecoveryManager Plus is a comprehensive AD backup and recovery solution designed to eliminate these complexities. It provides an easy-to-use, web-based interface where administrators can view, compare, and recover deleted AD objects from a dedicated Recycle Bin, ensuring that even if the native Recycle Bin fails or the Tombstone Lifetime expires, your data remains recoverable.
- Navigate to Active Directory > Active Directory Objects > Quick Recovery > Deleted Objects.
- Use the search bar to filter by Object Type, select DNS Zone, and click Save.
- Click Restore to recover it.
Manage your AD recovery effectively
RecoveryManager Plus simplifies AD recovery by providing a centralized, web-based interface to backup and restore deleted AD DNS zones and child objects quickly and reliably. With built-in backup, granular restoration, and rollback capabilities, administrators can recover AD DNS zones and nodes in just a few clicks without relying on complex scripts or native tool limitations.
Domain controller backups:
Back up DCs and restore them instantly in the event of a disaster.
Automated backups:
Eliminate manual effort with scheduled backups that capture every change in your AD environment.
Granular restoration:
Restore the entire domain, specific objects, or only the modified attributes.
Change tracking:
Monitor changes made to AD objects and undo them instantly from a single dashboard.
Rollbacks:
Roll back user objects to any previous backed-up version, ensuring all attributes are intact.
Best practices for AD DNS recovery
Follow these best practices to strengthen your AD recovery strategy and ensure deleted objects can be restored efficiently when needed.
Perform regular backups:
Schedule frequent AD backups based on your organization's recovery point objective to ensure objects can be restored to their latest versions when required.
Implement the 3-2-1 backup rule:
Maintain three backup copies, store them on two different storage types, and keep one copy off-site or isolated.
Implement least privilege access:
Ensure that only a limited number of administrators have the permissions required to delete objects.
Monitor critical OUs:
Enable Protect object from accidental deletion on all critical OUs to prevent unintended administrative actions.
Perform testing regularly:
Periodically test your backup and recovery processes to ensure they work as expected.
Frequently asked questions (FAQ)
Standard primary zones store data in text-based .dns files on a single server, while AD-integrated zones store DNS data as objects within the AD database. This integration enables multi-master replication, ensuring that DNS data is automatically copied to all domain controllers and remains available even if one server fails.
Native tools like ADAC and PowerShell typically restore the entire DNS zone object. Granular recovery of individual records is not supported unless you manually recreate them or use a backup solution that allows record-level restoration.
