
We currently use Windows Server 2012 R2 as our DNS Server. I would like to put all zone files under version control. I found this question that shows how to export the zones via PowerShell. But it doesn't seem to export it in a way that I could re-import it later.

I also read about the DnsCmd command but it is deprecated.

So: How do I export the zones stored in Active Directory into text files, such that I can put them into git/version control, and (important), that I can later re-import an older version if necessary?

Wilbert
  • To me that seems like the wrong approach if your zone data is stored in Active Directory... Take a look at the many products designed to backup and secure your whole AD domain and benefit from those also with your DNS management ... – HBruijn Oct 23 '16 at 08:41
  • @HBruijn: I must agree with you on this. Saving the records for historical/auditing purposes is ok, but as a recovery solution could be problematic/tricky. AD DNS seems easy and simple until it isn't, then you could be in a jam. It isn't straightforward to just restore all the zone from a file with only the minimal record information. – Greg Askew Oct 25 '16 at 23:45

2 Answers


One of the issues you're going to have here is that an Active Directory zone is much more than just a normal zone file like you might expect with BIND. I mean, yes, it is a normal zone, but it also has integrated permissions which can't readily be backed up in a plain-text format.

(I assume you're after something in plain text due to the mention of git, and I'm guessing you want to diff the AD zone at different times)

But if you're dead set on doing this, the way to export your zone file is using Export-DnsServerZone

Export-DnsServerZone -Name ad.example.com -FileName ad.example.com.zone

Now, the documentation says you can specify a file path for -FileName, but in my testing I actually wasn't able to do this. So that means this file is going to end up in %WinDir%\System32\dns. You'll want to grab it from there and move it to your git repo and commit it.

Getting the zone file back in when you want to restore it, however, isn't quite the same. There does not seem to be a nice PowerShell wrapper for this (probably because it's not something Microsoft want you doing with an integrated AD zone):

dnscmd /ZoneAdd ad.example.com /Primary /File ad.example.com.zone /load

Note that in doing this restore, you'll lose all permissions in the zone - but you will have your raw data, and you will be able to diff it in git.

Mark Henderson
  • Another way would be an ldifde export of the DNS partition: `DC=ad.company.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=AD,DC=company,DC=com`. That way they could specify the list of attributes, including the ntSecurityDescriptor. – Greg Askew Oct 25 '16 at 13:08
  • @GregAskew that probably deserves writing up into its own answer. I wasn't aware of that method. – Mark Henderson Oct 25 '16 at 13:09
  • I could, but I'm ambivalent about encouraging this question's approach to restoration. Historical/statistics, no problem. My intent is to emphasize your point about the security. A mass restore of records without the security could be a disaster, and DNS jackpots is one of the more common reasons customers engage Microsoft for an AD CritSit. – Greg Askew Oct 25 '16 at 23:12
  • What would you suggest instead? Coming from a *nix background, text export + git seemed the obvious option. Maybe I am asking the wrong question... – Wilbert Oct 31 '16 at 07:39
  • @Wilbert check out this question here: http://serverfault.com/questions/221627/best-way-to-backup-active-directory-with-a-single-domain-controller - although DNS is not explicitly mentioned, it will get you to the same place. Or this question: http://serverfault.com/questions/769096/best-practices-for-ad-ds-backup-and-recovery – Mark Henderson Nov 01 '16 at 12:18
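As an added example (not part of the accepted answer or of any Microsoft tooling), the script below strings together the two approaches discussed in this answer and its comments: `Export-DnsServerZone` for a diffable text copy of each AD-integrated primary zone, plus an `ldifde` dump of the same zone's `dnsNode` objects that carries `ntSecurityDescriptor`, which the text zone file cannot. It assumes it runs in an elevated PowerShell on the DNS server itself with the DnsServer module available, that `git.exe` is on the PATH, and that `$RepoPath` (a placeholder) is an already-initialised git working copy. `Get-DnsPartitionDn` is a helper written for this example; the container DNs it builds follow the layout quoted in Greg Askew's comment.

```powershell
# Added example: snapshot AD-integrated DNS zones into a git repository.
# Assumptions: elevated PowerShell on the DNS server, DnsServer module present,
# git on PATH, $RepoPath already initialised. $RepoPath is a placeholder.
param(
    [string]$RepoPath = 'C:\dns-backup'
)

# Export-DnsServerZone writes here regardless of the -FileName value (see answer above).
$dnsDir = Join-Path $env:WinDir 'System32\dns'

# Naming contexts read from RootDSE, so the ActiveDirectory module is not required.
$rootDse  = [ADSI]'LDAP://RootDSE'
$domainDn = $rootDse.defaultNamingContext.Value
$forestDn = $rootDse.rootDomainNamingContext.Value

function Get-DnsPartitionDn {
    # Map a zone's replication scope to the AD container holding its dnsNode objects.
    # Returns $null for custom application partitions, which this example does not handle.
    param([string]$ZoneName, [string]$Scope)
    switch ($Scope) {
        'Forest' { "DC=$ZoneName,CN=MicrosoftDNS,DC=ForestDnsZones,$forestDn" }
        'Domain' { "DC=$ZoneName,CN=MicrosoftDNS,DC=DomainDnsZones,$domainDn" }
        'Legacy' { "DC=$ZoneName,CN=MicrosoftDNS,CN=System,$domainDn" }   # pre-2003 storage
        default  { $null }
    }
}

$zones = Get-DnsServerZone |
    Where-Object { $_.IsDsIntegrated -and $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated }

foreach ($zone in $zones) {
    $name     = $zone.ZoneName
    $zoneFile = "$name.zone"

    # Export-DnsServerZone errors if the target file already exists, so clear the old copy.
    Remove-Item -Path (Join-Path $dnsDir $zoneFile) -ErrorAction SilentlyContinue
    Export-DnsServerZone -Name $name -FileName $zoneFile
    Copy-Item -Path (Join-Path $dnsDir $zoneFile) -Destination $RepoPath -Force

    # LDIF export of the zone's records together with their security descriptors.
    $dn = Get-DnsPartitionDn -ZoneName $name -Scope $zone.ReplicationScope
    if (-not $dn) {
        Write-Warning "Skipping LDIF export for $name (replication scope $($zone.ReplicationScope))"
        continue
    }
    $ldf = Join-Path $RepoPath "$name.ldf"
    & ldifde.exe -f $ldf -d $dn -p subtree -r '(objectClass=dnsNode)' `
        -l 'name,dnsRecord,ntSecurityDescriptor' | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "ldifde failed for $name (exit code $LASTEXITCODE)" }
}

# Commit only when something changed, so the history records real zone edits.
git -C $RepoPath add --all
if (git -C $RepoPath status --porcelain) {
    git -C $RepoPath commit --quiet -m ("DNS zone export " + (Get-Date -Format 'yyyy-MM-dd HH:mm'))
}
```

The `.zone` files are what you diff in git; the `.ldf` files are the copy that still knows who was allowed to update each record, which matters because dynamic-update ACLs are exactly what a `dnscmd /ZoneAdd ... /load` restore from the text file discards. Note that `dnsRecord` is binary and ldifde writes it base64-encoded, so the LDIF is good for auditing and `ldifde -i` style recovery of individual objects, not for human-readable diffs.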

Are you using an Active Directory integrated zone? It's not elegant, but you could add a secondary DNS server for your zone and then you would have access to a ZONE txt file.

Michael Brown
  • I don't understand. How would a second DNS give me a ZONE text file? – Wilbert Oct 19 '16 at 12:13
  • If you create a secondary DNS Zone it will have a complete ZONE file that you can just copy. As I said, it's not an elegant solution but it would work. You would find the zone file in c:\windows\system32\dns – Michael Brown Oct 20 '16 at 10:18
  • We do have 2 domain controllers that are also the DNS servers. The second one also doesn't have a dns ZONE file. And how would I re-import this in the case of a config error? – Wilbert Oct 21 '16 at 12:42