Export DNS zones to a text file

Windows DNS servers are the lifeblood of a healthy network; here is a one-liner that can give you a stronger audit trail and be more attractive than a full restore of your DNS server.

Many of the more powerful network commands in Windows Server can be done with the command line. Netsh is one that I have covered a bit, and dnscmd is another that can give administrators a lot of functionality in protecting their DNS zones.

Before the naysayers light up the comments below, I must mention that I'm not suggesting this as a replacement for a backup of your Windows-integrated DNS servers. I'm proposing an export of the DNS zones (ideally as a scheduled task) to a flat file, so that you can see what the zones contained at a point in time. This helps you work out what was changed, added, or deleted when looking into oddities that come up while administering a Windows Active Directory-integrated DNS server.

To get started with dnscmd, note that the command may need to be installed on your server, depending on its current configuration. It is most frequently installed with the server support tools pack for the server version you are using. Default installations put the command in the C:\Program Files\Support Tools path. In my example, I will put the DNS zone exports in the C:\zonex folder locally on the DNS server. To export a DNS zone to a text file, run the following commands:

dnscmd /ZoneExport RWVDEV.INTRA rwvdev-dot-intra.txt

move c:\windows\system32\dns\rwvdev-dot-intra.txt c:\zonex /Y

This exports the zone RWVDEV.INTRA from the server to the file rwvdev-dot-intra.txt, which dnscmd writes to the c:\windows\system32\dns folder. The next line moves it to the zonex path, where I would like to keep these for archival and review.

With a few tweaks for your environment, you can be ready to go quite quickly with this script. This can make DNS forensics easier, and it may be more attractive than a restore if you can tell what changed by reviewing the export.
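
As an added example (not part of the original article), the PowerShell script below runs the same export as a scheduled task would, keeps each export under a timestamped name in C:\zonex, and records which lines were added or removed since the previous export. The file-naming scheme, the Get-ZoneRecords helper and the .diff output file are assumptions made for illustration.

```powershell
# Added example. Zone name, C:\zonex and the dns folder come from the article;
# the timestamped file name, Get-ZoneRecords and the .diff file are assumptions.
$Zone    = 'RWVDEV.INTRA'
$Archive = 'C:\zonex'
$DnsDir  = Join-Path $env:SystemRoot 'System32\dns'    # dnscmd writes exports here
$Prefix  = $Zone.ToLower() -replace '\.', '-dot-'      # rwvdev-dot-intra
$File    = '{0}-{1}.txt' -f $Prefix, (Get-Date -Format 'yyyyMMdd-HHmmss')

# Normalize an export into "owner record" lines so two exports can be compared.
function Get-ZoneRecords([string]$Path) {
    $owner = ''
    foreach ($line in Get-Content -LiteralPath $Path) {
        if ($line -match '^\s*(;|$)') { continue }      # comment or blank line
        if ($line -match '^\S') {                       # line begins with an owner name
            $owner, $rest = $line -split '\s+', 2
        } else {                                        # indented: same owner as above
            $rest = $line
        }
        # Collapse runs of whitespace so column alignment never shows up as a change.
        (('{0} {1}' -f $owner, $rest) -replace '\s+', ' ').Trim()
    }
}

# Newest earlier export of this zone, looked up before the new file arrives.
$prev = Get-ChildItem -Path $Archive -Filter "${Prefix}-*.txt" |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1

# A unique file name matters: the export fails if the target file already exists.
& dnscmd /ZoneExport $Zone $File
$exported = Join-Path $DnsDir $File
if (-not (Test-Path -LiteralPath $exported)) { throw "Export of $Zone did not produce $exported" }
Move-Item -LiteralPath $exported -Destination $Archive
$new = Join-Path $Archive $File

if ($prev) {
    # '=>' means the line exists only in the new export, '<=' only in the previous one.
    Compare-Object @(Get-ZoneRecords $prev.FullName) @(Get-ZoneRecords $new) |
        ForEach-Object {
            $tag = if ($_.SideIndicator -eq '=>') { 'ADDED' } else { 'REMOVED' }
            '{0,-8}{1}' -f $tag, $_.InputObject
        } | Set-Content -LiteralPath "$new.diff"
}
```

A modified record appears as one REMOVED line and one ADDED line, and the SOA serial line differs whenever the zone has changed between exports.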

What tricks do you do to protect and record your DNS entries? Share your comments below.