How to Restore DNS Zones in Windows Server 2022

Learn to restore DNS zones on Windows Server using GUI and PowerShell methods, including backup preparation, zone recreation, and verification steps to prevent service disruptions.

Evan Mael
March 26, 2026 15 min

Why Is DNS Zone Restoration Critical for Windows Server Environments?

DNS zone restoration is a fundamental skill for Windows Server administrators, as DNS failures can bring down entire network infrastructures within minutes. Whether you're dealing with zone corruption, accidental deletions, failed updates, or disaster recovery scenarios, knowing how to quickly and accurately restore DNS zones can mean the difference between a brief service interruption and extended downtime affecting hundreds or thousands of users.

What Are the Main Methods for DNS Zone Restoration in Windows Server?

Windows Server provides two primary approaches for DNS zone restoration: the graphical DNS Manager console and PowerShell-based methods. The GUI approach offers intuitive wizards perfect for one-off restorations, while PowerShell provides automation capabilities essential for large-scale environments and disaster recovery procedures. Both methods support restoring to file-based primary zones and Active Directory-integrated zones, with the flexibility to convert between types post-restoration.

What Prerequisites Must Be Met Before Starting DNS Zone Restoration?

Successful DNS zone restoration requires proper preparation and the right environment. You'll need Windows Server 2016, 2019, or 2022 with the DNS Server role installed, administrative privileges, and most importantly, valid DNS zone backup files in the correct format. The backup files must be placed in the specific directory that Windows DNS Server expects: C:\Windows\System32\dns (not the backup subfolder, which is a common mistake). Understanding your current DNS configuration and having a rollback plan is equally crucial for production environments.

Implementation Guide

Full Procedure

01

Prepare the DNS Zone Backup Files

Before starting the restoration process, you need to prepare your DNS zone backup files and place them in the correct location. Windows DNS Server expects backup files to be in a specific directory.

First, copy your DNS backup file to the correct location:

Copy-Item "C:\DNSBackups\contoso.com.dns" "C:\Windows\System32\dns\contoso.com.dns"

Verify the backup file is in the correct location and check its contents:

# List files in the DNS directory
dir "C:\Windows\System32\dns\*.dns"

# Preview the backup file contents
Get-Content "C:\Windows\System32\dns\contoso.com.dns" | Select-Object -First 10

Warning: Place backup files in the root of C:\Windows\System32\dns, NOT in the backup subfolder. This is a common mistake that causes restoration failures.

Verification: Run Test-Path "C:\Windows\System32\dns\contoso.com.dns" to confirm the file exists in the correct location.
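As an added example (not from the original article), here is a pre-flight check that parses a .dns backup before you load it: it reads the SOA serial, counts records per type, and warns when the file is not in the directory the DNS server loads from. The Test-DnsZoneBackupFile function name and the sample zone content are constructed for this demonstration.

```powershell
function Test-DnsZoneBackupFile {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$ExpectedDirectory = "C:\Windows\System32\dns"
    )
    $warnings = New-Object System.Collections.Generic.List[string]
    if (-not (Test-Path -LiteralPath $Path)) { throw "Backup file not found: $Path" }

    # Directory check: the wizard's "existing file" option and -LoadExisting only see this folder
    $dir = [System.IO.Path]::GetDirectoryName((Resolve-Path -LiteralPath $Path).Path)
    $inExpectedDir = $dir.TrimEnd('\') -ieq $ExpectedDirectory.TrimEnd('\')
    if (-not $inExpectedDir) { $warnings.Add("File is in '$dir', not in '$ExpectedDirectory'") }

    # Strip ';' comments and tokenize the whole file; parentheses are layout only,
    # so a multi-line SOA (Windows style) and a one-line SOA (BIND style) parse the same
    $tokens = @(Get-Content -LiteralPath $Path |
        ForEach-Object { ($_ -replace ';.*$', '') -replace '[()]', ' ' } |
        ForEach-Object { $_ -split '\s+' } |
        Where-Object { $_ -ne '' })

    # SOA layout: SOA <primary> <responsible> <serial> <refresh> <retry> <expire> <minimum>
    $soaIndex = [array]::IndexOf($tokens, 'SOA')
    $serial = $null
    if ($soaIndex -ge 0 -and $tokens.Count -gt $soaIndex + 3 -and $tokens[$soaIndex + 3] -match '^\d+$') {
        $serial = [uint32]$tokens[$soaIndex + 3]
    } else {
        $warnings.Add("No parseable SOA record found; the zone cannot be loaded without one")
    }

    # Count records by type; record lines start in column 0 (SOA continuation lines are indented),
    # and Windows exports may carry [AGE:n] timestamps between the name and the TTL
    $counts = @{}
    foreach ($line in Get-Content -LiteralPath $Path) {
        if ($line -match '^[;\s$]' -or $line.Trim() -eq '') { continue }
        $clean = ($line -replace ';.*$', '') -replace '\[AGE:\d+\]', ''
        if ($clean -match '^\S+\s+(?:\d+\s+)?(?:IN\s+)?(A|AAAA|CNAME|MX|NS|PTR|SRV|TXT|SOA)\s') {
            $counts[$matches[1]] = 1 + [int]$counts[$matches[1]]
        }
    }
    if (-not $counts.ContainsKey('NS')) { $warnings.Add("No NS record found for the zone apex") }

    [pscustomobject]@{
        Path                = $Path
        InExpectedDirectory = $inExpectedDir
        Serial              = $serial
        RecordCounts        = $counts
        TotalRecords        = ($counts.Values | Measure-Object -Sum).Sum
        Warnings            = $warnings
    }
}

# Constructed sample in the layout Windows DNS writes (multi-line SOA, [AGE:] tag)
$sample = @'
;  Database file contoso.com.dns for contoso.com zone.
@                       IN  SOA dc1.contoso.com. hostmaster.contoso.com. (
                            42           ; serial number
                            900          ; refresh
                            600          ; retry
                            86400        ; expire
                            3600       ) ; default TTL
@                       NS    dc1.contoso.com.
@                       A     10.0.0.5
dc1                     A     10.0.0.5
www [AGE:3604987]       1200 A     10.0.0.6
@                       MX    10 mail.contoso.com.
'@
$tmp = Join-Path $env:TEMP "contoso.com.dns"
Set-Content -LiteralPath $tmp -Value $sample

# Inspect the result for the constructed sample (it will warn that the file is in %TEMP%)
Test-DnsZoneBackupFile -Path $tmp
```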

02

Document Current DNS Configuration

Before making any changes, document your current DNS configuration to enable rollback if needed. This step is crucial for production environments.

Export current zone information and DNS records:

# Make sure the working directory exists
New-Item -ItemType Directory -Path "C:\temp" -Force | Out-Null

# Check existing DNS zones
Get-DnsServerZone | Select-Object ZoneName, ZoneType, IsDsIntegrated | Export-Csv "C:\temp\current_zones.csv" -NoTypeInformation

# Export current DNS records for the zone you're restoring. Export-Clixml keeps the
# RecordData payload (IP addresses, aliases, MX targets); Export-Csv would flatten it
# to the type name and leave nothing usable for a rollback
Get-DnsServerResourceRecord -ZoneName "contoso.com" | Export-Clixml "C:\temp\current_dns_records.xml"

# Get detailed zone configuration
Get-DnsServerZone -Name "contoso.com" | Format-List | Out-File "C:\temp\zone_config.txt"

Create a backup of the current zone file if it exists:

# Backup current zone file
if (Test-Path "C:\Windows\System32\dns\contoso.com.dns") {
    Copy-Item "C:\Windows\System32\dns\contoso.com.dns" "C:\temp\contoso.com_current.dns"
    Write-Host "Current zone file backed up to C:\temp\contoso.com_current.dns"
}

Pro tip: Always create a snapshot of your current DNS configuration before restoration. This allows you to quickly revert changes if the restoration doesn't work as expected.

Verification: Check that the snapshot files were created by running dir "C:\temp\current_*" and confirm the files contain data.

03

Remove the Existing DNS Zone (If Necessary)

If you need to completely replace an existing zone, you'll need to remove it first. This step is optional if you're restoring a deleted zone or creating a new one.

Check if the zone exists and remove it:

# Check if the zone exists
$existingZone = Get-DnsServerZone -Name "contoso.com" -ErrorAction SilentlyContinue
if ($existingZone) {
    Write-Host "Zone exists. Type: $($existingZone.ZoneType), AD Integrated: $($existingZone.IsDsIntegrated)"
    
    # Remove the existing zone
    Remove-DnsServerZone -Name "contoso.com" -Force
    Write-Host "Zone removed successfully"
} else {
    Write-Host "Zone does not exist, proceeding with creation"
}

Wait a moment and verify the zone is completely removed:

# Wait for DNS service to process the change
Start-Sleep -Seconds 5

# Verify zone removal
$checkZone = Get-DnsServerZone -Name "contoso.com" -ErrorAction SilentlyContinue
if ($checkZone) {
    Write-Warning "Zone still exists, removal may have failed"
} else {
    Write-Host "Zone successfully removed"
}

Warning: Removing a DNS zone will immediately stop DNS resolution for that domain. Only perform this step during maintenance windows or when you're certain about the restoration process.

Verification: Run Get-DnsServerZone -Name "contoso.com" -ErrorAction SilentlyContinue and confirm it returns no results.

04

Restore DNS Zone Using PowerShell Method

PowerShell provides the most flexible and scriptable approach to DNS zone restoration. This method works for both file-based and Active Directory-integrated zones.

Create a new primary zone from the backup file:

# For file-based primary zones: -LoadExisting loads the zone from the file already
# sitting in C:\Windows\System32\dns instead of generating a new, empty zone file
Add-DnsServerPrimaryZone -Name "contoso.com" -ZoneFile "contoso.com.dns" -LoadExisting

# Active Directory-integrated zones cannot be created from a zone file in a single
# command (-ReplicationScope and -ZoneFile belong to different parameter sets);
# on domain controllers use the two-step approach below

To restore into an AD-integrated zone, create the zone as a file-based zone from the backup first and then convert it:

# Step 1: Create as file-based zone, loading the existing backup file
Add-DnsServerPrimaryZone -Name "contoso.com" -ZoneFile "contoso.com.dns" -LoadExisting

# Step 2: Convert to AD-integrated (use -DirectoryPartitionName only with -ReplicationScope "Custom")
Set-DnsServerPrimaryZone -Name "contoso.com" -ReplicationScope "Forest"

Configure essential zone settings after restoration:

# Enable secure dynamic updates (AD-integrated zones only; file-based zones cannot use "Secure")
Set-DnsServerPrimaryZone -Name "contoso.com" -DynamicUpdate "Secure"

# Configure zone transfer settings. The transfer policy is a property of the primary zone
# (there is no separate zone-transfer cmdlet), and TransferToSecureServers only permits the
# hosts listed in -SecondaryServers, so pass that list or no transfer will succeed
Set-DnsServerPrimaryZone -Name "contoso.com" -SecureSecondaries "TransferToSecureServers" -SecondaryServers "192.168.1.10", "192.168.1.11"

# Enable aging and scavenging if needed
Set-DnsServerZoneAging -Name "contoso.com" -Aging $true -RefreshInterval (New-TimeSpan -Days 7) -NoRefreshInterval (New-TimeSpan -Days 7)

Verification: Run Get-DnsServerZone -Name "contoso.com" | Format-List to confirm the zone was created with the correct settings.

05

Restore DNS Zone Using GUI Method

The DNS Manager GUI provides an intuitive approach for zone restoration, especially useful for administrators who prefer graphical interfaces.

Open DNS Manager and start the zone creation wizard:

# Open DNS Manager programmatically
Start-Process "dnsmgmt.msc"

Follow these GUI steps:

  1. In DNS Manager, right-click on your server name and select Create new zone
  2. Click Next on the New Zone Wizard welcome page
  3. Select Primary zone as the zone type
  4. For file-based zones: Uncheck "Store the zone in Active Directory"
  5. For AD-integrated zones: Check "Store the zone in Active Directory"
  6. Select Forward lookup zone (or Reverse if restoring a reverse zone)
  7. Enter the exact zone name from your backup (e.g., "contoso.com")
  8. Choose Use an existing file and select your backup file
  9. Complete the wizard by clicking Finish

If you created a file-based zone but need AD integration, convert it:

  1. Right-click the restored zone and select Properties
  2. Under the General tab, click Change next to Type
  3. Select Primary zone
  4. Check "Store the zone in Active Directory"
  5. Choose the appropriate replication scope
  6. Click OK to apply changes

Pro tip: When using the GUI method, the zone name you enter must exactly match the zone name in your backup file. Case sensitivity matters for some record types.

Verification: In DNS Manager, expand the Forward Lookup Zones and confirm your zone appears with the expected records.

06

Import Individual DNS Records (Advanced Method)

Sometimes you need to restore specific records rather than entire zones, or your backup file needs manual parsing. This advanced method gives you granular control over the restoration process.

Create a PowerShell script to parse and import DNS records:

# Advanced DNS record import script
$backupFile = "C:\Windows\System32\dns\contoso.com.dns"
$zoneName = "contoso.com"
$importLog = "C:\temp\dns_import_log.txt"

# Initialize counters
$successCount = 0
$errorCount = 0

# Read and parse the backup file
Get-Content $backupFile | ForEach-Object {
    # Drop ';' comments and the [AGE:n] timestamps Windows writes into exported zone files
    $line = (($_ -replace ';.*$', '') -replace '\[AGE:\d+\]', '').Trim()

    # Skip empty lines, $ORIGIN/$TTL directives and the SOA, which Add-DnsServerPrimaryZone
    # already created with the zone (its indented continuation lines never match below)
    if ($line -eq "" -or $line -match '^\$' -or $line -match '\sSOA\s') { return }

    # Parse DNS record format: NAME [TTL] [IN] TYPE DATA
    # (TTL and the IN class are optional; Windows-exported files usually omit both)
    if ($line -match '^(\S+)\s+(?:(\d+)\s+)?(?:IN\s+)?(\S+)\s+(.+)$') {
        $recordName = $matches[1]
        $ttl = if ($matches[2]) { [int]$matches[2] } else { 3600 }
        $recordType = $matches[3].ToUpper()
        $recordData = $matches[4].Trim()

        try {
            switch ($recordType) {
                "A" {
                    Add-DnsServerResourceRecordA -ZoneName $zoneName -Name $recordName -IPv4Address $recordData -TimeToLive (New-TimeSpan -Seconds $ttl)
                }
                "AAAA" {
                    Add-DnsServerResourceRecordAAAA -ZoneName $zoneName -Name $recordName -IPv6Address $recordData -TimeToLive (New-TimeSpan -Seconds $ttl)
                }
                "CNAME" {
                    Add-DnsServerResourceRecordCName -ZoneName $zoneName -Name $recordName -HostNameAlias $recordData -TimeToLive (New-TimeSpan -Seconds $ttl)
                }
                "PTR" {
                    Add-DnsServerResourceRecordPtr -ZoneName $zoneName -Name $recordName -PtrDomainName $recordData -TimeToLive (New-TimeSpan -Seconds $ttl)
                }
                "MX" {
                    # MX data is "<preference> <mail exchanger>"
                    $parts = $recordData -split "\s+"
                    Add-DnsServerResourceRecordMX -ZoneName $zoneName -Name $recordName -Preference ([uint16]$parts[0]) -MailExchange $parts[1] -TimeToLive (New-TimeSpan -Seconds $ttl)
                }
                "SRV" {
                    # SRV data is "<priority> <weight> <port> <target>"
                    $parts = $recordData -split "\s+"
                    Add-DnsServerResourceRecord -Srv -ZoneName $zoneName -Name $recordName -Priority ([uint16]$parts[0]) -Weight ([uint16]$parts[1]) -Port ([uint16]$parts[2]) -DomainName $parts[3] -TimeToLive (New-TimeSpan -Seconds $ttl)
                }
                "TXT" {
                    # Zone files wrap TXT data in quotes (Windows also adds parentheses); strip both
                    $text = ($recordData -replace '[()]', '').Trim().Trim('"')
                    Add-DnsServerResourceRecordTxt -ZoneName $zoneName -Name $recordName -DescriptiveText $text -TimeToLive (New-TimeSpan -Seconds $ttl)
                }
                default {
                    Write-Warning "Unsupported record type: $recordType for $recordName"
                    "WARNING: Unsupported record type: $recordType for $recordName" | Add-Content $importLog
                    $errorCount++
                    return
                }
            }
            $successCount++
            "SUCCESS: Imported $recordType record for $recordName" | Add-Content $importLog
        } catch {
            Write-Warning "Failed to import $recordType record for $recordName`: $($_.Exception.Message)"
            "ERROR: Failed to import $recordType record for $recordName`: $($_.Exception.Message)" | Add-Content $importLog
            $errorCount++
        }
    }
}

Write-Host "Import completed. Success: $successCount, Errors: $errorCount"
Write-Host "Detailed log saved to: $importLog"

Verification: Check the import results and verify specific records:

# Check import statistics
Get-Content "C:\temp\dns_import_log.txt" | Group-Object {$_.Split(':')[0]} | Select-Object Name, Count

# Verify specific record types were imported
Get-DnsServerResourceRecord -ZoneName "contoso.com" -RRType "A" | Select-Object HostName, RecordData
Get-DnsServerResourceRecord -ZoneName "contoso.com" -RRType "MX" | Select-Object HostName, RecordData

07

Configure Post-Restoration Zone Settings

After restoring the DNS zone, you need to configure essential settings to ensure proper operation and security. These settings may not be preserved in backup files.

Configure dynamic update settings based on your environment:

# For Active Directory-integrated zones (recommended for domain controllers;
# "Secure" is only accepted on AD-integrated zones)
Set-DnsServerPrimaryZone -Name "contoso.com" -DynamicUpdate "Secure"

# For standalone DNS servers or specific requirements
Set-DnsServerPrimaryZone -Name "contoso.com" -DynamicUpdate "NonsecureAndSecure"

# To disable dynamic updates completely
Set-DnsServerPrimaryZone -Name "contoso.com" -DynamicUpdate "None"

Configure zone transfer security and secondary servers:

# Restrict zone transfers to specific servers (the transfer policy is a property of the primary zone)
$secondaryServers = @("192.168.1.10", "192.168.1.11")
Set-DnsServerPrimaryZone -Name "contoso.com" -SecureSecondaries "TransferToSecureServers" -SecondaryServers $secondaryServers

# Or allow transfers to any server (not recommended for production: it lets anyone enumerate the zone)
Set-DnsServerPrimaryZone -Name "contoso.com" -SecureSecondaries "TransferAnyServer"

# Disable zone transfers completely
Set-DnsServerPrimaryZone -Name "contoso.com" -SecureSecondaries "NoTransfer"

Configure aging and scavenging to prevent stale records:

# Enable aging and scavenging with 7-day intervals
Set-DnsServerZoneAging -Name "contoso.com" -Aging $true -RefreshInterval (New-TimeSpan -Days 7) -NoRefreshInterval (New-TimeSpan -Days 7)

# Configure server-level scavenging
Set-DnsServerScavenging -ScavengingState $true -ScavengingInterval (New-TimeSpan -Days 7)

# Trigger an immediate scavenging pass if needed (server-wide; there is no per-zone switch)
Start-DnsServerScavenging -Force

Set up zone delegation if you have subdomains:

# Add delegation for subdomain
Add-DnsServerZoneDelegation -ZoneName "contoso.com" -ChildZoneName "subdomain" -NameServer "ns1.subdomain.contoso.com" -IPAddress "192.168.1.20"
Pro tip: Document all configuration changes you make post-restoration. This information should be included in your disaster recovery procedures for future reference.

Verification: Check all configured settings with Get-DnsServerZone -Name "contoso.com" | Format-List DynamicUpdate, SecureSecondaries, SecondaryServers, Notify and Get-DnsServerZoneAging -Name "contoso.com".

08

Test DNS Resolution and Functionality

Thorough testing is crucial to ensure your DNS zone restoration was successful and all services are functioning correctly. This step prevents service disruptions and identifies any issues before users are affected.

Test basic DNS resolution from the local server:

# Test basic A record resolution
nslookup contoso.com localhost
nslookup www.contoso.com localhost

# Test using PowerShell DNS cmdlets
Resolve-DnsName -Name "contoso.com" -Type A -Server localhost
Resolve-DnsName -Name "www.contoso.com" -Type A -Server localhost

# Test MX records for email
Resolve-DnsName -Name "contoso.com" -Type MX -Server localhost

# Test SRV records for services
Resolve-DnsName -Name "_sip._tcp.contoso.com" -Type SRV -Server localhost
Resolve-DnsName -Name "_ldap._tcp.contoso.com" -Type SRV -Server localhost

Test DNS resolution from remote clients:

# Test from a remote client (replace with the client's actual name or IP). The client
# must accept WinRM, and the checks run on the client against this DNS server
$clientIP = "192.168.1.100"
$dnsServer = $env:COMPUTERNAME   # or this server's IP address if the client cannot resolve its name

$credential = Get-Credential
Invoke-Command -ComputerName $clientIP -Credential $credential -ScriptBlock {
    $server = $using:dnsServer
    # Can the client reach the DNS server on TCP 53?
    Test-NetConnection -ComputerName $server -Port 53
    # Does the zone resolve when the client asks this server directly?
    nslookup contoso.com $server
    Resolve-DnsName -Name "contoso.com" -Type A -Server $server
}

Perform comprehensive DNS functionality tests:

# Check zone transfer settings (they are zone properties; there is no separate cmdlet)
Get-DnsServerZone -Name "contoso.com" | Select-Object SecureSecondaries, SecondaryServers, Notify

# Check that the zone accepts writes by adding a temporary record through the
# management API (add -CreatePtr only if a matching reverse zone exists)
$testRecord = "test-" + (Get-Date -Format "yyyyMMdd-HHmmss")
Add-DnsServerResourceRecordA -ZoneName "contoso.com" -Name $testRecord -IPv4Address "192.168.1.99"

# Verify the test record was created
Resolve-DnsName -Name "$testRecord.contoso.com" -Type A -Server localhost

# Clean up test record
Remove-DnsServerResourceRecord -ZoneName "contoso.com" -Name $testRecord -RRType A -Force

Monitor DNS server performance and statistics:

# Check DNS server query statistics (the counters live in nested objects)
(Get-DnsServerStatistics).QueryStatistics | Select-Object TotalQueries, TotalResponses

# Monitor DNS server event logs
Get-WinEvent -LogName "DNS Server" -MaxEvents 10 | Select-Object TimeCreated, Id, LevelDisplayName, Message

# Check zone-specific statistics
Get-DnsServerZone -Name "contoso.com" | Select-Object ZoneName, ZoneType, IsDsIntegrated, IsAutoCreated
(Get-DnsServerStatistics -ZoneName "contoso.com").ZoneQueryStatistics

Warning: If any DNS tests fail, do not proceed to production use. Investigate and resolve issues immediately, as DNS failures can cause widespread service disruptions.

Verification: All DNS resolution tests should return expected results, and no errors should appear in the DNS Server event log. Run Get-WinEvent -FilterHashtable @{LogName="DNS Server"; Level=2} -MaxEvents 5 to check for recent errors (Level 2 is Error; Get-WinEvent has no -Level parameter).
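As an added example (not part of the original article), the functions below normalize each record into a name|type|data key so the snapshot taken before restoration can be diffed against the restored zone, catching records the restore dropped or changed. ConvertTo-DnsRecordKey, Compare-DnsZoneSnapshot and the mock records are constructed for this demonstration; on a server, pass Get-DnsServerResourceRecord output (or an Export-Clixml snapshot read back with Import-Clixml) instead.

```powershell
function ConvertTo-DnsRecordKey {
    param([Parameter(Mandatory, ValueFromPipeline)]$Record)
    process {
        # RecordData is a CIM instance whose payload properties differ by type
        # (IPv4Address, HostNameAlias, MailExchange, ...); skip the CIM plumbing
        $data = $Record.RecordData.PSObject.Properties |
            Where-Object { $_.Name -notmatch '^(Cim|PS)' -and $null -ne $_.Value } |
            Sort-Object Name |
            ForEach-Object { "$($_.Name)=$($_.Value)" }
        # Names and types are case-insensitive in DNS, so normalize them for comparison
        "{0}|{1}|{2}" -f $Record.HostName.ToLower(), $Record.RecordType.ToUpper(), ($data -join ';')
    }
}

function Compare-DnsZoneSnapshot {
    param(
        [Parameter(Mandatory)][object[]]$Before,   # records captured before restoration
        [Parameter(Mandatory)][object[]]$After     # records read from the restored zone
    )
    $beforeKeys = @($Before | ConvertTo-DnsRecordKey | Sort-Object -Unique)
    $afterKeys  = @($After  | ConvertTo-DnsRecordKey | Sort-Object -Unique)
    [pscustomobject]@{
        Missing   = @($beforeKeys | Where-Object { $_ -notin $afterKeys })   # lost or altered by the restore
        Added     = @($afterKeys  | Where-Object { $_ -notin $beforeKeys })  # present only after the restore
        Unchanged = @($beforeKeys | Where-Object { $_ -in $afterKeys }).Count
    }
}

# Constructed records shaped like Get-DnsServerResourceRecord output
function New-MockRecord([string]$Name, [string]$Type, [hashtable]$Data) {
    [pscustomobject]@{ HostName = $Name; RecordType = $Type; RecordData = [pscustomobject]$Data }
}
$before = @(
    (New-MockRecord '@'   'A'     @{ IPv4Address = '10.0.0.5' }),
    (New-MockRecord 'www' 'A'     @{ IPv4Address = '10.0.0.6' }),
    (New-MockRecord '@'   'MX'    @{ Preference = 10; MailExchange = 'mail.contoso.com.' }),
    (New-MockRecord 'ftp' 'CNAME' @{ HostNameAlias = 'www.contoso.com.' })
)
$after = @(
    (New-MockRecord '@'   'A'     @{ IPv4Address = '10.0.0.5' }),
    (New-MockRecord 'WWW' 'A'     @{ IPv4Address = '10.0.0.7' }),   # address changed
    (New-MockRecord '@'   'MX'    @{ Preference = 10; MailExchange = 'mail.contoso.com.' })
)                                                                     # ftp CNAME lost

$diff = Compare-DnsZoneSnapshot -Before $before -After $after
"Missing:   $($diff.Missing -join ', ')"
"Added:     $($diff.Added -join ', ')"
"Unchanged: $($diff.Unchanged)"

# On a live server:
#   $before = Import-Clixml <snapshot saved with Export-Clixml before the restore>
#   $after  = Get-DnsServerResourceRecord -ZoneName "contoso.com"
#   Compare-DnsZoneSnapshot -Before $before -After $after
```

A non-empty Missing list after restoration means records that existed before the restore are gone or carry different data, which is exactly what to reconcile against the backup before declaring the zone healthy.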

09

Implement Monitoring and Backup Procedures

After successful restoration, implement monitoring and regular backup procedures to prevent future data loss and ensure quick recovery capabilities.

Set up automated DNS zone backups:

# Create a backup script
$backupScript = @'
# DNS Zone Backup Script
$backupPath = "C:\DNSBackups"
$dnsDir = "$env:SystemRoot\System32\dns"
$date = Get-Date -Format "yyyyMMdd-HHmmss"

# Create backup directory if it doesn't exist
if (!(Test-Path $backupPath)) {
    New-Item -ItemType Directory -Path $backupPath -Force | Out-Null
}

# Get all primary DNS zones (file-based and AD-integrated) and back up each one
Get-DnsServerZone | Where-Object {$_.ZoneType -eq "Primary"} | ForEach-Object {
    $zoneName = $_.ZoneName
    $exportName = "$zoneName-$date.dns"
    $backupFile = Join-Path $backupPath $exportName

    try {
        # Export-DnsServerZone writes relative to the server's dns directory
        Export-DnsServerZone -Name $zoneName -FileName $exportName

        # Move the export to the backup location so the dns directory stays clean
        Move-Item (Join-Path $dnsDir $exportName) $backupFile -Force

        Write-Host "Backed up zone: $zoneName to $backupFile"
    } catch {
        Write-Error "Failed to backup zone $zoneName`: $($_.Exception.Message)"
    }
}

# Clean up old backups (keep last 30 days)
Get-ChildItem $backupPath -Filter "*.dns" | Where-Object {$_.CreationTime -lt (Get-Date).AddDays(-30)} | Remove-Item -Force
'@

# Save the backup script
New-Item -ItemType Directory -Path "C:\Scripts" -Force | Out-Null
$backupScript | Out-File "C:\Scripts\DNSBackup.ps1" -Encoding UTF8

Create a scheduled task for automated backups:

# Create scheduled task for daily DNS backups
$action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-ExecutionPolicy Bypass -File C:\Scripts\DNSBackup.ps1"
$trigger = New-ScheduledTaskTrigger -Daily -At "2:00 AM"
$principal = New-ScheduledTaskPrincipal -UserId "SYSTEM" -LogonType ServiceAccount -RunLevel Highest
$settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Hours 1) -RestartCount 3

Register-ScheduledTask -TaskName "DNS Zone Backup" -Action $action -Trigger $trigger -Principal $principal -Settings $settings -Description "Daily backup of DNS zones"

# Verify the task was created
Get-ScheduledTask -TaskName "DNS Zone Backup"

Set up DNS monitoring and alerting:

# Create a DNS monitoring script
$monitorScript = @'
# DNS Monitoring Script
$zones = @("contoso.com", "internal.local")  # Add your zones here
$logFile = "C:\Logs\DNS-Monitor.log"
$errorFound = $false

# Make sure the log directory and the event log source exist before they are used
New-Item -ItemType Directory -Path (Split-Path $logFile) -Force | Out-Null
if (-not [System.Diagnostics.EventLog]::SourceExists("DNS Monitor")) {
    New-EventLog -LogName Application -Source "DNS Monitor"
}

foreach ($zone in $zones) {
    $timestamp = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
    try {
        # Query this server directly rather than whatever resolver the client settings point at
        $result = Resolve-DnsName -Name $zone -Type SOA -Server localhost -ErrorAction Stop
        "$timestamp - OK: Zone $zone is resolving correctly" | Add-Content $logFile
    } catch {
        "$timestamp - ERROR: Zone $zone failed to resolve: $($_.Exception.Message)" | Add-Content $logFile
        $errorFound = $true
    }
}

# Check DNS service status
if ((Get-Service -Name "DNS").Status -ne "Running") {
    $timestamp = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
    "$timestamp - CRITICAL: DNS Service is not running!" | Add-Content $logFile
    $errorFound = $true
}

# Send alert if errors found (customize with your alerting method)
if ($errorFound) {
    # Add your alerting logic here (email, SNMP, etc.)
    Write-EventLog -LogName Application -Source "DNS Monitor" -EventId 1001 -EntryType Error -Message "DNS monitoring detected issues. Check $logFile for details."
}
'@

# Save the monitoring script
New-Item -ItemType Directory -Path "C:\Scripts" -Force | Out-Null
$monitorScript | Out-File "C:\Scripts\DNSMonitor.ps1" -Encoding UTF8

Create a monitoring scheduled task:

# Create scheduled task for DNS monitoring (every 15 minutes)
$monitorAction = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-ExecutionPolicy Bypass -File C:\Scripts\DNSMonitor.ps1"
$monitorTrigger = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Minutes 15) -RepetitionDuration (New-TimeSpan -Days 365)
$monitorPrincipal = New-ScheduledTaskPrincipal -UserId "SYSTEM" -LogonType ServiceAccount

Register-ScheduledTask -TaskName "DNS Zone Monitor" -Action $monitorAction -Trigger $monitorTrigger -Principal $monitorPrincipal -Description "Monitor DNS zones every 15 minutes"

# Test the monitoring script immediately
Start-ScheduledTask -TaskName "DNS Zone Monitor"

Pro tip: Store DNS backups in multiple locations, including offsite storage. Consider using cloud storage or network shares to ensure backups survive local hardware failures.

Verification: Check that scheduled tasks are created with Get-ScheduledTask | Where-Object {$_.TaskName -like "*DNS*"} and verify backup files are being created in your designated backup location.

Frequently Asked Questions

What is the correct location for DNS zone backup files in Windows Server?

DNS zone backup files must be placed in C:\Windows\System32\dns\ (the root directory), not in the backup subfolder. This is the most common mistake that causes restoration failures. Windows DNS Server specifically looks for zone files in this root directory when using the 'Use an existing file' option during zone creation. Always verify the file path before starting the restoration process.

Can I restore a DNS zone without removing the existing zone first?

No, you cannot restore over an existing zone with the same name. You must either remove the existing zone first using Remove-DnsServerZone or choose a different zone name. However, you can restore individual DNS records to an existing zone using PowerShell methods. Always back up your current zone configuration before removal to enable rollback if needed.

What's the difference between file-based and Active Directory-integrated DNS zone restoration?

File-based zones store data in text files on the local server and require manual replication to secondary servers. AD-integrated zones store data in Active Directory and automatically replicate across domain controllers. During restoration, you can create a file-based zone first and then convert it to AD-integrated, or create it directly as AD-integrated using the -ReplicationScope parameter in PowerShell.

How do I verify that DNS zone restoration was successful?

Verify restoration by testing DNS resolution using nslookup and Resolve-DnsName cmdlets, checking zone properties with Get-DnsServerZone, and testing from both local and remote clients. Monitor the DNS Server event log for errors, test zone transfers if configured, and verify that all expected record types (A, MX, SRV, etc.) are resolving correctly. Always test critical services that depend on DNS after restoration.

What should I do if individual DNS records fail to import during PowerShell restoration?

When using PowerShell for granular record restoration, implement error handling with try-catch blocks and logging. Common causes include incorrect record format, unsupported record types, or permission issues. Review the backup file format to ensure it matches standard DNS syntax, check that the PowerShell execution policy allows the script to run, and verify administrative privileges. Use the detailed import script provided in the tutorial to identify and skip problematic records while continuing with successful imports.
Written by Evan Mael

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.
