Backup and Restore AD-Integrated DNS Zones
AD-integrated DNS zones live in the directory database, not in flat .dns files - which means a Windows Server system-state backup catches them but only restores via a full authoritative restore in DSRM. For per-zone recovery (accidental delete, single-zone corruption), the right tool is dnscmd /zoneexport (or Export-DnsServerZone) for backup and the New Zone Wizard + zone-type conversion for restore. This article walks the full round trip: export fortesting.local and _msdcs.fortesting.local to .dns.backup files, simulate the disaster by deleting both zones, restore each as a standard Primary zone via the New Zone Wizard (with the rename-the-backup-file trick the wizard requires), then convert back to AD-integrated and tighten dynamic updates to Secure only. Includes the forest-wide replication-scope gotcha for _msdcs (default is domain-wide after conversion - has to be manually widened to forest), the off-server-copy requirement (the export drops files on the DC's own disk), and the verification commands.