Deleted AD zone
In the event that someone accidentally deletes the AD domain zone (which is remarkably easy to do with the standard Microsoft AD tools and much has been written about ways to restore it on Windows servers, depending on how long before you notice that's what happened) your domain will cease to function correctly, more or less entirely for machines outside the primary LAN. Services using LDAP auth should continue to work as normal.
All is not lost though, and restoring the zone and domain functionality will not take long and does not require that you have any backups.
NB this is based on a real world successful recovery and has not been "lab tested"; the domain in question was using the internal DNS server.
- Recreate the zone with
samba-tool dns zonecreate A-DC domain.local -U admin.username
where in the test case A-DC was what we think of in old-fashioned terms as the PDC e.g. has the FSMO roles - may or may not be relevant, only some lab testing will tell.
The zone starts to populate itself fairly quickly with stuff from the LAN.
- On the other DCs restart samba
service samba-ad-dc restart
That gets the zone recreated on the DCs, and they start to replicate the info from A-DC, and populate with local machines a little while later (you can check progress with
samba-tool dns query this-DC domain.local @ ALL -U admin.username
- You then get the DCs all joined up again (getting their A records to appear in the zone) by running
samba_dnsupdate --verbose --use-samba-tool --rpc-server-ip ip.of.each.dc --all-names
It's possible you only need to run the above from each DC to one other (the A-DC) above and then it will all just replicate, but in the real world recovery process we went belt and braces and did it from each DC to each other DC.
At this point recovery back to normal function is just a matter of time, and not a very long time in our example; no more issues were reported after 15 minutes of this process being completed (3 sites, a few hundred clients and 7 DCs).