Solved

DNS Scavenging Questions

Posted on 2007-10-09
Last Modified: 2012-08-13
We have a Windows Server 2003 / SP2 domain with AD-Integrated DNS zones.  We are accumulating a number of stale resource records from clients, and are having name resolution issues as a result.  I would like to enable DNS scavenging, but need to make sure I understand exactly how to do this.  I've read a number of articles on this, and based on that, I believe that just turning it on using the default settings (7 days) will work...our DHCP leases are all 8 days.  However, I'm not clear on a couple things.

1)  We have 5 AD-Integrated Primary Zones...only one of which has an issue with duplicate stale records.  Should I enable scavenging just for the one zone, or go with the option to "scavenge all zones"?  And how do I do this?  I've read some articles that say to just enable the options at the zone level...others state that you must select the "Set aging and scavenging for all zones" option on each DNS server along with enabling it at the zone level.

2)  If I must enable scavenging at the DNS server level, do I set the same options on both of our DNS servers, or just configure 1 to do the scavenging?

3)  Do I need to run the AGEALLRECORDS command before turning this on, or will it be OK since they were all already AD-Integrated zones?

Thanks.
Question by:lakeviewmedical
14 Comments
 
LVL 7

Accepted Solution

by:
DenisCooper earned 400 total points
ID: 20041720
If I were you I would set scavenging on all servers. It won't hurt to do this, but if you are using AD-integrated DNS then each DNS server should have the same records, as they use the replication topology of AD. Just set it and leave it at its default.

It may be worth using secure updates only too, as this will help with the duplicates you're getting.
LVL 4

Assisted Solution

by:DeanC30
DeanC30 earned 400 total points
ID: 20041730
Personally I would configure DNS scavenging on ALL DNS servers and on ALL zones.  This way it ensures stale records on all the servers are removed.  The default setting of 7 days for no-refresh and refresh will do the trick.

However, as you currently have issues with stale records, it may be prudent to configure it for 1 day to begin with to ensure the minimum time before the zone becomes available for scavenging.  You could also run the "Scavenge stale records" option from the action list.

HTH

Author Comment

by:lakeviewmedical
ID: 20041919
Thank you for the quick responses...just a couple follow-up questions.  If I follow the steps to "Set Aging and Scavenging properties for the DNS Server", and select the "Set Aging/Scavenging for all Zones" option at this level, is that all I need to do?  Or do I then need to follow the steps to "Set Aging and Scavenging properties for a zone" in addition to this?  I just need some clarification on the locations of the different options I need to configure...the documentation refers to several different locations and doesn't clearly explain what scenarios require what settings.  Also, do I need to run the AGEALLRECORDS command on one or both DNS servers prior to enabling this...or should I be OK because the zones are all already AD-Integrated?  Thanks.
LVL 4

Expert Comment

by:DeanC30
ID: 20041978
NO, DO NOT run ageallrecords.  From my understanding of this utility, what it actually does is change the timestamp to the current time.  In other words it will actually make your current stale records valid.  (Denis, can you confirm this?)

You need to configure it for all zones on the DNS server, and then configure each zone separately.


LVL 71

Assisted Solution

by:Chris Dent
Chris Dent earned 200 total points
ID: 20041998

If you set the Aging/Scavenging options for All Zones then you won't need to do it for individual zones, the global setting should overwrite any zone specific setting.

You must enable the scavenging process on at least one DC, that's under the properties for the server then Advanced. I recommend you set the Period to 1 Day. That means that particular server will carry out the scavenging once a day, picking out records marked as stale according to your Aging settings.

AgeAllRecords is unnecessary in most instances if you're willing to be a little patient, I never like to use it, but that's my personal choice.

The update / refresh date of the record won't start replicating until you've set a zone as Enabled (by ticking Scavenge Stale Records), so don't be surprised if you don't see immediate changes. Be prepared to wait at least the value of your Aging Period (7 + 7 days) before things start to disappear.

Chris
LVL 7

Expert Comment

by:DenisCooper
ID: 20042008
Hi...

This is an exact quote from DNS on Windows Server 2003 by Matt Larson:

"A global setting controls aging and scavenging for the entire DNS server. It's located on the Advanced tab of the server properties window. The scavenging period setting controls how often the server makes a scavenging pass through all authoritative zones.

Once aging and scavenging has been enabled on a given server, you must still enable it for a particular zone. From the General tab of a zone's properties window, click the Aging button."

Hope this helps - and make sure you leave the default options - just tick the boxes, nothing else.
LVL 71

Expert Comment

by:Chris Dent
ID: 20042109

Just to clarify slightly.

Dean is correct about how AgeAllRecords works. It copies the current timestamp into the associated field for each and every record within the specified zone. That includes any statically configured records, which can be undesirable.

Even with that set the records will not be scavenged until they have aged (again, based on the two aging periods expiring for the record).

Static records do not normally carry a timestamp and are, as such, never eligible for scavenging (unless a timestamp is forced as above).

As a side-note, AD's Service Records are automatically Refreshed / Updated once every 24 hours, so unless Aging is set exceptionally low will never be scavenged for a live DC.

Chris
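The aging arithmetic Chris lays out above (a record is a candidate only once its timestamp is older than no-refresh plus refresh, static records have no timestamp and are never touched, a live DC re-registers its SRV records daily) can be checked against a zone listing before a single record is deleted. The PowerShell below is an added example, not code from the thread or from Microsoft. It assumes the listing format dnscmd prints for `dnscmd <server> /EnumRecords <zone> @ /Type <type> /Additional`, namely `<name> [Aging:<hours>] <ttl> <type> <data>` with the `[Aging:]` token absent on static records and `<hours>` counted from 1601-01-01 UTC; the sample lines, the zone name `example.local` and the reference time are constructed so the result is reproducible.

```powershell
# Added example, not from the original thread: apply the no-refresh /
# refresh arithmetic to a dnscmd record listing and report which records a
# scavenging pass would actually remove.
#
# Assumptions (not taken from the poster's server):
#   - listing format as printed by
#       dnscmd <server> /EnumRecords <zone> @ /Type <type> /Additional
#     i.e. "<name> [Aging:<hours>] <ttl> <type> <data>", <hours> being the
#     timestamp in hours since 1601-01-01 UTC; a static record has no token;
#   - the sample lines below are constructed around a fixed reference time.

$DnsEpoch = [datetime]'1601-01-01'

function ConvertFrom-DnsAgingHours {
    param([long]$Hours)
    $DnsEpoch.AddHours($Hours)
}

function Get-ScavengeCandidates {
    param(
        [string[]]$EnumRecordsOutput,
        [datetime]$Now,
        [int]$NoRefreshHours = 168,   # 7 days, the default
        [int]$RefreshHours   = 168    # 7 days, the default
    )
    # Eligible only once the timestamp is older than BOTH intervals added
    # together (7 + 7 days with the defaults).
    $refreshStart = $Now.AddHours(-$NoRefreshHours)
    $cutoff       = $Now.AddHours(-($NoRefreshHours + $RefreshHours))

    foreach ($line in $EnumRecordsOutput) {
        if ($line -notmatch '^(\S+)\s+(?:\[Aging:(\d+)\]\s+)?(\d+)\s+(\w+)\s+(.+)$') { continue }
        $name  = $Matches[1]
        $aging = $Matches[2]          # empty / null for a static record
        $type  = $Matches[4]

        $rec = New-Object PSObject -Property @{
            Name = $name; Type = $type; Timestamp = $null; Eligible = $false; Reason = ''
        }
        if (-not $aging) {
            $rec.Reason = 'static: no timestamp, never scavenged'
        } else {
            $ts = ConvertFrom-DnsAgingHours ([long]$aging)
            $rec.Timestamp = $ts
            if ($ts -le $cutoff) {
                $rec.Eligible = $true
                $rec.Reason = 'older than no-refresh + refresh: stale'
            } elseif ($ts -le $refreshStart) {
                $rec.Reason = 'in refresh window: client may still refresh it'
            } else {
                $rec.Reason = 'in no-refresh window: refreshes suppressed'
            }
        }
        $rec
    }
}

# Constructed sample: the thread date as "now", timestamps written as offsets
# from it so the lines are valid for that reference time.
$Now      = [datetime]'2007-10-09 12:00'
$nowHours = [long]($Now - $DnsEpoch).TotalHours
$sample = @(
    "@ [Aging:$($nowHours - 2)] 600 A`t10.0.0.1"              # refreshed 2 h ago
    "host1 [Aging:$($nowHours - 200)] 1200 A`t10.0.0.50"      # 200 h: past no-refresh, inside refresh
    "host2 [Aging:$($nowHours - 400)] 1200 A`t10.0.0.51"      # 400 h > 336 h: scavenging candidate
    "printer 1200 A`t10.0.0.60"                               # static, no timestamp
    "_ldap._tcp [Aging:$($nowHours - 20)] 600 SRV`t0 100 389 dc1.example.local."  # DC re-registers daily
)

Get-ScavengeCandidates -EnumRecordsOutput $sample -Now $Now |
    Format-Table Name, Type, Timestamp, Eligible, Reason -AutoSize
```

With the default 7 + 7 day intervals only `host2` comes out as eligible; `host1` is in the refresh window, the apex and SRV records are inside the no-refresh window, and `printer` is reported as static. Against a real server, replace `$sample` with the captured `/EnumRecords` output and `$Now` with `(Get-Date).ToUniversalTime()`.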
LVL 4

Expert Comment

by:DeanC30
ID: 20042143
Thanks for the clarification Chris.

And to clarify a little more, the actual "configure server, all zones & then configure the zones themselves" debate really comes down to the OS, the DNS zone configuration, and the version.

My advice, and that's all we can offer here, would be to configure the DNS server, then check the zones; if they are configured then job done, if they are not, then it's not a big job to do it.

Waiting for the "we have 150 zones configured in our environment" reply now :-)

HTH lakeviewmedical

Author Comment

by:lakeviewmedical
ID: 20042627
So just to summarize the steps to take for this:
-  Go through each zone and verify that any static entries do not have the "Delete this record when it becomes stale" box checked.
-  Enable scavenging for all zones at the DNS server level (on both of our DNS servers)...leaving the default settings.
-  At the zone level, set aging parameters...again leaving the defaults.
-  Manually run a scavenging task using the "Scavenge Stale Resource Records" option at the server level.
-  Also at the server level, set automatic scavenging within "Properties / Advanced"...again leaving the default settings.
Is that all there is to it?  And also, we only have 2 Forward Lookup Zones for our facility...along with 3 other zones that are there as a result of zone transfers with a partner organization.  Do I enable scavenging on these zones as well, or just our own?  And after all the changes are implemented, is it required to stop / start the DNS service on each DNS server for the changes to take effect?

Thanks again for all the responses.
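The summary above is a GUI procedure; the same steps can be scripted with dnscmd, which is the command-line tool that ships with the 2003-era DNS admin tools. The PowerShell below is an added example, not code from the thread or from Microsoft: the server names, zone names and snapshot folder are assumptions, and the script deliberately takes a record snapshot first and never calls AgeAllRecords, in line with the advice earlier in the thread. The secondary zones pulled from the partner organisation are left out of the zone list, since they are read-only here and their owner scavenges them.

```powershell
# Added example, not from the original thread: the summarised procedure as
# dnscmd commands. Names below are assumptions, not the poster's environment.
# Run from an elevated prompt on a box with the DNS admin tools installed.

$Servers      = 'dns1.corp.example.local', 'dns2.corp.example.local'   # assumed
$PrimaryZones = 'corp.example.local', 'branch.example.local'         # assumed: own AD-integrated primaries only
$NoRefresh    = 168   # hours = 7 days, the default
$Refresh      = 168   # hours = 7 days, the default
$Scavenging   = 24    # hours: one scavenging pass a day, as recommended above
$Snapshot     = 'C:\DnsScavenge'                                       # assumed
$primary      = $Servers[0]
New-Item -ItemType Directory -Path $Snapshot -Force | Out-Null

# Step 0: snapshot each primary zone with aging data so records that should
# be static but carry a timestamp can be spotted before anything is deleted.
foreach ($zone in $PrimaryZones) {
    dnscmd $primary /EnumRecords $zone '@' /Type A /Additional |
        Out-File -FilePath (Join-Path $Snapshot "$zone-before.txt")
}

# Step 1: server level, on BOTH servers. A non-zero ScavengingInterval is the
# "Enable automatic scavenging of stale records" box under Properties / Advanced.
# The Default* values only seed zones created later, so step 2 is still needed.
foreach ($server in $Servers) {
    dnscmd $server /Config /ScavengingInterval $Scavenging
    dnscmd $server /Config /DefaultAgingState 1
    dnscmd $server /Config /DefaultNoRefreshInterval $NoRefresh
    dnscmd $server /Config /DefaultRefreshInterval $Refresh
}

# Step 2: zone level. /Aging 1 is the "Scavenge stale resource records" box
# behind the Aging button on the zone's General tab. These are properties of
# the zone itself, so for AD-integrated zones setting them once is enough;
# repeating on the second server is harmless.
foreach ($zone in $PrimaryZones) {
    dnscmd $primary /Config $zone /Aging 1
    dnscmd $primary /Config $zone /NoRefreshInterval $NoRefresh
    dnscmd $primary /Config $zone /RefreshInterval $Refresh
}

# Step 3: verify. /ZoneInfo prints the zone's aging-related fields.
foreach ($zone in $PrimaryZones) {
    dnscmd $primary /ZoneInfo $zone | Select-String -Pattern 'aging', 'refresh', 'scavenge'
}

# Step 4 (optional): a manual pass now, the "Scavenge Stale Resource Records"
# action. It removes only records whose timestamp is already older than
# NoRefresh + Refresh, so it deletes nothing until the zone has been aging
# long enough, and no DNS service restart is required.
foreach ($server in $Servers) {
    dnscmd $server /StartScavenging
}
```

Keep the `-before.txt` snapshots until the first automatic pass has run; diffing them against a fresh `/EnumRecords` listing is the quickest way to confirm that only the expected stale client records disappeared.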
LVL 7

Expert Comment

by:DenisCooper
ID: 20042653
You got it...yes, that is all that is required.

I am guessing the other DNS zones you have are secondaries, in which case you can't write to that zone anyway...but even if it's not secondary, best let the owners of the zone do the scavenging - I'm guessing you wouldn't have access to it anyway...

Author Comment

by:lakeviewmedical
ID: 20042785
OK...and do I need to stop/start DNS for the changes to take effect...or will it be in place once I enable it?
LVL 7

Expert Comment

by:DenisCooper
ID: 20042906
It should take effect straight away...well, as soon as the interval kicks in, but starting and stopping it won't hurt.

Author Comment

by:lakeviewmedical
ID: 20043242
I just thought of one additional question...if I set up both of our DNS servers to do scavenging, and they are both configured to run on the same schedule, won't this cause a conflict?  Is it OK to turn this on for both DNS servers, and go with the same default settings for automatically performing scavenging operations?
LVL 7

Expert Comment

by:DenisCooper
ID: 20043248
Yes, that will be fine...they will deal with the changes accordingly, and if they both make the same change at exactly the same time, the DC with the highest GUID will win and make the actual change...AD replication is a wonderful thing...