Solved

Aging And Scavenging on DNS Zone

Posted on 2009-04-01
11
1,013 Views
Last Modified: 2012-05-06
"By default, the aging and scavenging mechanism for the DNS Server service is disabled. It should only be enabled when all parameters are fully understood. Otherwise, the server could be accidentally configured to delete records that should not be deleted. If a record is accidentally deleted, not only will users fail to resolve queries for that record, but any user can create the record and take ownership of it, even on zones configured for secure dynamic update."

Quote from: http://technet.microsoft.com/en-us/library/cc759204.aspx

This all has me worried. I need to perform an aging and scavenging task on somezone.local to clear up the DNS's association of PCs with IP addresses. Firstly, is this the right method to do what I need to do? And secondly, if I apply it to a specific zone within my DNS, will aging and scavenging affect other zones?

Just want to be secure about this because we have loads of important DNS entries in other zones I can't afford to lose by mistake.

Thank you in advance.
0
Question by:mattskiver
11 Comments
 
LVL 71

Accepted Solution

by:
Chris Dent earned 200 total points
ID: 24039873

Hey :)

> Firstly is this the right method to do what I need to do?

Yes.

> And secondly, if I apply it to a specific zone within my DNS, will aging and scavenging affect other zones?

No, only those where Scavenging has been explicitly enabled (under the Aging button in the properties for each zone).

To help understand Scavenging you could do a lot worse than read this article by MS:

http://blogs.technet.com/networking/archive/2008/03/19/don-t-be-afraid-of-dns-scavenging-just-be-patient.aspx

Because this is exactly what you need here and gaining an understanding of how the settings are applied is extremely helpful.

Also, do note that Aging / Scavenging only affects dynamically added records; it will not touch records you added manually through the GUI in any zone.

Chris
0
 
LVL 39

Assisted Solution

by:ChiefIT
ChiefIT earned 100 total points
ID: 24046661
@ Chris:

I have seen scavenging delete SRV records if the scavenging is set to scavenge prior to the TTL of the SRV records. Have you seen this as well?
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 24047518

Not the TTL, the TTL just dictates how long a record is remembered on a DNS client.

However, if the Refresh Interval is set less than 24 hours; less than the default interval for record Refresh by the NetLogon service, then the service records can be removed by Aging. The same applies for Host (A) and Pointer (PTR) records registered by the DHCP Client service, the default Refresh interval is 24 hours as well. DHCP Client is the service responsible for dynamic updates even if the system in question has static IP configuration.

It's a bit of a different story when DHCP updates on a clients behalf. The Refresh occurs 50% of the way through the lease.

Basically, the shortest value that should be considered for the Refresh Interval is either 24 hours, or 50% of the DHCP Lease, whichever is longest.

Chris
0

 

Author Comment

by:mattskiver
ID: 24048678
Ok, from my understanding static records (ones I have entered manually) should not be deleted. It seems some of the static addresses by default on our server have the "delete this record when it becomes stale" option checked.... just to confirm, I should remove this if I want to keep the static record?

Also I was looking at the Start of Authority & Name Server record which is generated; it has a set unchangeable date of 01/01/1601. Any idea why this is, and the effects on the system if this was removed by scavenging?
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 24048762

> just to confirm I should remove this if I want to keep the static record?

Correct.

They shouldn't have it ticked if they were added through the GUI, but no matter if you know which you need to keep.

The SOA and NS records are dynamically maintained, you don't need to worry about that one being killed by Scavenging, it won't happen. There's a flag you can set to enable / disable this behaviour, but you'd have to use DNSCMD (AllowNSRecordsAutoCreation).

Chris
0
 

Author Comment

by:mattskiver
ID: 24096844
Hi

Just to clear up when it was said that "There's a flag you can set to enable / disable this behaviour, but you'd have to use DNSCMD (AllowNSRecordsAutoCreation)." do I have to set this to make sure nothing happens to the SOA and NS records?

These will be the steps I will be taking, could someone let me know if it is ok?

1) I will delete any stale DNS record as the DNS needs to be sorted ASAP.

2) Uncheck the "Delete this record when it becomes stale" on any machine/server A records which have a static IP.

3) There is only one DNS server at the moment so I will turn on scavenging on the one zone I need.
no-refresh interval = 7 days
refresh interval = 7 days

4) Do the sanity check

Things to check if you find old records:

Does an IPConfig /registerdns work?
Who is the owner of the record (see security tab in the record properties)?
Was the record statically created by an admin then later enabled for scavenging?  If so you may need to delete the record to clear ownership and run an IPConfig /registerdns to get it updated.
Is the server replicating OK with AD?
Do not proceed unless you can explain any outdated records.  In the next phase they will be deleted.

5) scavenging setting on the server
right click on server and set "Enable automatic scavenging of stale records"
scavenging period = 7 days.

what does it mean by "The final step is to actually enable scavenging.  Enable scavenging on the single server you used the /ZoneResetScavengServers command on."?

Thanks.


 
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 24097681

> do I have to set this to make sure nothing happens to the SOA and NS records?

No, it's present by default.

2. Is unnecessary unless you consider those records at risk. Static clients refresh their records once every 24 hours.

5. I would set that to 1 day. That simply executes the task once a day; it can still only affect records according to your Aging Intervals.

Earlier in the blog it has you use that command to turn off Scavenging wherever it might be running. Feel free to ignore it for a new set-up. You can enable the scavenging task wherever you like, but only do it on one server, only one needs to run that task.

Chris
0
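The arithmetic Chris lays out in his two comments above (the Refresh interval should be no shorter than 24 hours or half the DHCP lease, whichever is longer; the scavenging period only decides when the task runs, while the No-refresh and Refresh intervals decide which records it may delete) is easy to get wrong, so here is an added Python model of it. It is not code from this thread or from Microsoft. Assumptions: all times are whole hours measured from the record's first registration, the scavenging task runs at every multiple of `scavenge_every`, a live client re-registers at every multiple of `client_refresh_every`, and when both land in the same hour the scavenge runs first (the pessimistic order). Static records are modelled as having no timestamp, which is why aging never touches them.

```python
"""Toy model of Windows DNS aging/scavenging arithmetic.

Added illustration only (not Microsoft's implementation). Hour granularity,
scavenge-before-client ordering within an hour, and the 90-day horizon are
assumptions made for the model.
"""

DAY = 24  # hours


def minimum_refresh_interval(dhcp_lease_hours):
    """Shortest Refresh interval worth considering (per the thread):
    24 hours (the DHCP Client / NetLogon re-registration cadence) or half
    the DHCP lease, whichever is longer."""
    return max(DAY, dhcp_lease_hours // 2)


def is_stale(timestamp, now, no_refresh, refresh):
    """A dynamic record is eligible for scavenging once
    now >= timestamp + NoRefresh + Refresh.
    A static record carries no timestamp (None) and is never aged."""
    if timestamp is None:
        return False
    return now >= timestamp + no_refresh + refresh


def first_deletion_hour(no_refresh, refresh, scavenge_every,
                        client_refresh_every=None, horizon=90 * DAY):
    """Hour at which the first scavenging run removes the record, or None if
    it survives the horizon. client_refresh_every=None models a client that
    has gone away and never re-registers."""
    timestamp = 0  # registered at hour 0
    for hour in range(1, horizon + 1):
        # Scavenging task fires on its period and deletes anything stale.
        if hour % scavenge_every == 0 and is_stale(timestamp, hour, no_refresh, refresh):
            return hour
        # The client's refresh attempt is ignored inside the No-refresh
        # window and resets the timestamp once outside it.
        if (client_refresh_every
                and hour % client_refresh_every == 0
                and hour >= timestamp + no_refresh):
            timestamp = hour
    return None


if __name__ == "__main__":
    # Live client re-registering daily, 7d/7d intervals: never deleted.
    print(first_deletion_hour(7 * DAY, 7 * DAY, DAY, client_refresh_every=DAY))
    # Same live client, but 6h/6h intervals: deleted by the first daily run.
    print(first_deletion_hour(6, 6, DAY, client_refresh_every=DAY))
    # Dead client, 7d/7d intervals: gone at hour 336 with a daily task,
    # but not until hour 360 if the task only runs every 5 days.
    print(first_deletion_hour(7 * DAY, 7 * DAY, DAY))
    print(first_deletion_hour(7 * DAY, 7 * DAY, 5 * DAY))
    print(minimum_refresh_interval(8 * DAY))  # 8-day lease -> 96 h floor
```

The second scenario is the SRV-record loss ChiefIT describes: the client is alive and re-registering every 24 hours, but with No-refresh + Refresh totalling 12 hours the record is stale before the next registration, and the daily scavenge removes it. The last two calls show why a 1-day scavenging period is harmless: it changes only how soon after becoming stale a dead record is cleared, never which records qualify.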
 

Author Comment

by:mattskiver
ID: 24108801
Hi,

Could you explain what does it mean by "The final step is to actually enable scavenging.  Enable scavenging on the single server you used the /ZoneResetScavengServers command on."?

I was going to right click on the server and set it on the server from there.

I have cleared out quite a lot of stale records from the zone. While doing this I have come across reverse lookup and there are so many old records there too. Do I have to clear these out too and apply aging and Scavenging to that zone too? Nslookup is giving out stale records. Is that because of this? Are there any issues with applying aging and Scavenging to reverse lookup zones?

Thanks.
0
 
LVL 71

Assisted Solution

by:Chris Dent
Chris Dent earned 200 total points
ID: 24135889

> I was going to right click on the server and set it on the server from there.

That's absolutely fine :)

Ideally you'll want to configure Aging on all dynamically updating zones (Forward Lookup and Reverse Lookup). It is why nslookup will be returning old results.

Chris
0
