Solved

Aging And Scavenging on DNS Zone

Posted on 2009-04-01
978 Views
Last Modified: 2012-05-06
"By default, the aging and scavenging mechanism for the DNS Server service is disabled. It should only be enabled when all parameters are fully understood. Otherwise, the server could be accidentally configured to delete records that should not be deleted. If a record is accidentally deleted, not only will users fail to resolve queries for that record, but any user can create the record and take ownership of it, even on zones configured for secure dynamic update."

Quote from: http://technet.microsoft.com/en-us/library/cc759204.aspx

This all has me worried. I need to perform an aging and scavenging task on somezone.local to clear up the DNS's association of PCs with IP addresses. Firstly, is this the right method to do what I need to do? And secondly, if I apply it to a specific zone within my DNS, will aging and scavenging affect other zones?

Just want to be secure about this because we have loads of important DNS entries in other zones I can't afford to lose by mistake.

Thank you in advance.
Question by:mattskiver
 

Accepted Solution

by:
Chris Dent earned 200 total points

Hey :)

> Firstly is this the right method to do what I need to do?

Yes.

> And secondly if i apply it to a specific zone within my DNS will aging and scavaging effect other zones?

No, only those where Scavenging has been explicitly enabled (under the Aging button in the properties for each zone).

To help understand Scavenging you could do a lot worse than read this article by MS:

http://blogs.technet.com/networking/archive/2008/03/19/don-t-be-afraid-of-dns-scavenging-just-be-patient.aspx

Because this is exactly what you need here and gaining an understanding of how the settings are applied is extremely helpful.

Also, do note that Aging / Scavenging only affects dynamically added records; it will not touch records you added manually through the GUI in any zone.

Chris
 

Assisted Solution

by:ChiefIT
ChiefIT earned 100 total points
@ Chris:

I have seen scavenging delete SRV records if the scavenging is set to scavenge prior to the TTL of the SRV records. Have you seen this as well?
 

Expert Comment

by:Chris Dent

Not the TTL, the TTL just dictates how long a record is remembered on a DNS client.

However, if the Refresh Interval is set to less than 24 hours (less than the default interval for record refresh by the NetLogon service), then the service records can be removed by Aging. The same applies to Host (A) and Pointer (PTR) records registered by the DHCP Client service; the default refresh interval is 24 hours as well. DHCP Client is the service responsible for dynamic updates even if the system in question has a static IP configuration.

It's a bit of a different story when DHCP updates on a client's behalf. The refresh occurs 50% of the way through the lease.

Basically, the shortest value that should be considered for the Refresh Interval is either 24 hours, or 50% of the DHCP Lease, whichever is longest.

Chris
 

Author Comment

by:mattskiver
OK, from my understanding static records (ones I have entered manually) should not be deleted. It seems some of the static addresses by default on our server have the "delete this record when it becomes stale" option checked... Just to confirm, I should remove this if I want to keep the static record?

Also, I was looking at the Start of Authority & Name Server record which is generated; it has a set, unchangeable date of 01/01/1601. Any idea why this is, and what the effects on the system would be if this was removed by scavenging?
 

Expert Comment

by:Chris Dent

> just to confirm I should remove this if I want to keep the static record?

Correct.

They shouldn't have it ticked if they were added through the GUI, but no matter if you know which you need to keep.

The SOA and NS records are dynamically maintained; you don't need to worry about those being killed by Scavenging, it won't happen. There's a flag you can set to enable / disable this behaviour, but you'd have to use DNSCMD (AllowNSRecordsAutoCreation).

Chris
 

Author Comment

by:mattskiver
Hi

Just to clear up when it was said that "There's a flag you can set to enable / disable this behaviour, but you'd have to use DNSCMD (AllowNSRecordsAutoCreation)." do I have to set this to make sure nothing happens to the SOA and NS records?

These will be the steps I will be taking, could someone let me know if it is ok?

1) I will delete any stale DNS records, as the DNS needs to be sorted ASAP.

2) Uncheck the "Delete this record when it becomes stale" option on any machine/server A records which have a static IP.

3) There is only one DNS server at the moment, so I will turn on scavenging on the one zone I need.
no-refresh interval = 7 days
refresh interval = 7 days

4) Do the sanity check

Things to check if you find old records:

Does an IPConfig /registerdns work?
Who is the owner of the record (see security tab in the record properties)?
Was the record statically created by an admin then later enabled for scavenging?  If so you may need to delete the record to clear ownership and run an IPConfig /registerdns to get it updated.
Is the server replicating OK with AD?
Do not proceed unless you can explain any outdated records.  In the next phase they will be deleted.

5) Scavenging setting on the server
Right click on the server and set "Enable automatic scavenging of stale records"
scavenging period = 7 days.

what does it mean by "The final step is to actually enable scavenging.  Enable scavenging on the single server you used the /ZoneResetScavengServers command on."?

Thanks.


 

Expert Comment

by:Chris Dent

> do I have to set this to make sure nothing happens to the SOA and NS records?

No, it's present by default.

2. Is unnecessary unless you consider those records at risk. Static clients refresh their records once every 24 hours.

5. I would set that to 1 day. That simply executes the task once a day; it can still only affect records according to your Aging intervals.

Earlier in the blog it has you use that command to turn off Scavenging wherever it might be running. Feel free to ignore it for a new set-up. You can enable the scavenging task wherever you like, but only do it on one server, only one needs to run that task.

Chris
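To make the interval arithmetic in this thread concrete (Chris's rule that the Refresh Interval must be at least 24 hours or half the DHCP lease, and the 7-day/7-day zone settings with a daily scavenging run from the plan above), here is an added model of the aging timeline. It is an illustration written for this page, not Microsoft's code, and every schedule in it is constructed; times are hours since the record was first registered.

```python
# Added illustration of the Windows DNS aging/scavenging timeline (not Microsoft
# code). Times are hours since the record was first registered dynamically.

def min_refresh_interval_hours(dhcp_lease_hours):
    """Shortest Refresh Interval that will not age live records away:
    at least 24 h (NetLogon and the DHCP Client service re-register daily), or
    half the DHCP lease (the DHCP server refreshes at 50% of the lease),
    whichever is longer."""
    return max(24.0, dhcp_lease_hours / 2)


def simulate(no_refresh, refresh, refresh_attempts, scavenge_runs, dynamic=True):
    """Replay a client's re-registration attempts and the server's scavenging
    runs in time order.

    Returns the hour at which the record was deleted, or None if it survived.
    dynamic=False models a static record ('delete when stale' unticked), which
    scavenging never touches.
    """
    if not dynamic:
        return None
    timestamp = 0.0                       # set at the first registration
    events = sorted([(t, "refresh") for t in refresh_attempts]
                    + [(t, "scavenge") for t in scavenge_runs])
    for t, kind in events:
        if kind == "refresh":
            # During the no-refresh interval an update that only re-asserts the
            # same data is ignored; afterwards it rewrites the timestamp.
            if t >= timestamp + no_refresh:
                timestamp = t
        elif t >= timestamp + no_refresh + refresh:
            return t                      # both intervals elapsed: stale, deleted
    return None


HOUR = 1
DAY = 24 * HOUR
# Constructed schedules: a client that re-registers once a day, and the
# scavenging task run daily (Chris's suggested 1-day scavenging period).
DAILY_CLIENT = [d * DAY for d in range(1, 60)]
DAILY_SCAVENGE = [d * DAY for d in range(0, 60)]

if __name__ == "__main__":
    print(simulate(7 * DAY, 7 * DAY, DAILY_CLIENT, DAILY_SCAVENGE))  # live PC: None
    print(simulate(7 * DAY, 7 * DAY, [], DAILY_SCAVENGE))            # retired PC: 336
    # Refresh Interval below 24 h: the record goes stale before NetLogon's
    # next daily re-registration, so a scavenge run at hour 13 removes it.
    print(simulate(1 * HOUR, 12 * HOUR, DAILY_CLIENT, [13 * HOUR + d * DAY for d in range(10)]))
```

The third call reproduces ChiefIT's observation about SRV records: it is the refresh timing, not the TTL, that decides whether a live record survives.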
 

Author Comment

by:mattskiver
Hi,

Could you explain what does it mean by "The final step is to actually enable scavenging.  Enable scavenging on the single server you used the /ZoneResetScavengServers command on."?

I was going to right click on the server and set it on the server from there.

I have cleared out quite a lot of stale records from the zone. While doing this I have come across reverse lookup, and there are so many old records there too. Do I have to clear these out too, and apply aging and scavenging to that zone as well? Nslookup is giving out stale records. Is that because of this? Are there any issues with applying aging and scavenging to reverse lookup zones?

Thanks.
 

Assisted Solution

by:Chris Dent
Chris Dent earned 200 total points

> I was going to right click on the server and set it on the server from there.

That's absolutely fine :)

Ideally you'll want to configure Aging on all dynamically updating zones (Forward Lookup and Reverse Lookup). It is why nslookup will be returning old results.

Chris
