Aging And Scavenging on DNS Zone

Posted on 2009-04-01
Last Modified: 2012-05-06
"By default, the aging and scavenging mechanism for the DNS Server service is disabled. It should only be enabled when all parameters are fully understood. Otherwise, the server could be accidentally configured to delete records that should not be deleted. If a record is accidentally deleted, not only will users fail to resolve queries for that record, but any user can create the record and take ownership of it, even on zones configured for secure dynamic update."

Quote from: http://technet.microsoft.com/en-us/library/cc759204.aspx

This all has me worried. I need to perform an aging and scavenging task on somezone.local to clear up the DNS's association of PCs with IP addresses. Firstly, is this the right method to do what I need to do? And secondly, if I apply it to a specific zone within my DNS, will aging and scavenging affect other zones?

Just want to be secure about this because we have loads of important DNS entries in other zones I can't afford to lose by mistake.

Thank you in advance.
Question by:mattskiver
Accepted Solution

by: Chris Dent (earned 200 total points)
ID: 24039873

Hey :)

> Firstly is this the right method to do what I need to do?

Yes.

> And secondly, if I apply it to a specific zone within my DNS, will aging and scavenging affect other zones?

No, only those where Scavenging has been explicitly enabled (under the Aging button in the properties for each zone).

To help understand Scavenging you could do a lot worse than read this article by MS:

http://blogs.technet.com/networking/archive/2008/03/19/don-t-be-afraid-of-dns-scavenging-just-be-patient.aspx

Because this is exactly what you need here and gaining an understanding of how the settings are applied is extremely helpful.

Also, do note that Aging / Scavenging only affects dynamically added records; it will not touch records you added manually through the GUI in any zone.

Chris
Assisted Solution

by: ChiefIT (earned 100 total points)
ID: 24046661
@ Chris:

I have seen scavenging delete SRV records if the scavenging is set to scavenge prior to the TTL of the SRV records. Have you seen this as well?
Expert Comment

by:Chris Dent
ID: 24047518

Not the TTL, the TTL just dictates how long a record is remembered on a DNS client.

However, if the Refresh Interval is set to less than 24 hours, which is less than the default interval for record refresh by the NetLogon service, then the service records can be removed by Aging. The same applies for Host (A) and Pointer (PTR) records registered by the DHCP Client service; the default refresh interval is 24 hours as well. DHCP Client is the service responsible for dynamic updates even if the system in question has a static IP configuration.

It's a bit of a different story when DHCP updates on a client's behalf. The refresh occurs 50% of the way through the lease.

Basically, the shortest value that should be considered for the Refresh Interval is either 24 hours or 50% of the DHCP lease, whichever is longer.

Chris
Author Comment

by:mattskiver
ID: 24048678
OK, from my understanding static records (ones I have entered manually) should not be deleted, but it seems some of the static addresses by default on our server have the "Delete this record when it becomes stale" option checked. Just to confirm, I should remove this if I want to keep the static record?

Also, I was looking at the Start of Authority and Name Server records, which are generated; they have a set unchangeable date of 01/01/1601. Any idea why this is, and what the effects on the system would be if these were removed by scavenging?
Expert Comment

by:Chris Dent
ID: 24048762

> just to confirm I should remove this if I want to keep the static record?

Correct.

They shouldn't have it ticked if they were added through the GUI, but no matter if you know which you need to keep.

The SOA and NS records are dynamically maintained; you don't need to worry about those being killed by Scavenging, it won't happen. There's a flag you can set to enable / disable this behaviour, but you'd have to use DNSCMD (AllowNSRecordsAutoCreation).

Chris
Author Comment

by:mattskiver
ID: 24096844
Hi

Just to clear up when it was said that "There's a flag you can set to enable / disable this behaviour, but you'd have to use DNSCMD (AllowNSRecordsAutoCreation)." do I have to set this to make sure nothing happens to the SOA and NS records?

These will be the steps I will be taking, could someone let me know if it is ok?

1) I will delete any stale DNS record as the DNS needs to be sorted ASAP.

2) Uncheck the "Delete this record when it becomes stale" option on any machine/server A records which have a static IP.

3) There is only one DNS server at the moment, so I will turn on scavenging on the one zone I need.
no-refresh interval = 7 days
refresh interval = 7 days

4) Do the sanity check.

Things to check if you find old records:

Does an IPConfig /registerdns work?
Who is the owner of the record (see security tab in the record properties)?
Was the record statically created by an admin then later enabled for scavenging?  If so you may need to delete the record to clear ownership and run an IPConfig /registerdns to get it updated.
Is the server replicating OK with AD?
Do not proceed unless you can explain any outdated records.  In the next phase they will be deleted.

5) Scavenging setting on the server:
right click on the server and set "Enable automatic scavenging of stale records"
scavenging period = 7 days.

What does it mean by "The final step is to actually enable scavenging. Enable scavenging on the single server you used the /ZoneResetScavengServers command on."?

Thanks.
Expert Comment

by:Chris Dent
ID: 24097681

> do I have to set this to make sure nothing happens to the SOA and NS records?

No, it's present by default.

2. Is unnecessary unless you consider those records at risk. Static clients refresh their records once every 24 hours.

5. I would set that to 1 day. That simply executes the task once a day; it can still only affect records according to your Aging Intervals.

Earlier in the blog it has you use that command to turn off Scavenging wherever it might be running. Feel free to ignore it for a new set-up. You can enable the scavenging task wherever you like, but only do it on one server, only one needs to run that task.

Chris
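A read-only pre-scavenging sanity check, added here as an example and not code from the thread, from Microsoft or from the linked blog: it applies Chris's rule for the minimum safe Refresh Interval (24 hours or half the DHCP lease, whichever is longer) and lists the dynamic A records in the zone with the time at which each becomes eligible for scavenging, which is the step 4 check in the plan above. It assumes the DnsServer PowerShell module on a Windows DNS server, the zone name somezone.local from the question, and an 8-day DHCP lease as a placeholder value.

```powershell
# Added example (not from the original thread). Read-only: it changes nothing on the server.
param(
    [string]$ZoneName = "somezone.local",   # zone from the question
    # Assumed lease length; take it from Get-DhcpServerv4Scope if DHCP runs on this server.
    [TimeSpan]$DhcpLease = (New-TimeSpan -Days 8)
)

$aging  = Get-DnsServerZoneAging -Name $ZoneName
$server = Get-DnsServerScavenging

# Rule from the thread: the Refresh Interval must be at least 24 hours (NetLogon and
# DHCP Client re-register daily) or half the DHCP lease, whichever is longer.
$minRefresh = [TimeSpan]::FromHours(24)
$halfLease  = [TimeSpan]::FromTicks([long]($DhcpLease.Ticks / 2))
if ($halfLease -gt $minRefresh) { $minRefresh = $halfLease }

"Zone $ZoneName : aging = $($aging.AgingEnabled), no-refresh = $($aging.NoRefreshInterval), refresh = $($aging.RefreshInterval)"
"Server scavenging task: enabled = $($server.ScavengingState), period = $($server.ScavengingInterval)"

if ($aging.RefreshInterval -lt $minRefresh) {
    Write-Warning "Refresh interval $($aging.RefreshInterval) is shorter than the safe minimum $minRefresh; SRV, A and PTR records could age out before clients re-register."
}
if ($server.ScavengingState -and -not $aging.AgingEnabled) {
    "The server task is on but this zone has aging off, so scavenging will not touch it."
}

# Only records carrying a timestamp are dynamic and subject to aging; records created by
# hand in the GUI have no timestamp. A dynamic record becomes eligible for deletion once
# Timestamp + No-refresh + Refresh has passed, so anything flagged StaleNow goes on the
# next scavenging run and should be explained before proceeding.
$now       = Get-Date
$threshold = $aging.NoRefreshInterval + $aging.RefreshInterval
Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType A |
    Where-Object { $_.Timestamp } |
    ForEach-Object {
        [pscustomobject]@{
            HostName   = $_.HostName
            IPAddress  = $_.RecordData.IPv4Address
            Timestamp  = $_.Timestamp
            EligibleAt = $_.Timestamp + $threshold
            StaleNow   = ($_.Timestamp + $threshold) -lt $now
        }
    } |
    Sort-Object EligibleAt |
    Format-Table -AutoSize
```

Run it again against the reverse lookup zone (PTR records, -RRType PTR) before enabling aging there, since the same timeline applies.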
Author Comment

by:mattskiver
ID: 24108801
Hi,

Could you explain what does it mean by "The final step is to actually enable scavenging.  Enable scavenging on the single server you used the /ZoneResetScavengServers command on."?

I was going to right click on the server and set it on the server from there.

I have cleared out quite a lot of stale records from the zone. While doing this I have come across the reverse lookup zone, and there are so many old records there too. Do I have to clear these out too and apply aging and scavenging to that zone as well? Nslookup is giving out stale records. Is that because of this? Are there any issues with applying aging and scavenging to reverse lookup zones?

Thanks.
Assisted Solution

by: Chris Dent (earned 200 total points)
ID: 24135889

> I was going to right click on the server and set it on the server from there.

That's absolutely fine :)

Ideally you'll want to configure Aging on all dynamically updating zones (Forward Lookup and Reverse Lookup). It is why nslookup will be returning old results.

Chris