How to check out our DNS replication and clear the cache and stale records if they exist?

We were told to look into our DNS replication and remove any stale records.
We are a small to medium-sized business with 3 branch locations.
Please ask whatever questions you have and I will get back to you promptly.
There is 1 domain controller in 2 of the branches and 2 more domain controllers in the main branch (where I work).
Thanks in advance.
Asked by homerslmpson
1 Solution
 
Chris Dent (PowerShell Developer) commented:

Active Directory?
Do you use DHCP? If so, how long is the Lease?
Does DHCP update DNS for you (this is the default setting, so if you haven't changed anything it will)?
If DHCP updates DNS, do you have more than one DHCP server?
Have you configured Aging / Scavenging at all?

Chris
 
homerslmpson (Author) commented:
Active Directory? YES
Do you use DHCP? If so, how long is the Lease? YES, the lease is 8 days
Does DHCP update DNS for you (this is the default setting, so if you haven't changed anything it will)? All 4 DHCP servers are set to the following option:
"Dynamically update DNS A and PTR records only if requested by DHCP clients"
If DHCP updates DNS, do you have more than one DHCP server? There are 4 DHCP servers total (2 in the main branch and 1 in each of the 2 branch locations)
Have you configured Aging / Scavenging at all? I just checked all 4 servers and none of them seem to have that option enabled

Thanks in advance for your help.
 
Chris Dent (PowerShell Developer) commented:

Do your clients move between sites at all? If they do, we should configure DHCP to use specific credentials when updating DNS, otherwise each DHCP server won't be able to change records created by other DHCP servers.

Aging and Scavenging is our cleanup process. It'll take a while to configure, but you have nothing really unusual. I would enable 3 Days No-Refresh and 5 Days Refresh on each zone where records are being added (and tick the box at the top that enables the zone for Scavenging). That makes a total of 8 days before a record can become stale (and be scavenged), which matches up nicely with the DHCP lease time.

Once the settings are in, you need one of your DNS servers to run the Scavenging process; this is set in the DNS console, in the Properties for the server under the Advanced tab. I recommend setting the Scavenging Interval to 1 day (so it runs the task once a day).

It's not quite as straightforward as that; even then it won't clean out anything immediately. This article from the MS guys does a good job of explaining the settings and how they work together:

http://blogs.technet.com/networking/archive/2008/03/19/don-t-be-afraid-of-dns-scavenging-just-be-patient.aspx

It's well worth reading. If it raises any questions about the process then I'll happily expand on it.

Chris
 
homerslmpson (Author) commented:
OK I followed all of the steps you mentioned above.

I also right-clicked on each server and selected SCAVENGE STALE RESOURCE RECORDS on each server as well.

I don't know if that was beneficial or harmful.

Any final thoughts?

Thanks for your help, I really appreciate it.
 
Chris Dent (PowerShell Developer) commented:

You only want to make these changes on one server.

Changes made to each zone's Aging will automatically replicate to all other DNS servers.
Only one server should be running the Scavenging task (Server Properties / Advanced / Enable Automatic Scavenging of Stale Records).

Enabling it on a single server prevents confusion; changes made by that server are replicated to the others.

Chris
 
homerslmpson (Author) commented:
OK. I have made only 1 server responsible for the scavenging task.
I also unchecked the aging box on the other 3 servers as well.

Was it OK that I did this:
"I also right-clicked on each server and selected SCAVENGE STALE RESOURCE RECORDS on each server as well."

When setting up the aging on the one server I also checked the box that says:
APPLY THESE SETTINGS TO THE EXISTING ACTIVE DIRECTORY-INTEGRATED ZONES.

Was this OK?

Thanks again!
 
Chris Dent (PowerShell Developer) commented:

You have a few options that are getting confused here:

1. Set Aging\Scavenging for all zones

You find this option by right-clicking on the server in the DNS console. You can use this option to configure Aging for all zones on a server.

Aging can be deselected on individual zones after this has been used if required.

2. Zone Properties / Aging

Found by opening the Properties for an individual zone, then clicking the Aging button. Use this if you have a mixture of zones and you only want to use Aging / Scavenging on a small number of them.

If you set these via option 1, it will overwrite the settings here.

Clearing the setting from here on any DNS server will cause the change to replicate to all DNS servers hosting the zone. That means if you cleared the setting on one of the three DCs, it will replicate to the other two. Make sure yours is still set.

Check yours are still enabled because unticking it on the other two should replicate to the third DC.

3. Enable Scavenging / Scavenging Interval

Found in the Server Properties under the Advanced tab. This sets up a server to perform the cleaning task; without this one, the other settings are just aesthetic (they look pretty).

This one should be set on a single server; only one needs to be running this task.

Chris
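As an added example (not part of the thread, and written for the DnsServer PowerShell module that ships with Windows Server 2012 and later, which postdates this discussion), the following audit checks the three settings Chris distinguishes: per-zone Aging and whether NoRefresh + Refresh equals the DHCP lease, and that exactly one server has the Scavenging task enabled. The server names and the 8-day lease are placeholders.

```powershell
# Added example, not from the thread: audit the aging/scavenging settings Chris lists.
# Assumes the DnsServer module (Windows Server 2012+ or RSAT DNS tools) and rights on each server.
# Server names and the lease length are placeholders; substitute your own.
$DnsServers = 'DC1-MAIN', 'DC2-MAIN', 'DC-BRANCH1', 'DC-BRANCH2'   # placeholder hostnames
$DhcpLease  = New-TimeSpan -Days 8                                 # lease quoted in the thread

# Option 3: exactly one server should run the scavenging task
# (Server Properties / Advanced / Enable automatic scavenging of stale records).
$scavengers = foreach ($s in $DnsServers) {
    $sc = Get-DnsServerScavenging -ComputerName $s
    [pscustomobject]@{
        Server   = $s
        Enabled  = $sc.ScavengingState
        Interval = $sc.ScavengingInterval
        LastRun  = $sc.LastScavengeTime
    }
}
$scavengers | Format-Table -AutoSize
$enabledCount = @($scavengers | Where-Object { $_.Enabled }).Count
if ($enabledCount -ne 1) {
    Write-Warning "Expected exactly one server with scavenging enabled, found $enabledCount."
}

# Options 1 and 2: zone aging replicates with the zone, so reading one DC is enough.
$primary = $DnsServers[0]
$zones = Get-DnsServerZone -ComputerName $primary |
    Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated -and $_.ZoneName -ne 'TrustAnchors' }
foreach ($z in $zones) {
    $aging  = Get-DnsServerZoneAging -Name $z.ZoneName -ComputerName $primary
    $window = $aging.NoRefreshInterval + $aging.RefreshInterval   # age at which a record becomes stale
    '{0,-35} Aging={1,-5} Window={2}' -f $z.ZoneName, $aging.AgingEnabled, $window
    if ($aging.AgingEnabled -and $window -ne $DhcpLease) {
        Write-Warning "$($z.ZoneName): NoRefresh+Refresh ($window) does not equal the DHCP lease ($DhcpLease)."
    }
    # Dynamic records carry a timestamp; static ones have none and are never scavenged.
    # Records timestamped before (now - window) are what the next scavenging run would remove.
    $rrType = if ($z.IsReverseLookupZone) { 'PTR' } else { 'A' }
    $stale  = Get-DnsServerResourceRecord -ZoneName $z.ZoneName -ComputerName $primary -RRType $rrType |
        Where-Object { $_.Timestamp -and $_.Timestamp -lt (Get-Date).Subtract($window) }
    '  {0} dynamic {1} records older than the aging window' -f @($stale).Count, $rrType
}
```

Run it before and after enabling scavenging so you can see which records a run would remove rather than discovering it after the fact.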
 
homerslmpson (Author) commented:
OK so:

1. Set Aging\Scavenging for all zones: I DID ON ALL SERVERS

I skipped 2.

3. Enable Scavenging / Scavenging Interval: I DID ON ONLY 1 SERVER

Is this correct?

 
Chris Dent (PowerShell Developer) commented:

Great, that's absolutely fine :-D

Chris