Solved

Server 2003 DNS Scavenging

Posted on 2009-05-20
Last Modified: 2012-05-07
We've been working the past few months to implement DNS scavenging on 2 production domains. Process we followed was first implemented in DEV successfully and ported to domain1 with great success. Implemented in domain2 approx 30 days ago. Scavenging runs but does not scavenge any records. When viewing timestamps of records there are obviously dated/stale records that should be scavenged. Here was the process we followed:

Turn off scavenging on all servers.  To confirm scavenging won't inadvertently run use the DNSCmd /ZoneResetScavengeServers to confine scavenging to a single server then ensure this server has scavenging disabled.
Turn on scavenging on the zones you wish to scavenge.  Set the refresh and No-refresh intervals as desired 7 days/8 days.  Left the refresh at the default.
Waited past interval and reviewed aged records. After being satisfied that records had aged correctly and nothing important would be scavenged - we enabled scavenging on single DC.
In first 2 successful attempts/stale records were scavenged and job runs approx every 170hrs.
In unsuccessful attempt on 3rd domain - 2501 appeared in DNS log after time-frame - correct zones were reviewed by device but stale records were not scavenged. Every week since (3) scavenging has run but records are not removed.

Reference site from Technet blogs.
 

http://blogs.technet.com/networking/archive/2008/03/19/don-t-be-afraid-of-dns-scavenging-just-be-patient.aspx

Question by:BadFishToo
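The "reviewed aged records" step above depends on reading each record's aging timestamp before scavenging is switched on. As an added example (not part of the question, and not a Microsoft tool), the following Python script parses the output of dnscmd <server> /EnumRecords <zone> @ /Type A /Aging, which I assume prints each dynamic record as "<name> [Aging:<hours since 1601-01-01 UTC>] <ttl> <type> <data>" and prints static records without the [Aging:] tag, and classifies every record against the no-refresh and refresh intervals. With the 7-day/8-day intervals used here, anything older than 15 days is eligible, which is the check raised in the first comment. The sample output and the fixed "now" are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of what "dnscmd <server> /EnumRecords <zone> @ /Type A /Aging"
# prints (assumed format: "<name> [Aging:<hours since 1601-01-01 UTC>] <ttl> <type> <data>";
# static records carry no [Aging:] tag and are never scavenged).
SAMPLE_ENUMRECORDS = """\
Returned records:
@ [Aging:3579700] 600 A 10.0.0.1
web01 [Aging:3579500] 1200 A 10.0.0.10
old-laptop [Aging:3570000] 1200 A 10.0.0.50
printer [Aging:3510000] 1200 A 10.0.0.60
fileserver 1200 A 10.0.0.2

Command completed successfully.
"""

# Constructed "current time" matching the event 2501 quoted later in the thread
# (naive UTC; use datetime.utcnow() when running against real dnscmd output).
SAMPLE_NOW = datetime(2009, 5, 19, 17, 31, 57)

RECORD_RE = re.compile(r"^(\S+)\s+(?:\[Aging:(\d+)\]\s+)?(\d+)\s+(\w+)\s+(.+)$")
EPOCH_1601 = datetime(1601, 1, 1)  # the aging counter is hours since this instant (UTC)


def aging_to_datetime(hours):
    """Convert an [Aging:<hours>] value to a naive UTC datetime."""
    return EPOCH_1601 + timedelta(hours=int(hours))


def classify_records(text, no_refresh_days, refresh_days, now):
    """Classify each record the way the scavenger will see it at time `now`.

    no-refresh : younger than the no-refresh interval, timestamp cannot be renewed yet
    refresh    : inside the refresh window, a dynamic update would renew it
    stale      : older than no-refresh + refresh, eligible for scavenging
    static     : no timestamp, never scavenged
    """
    no_refresh = timedelta(days=no_refresh_days)
    eligible_after = timedelta(days=no_refresh_days + refresh_days)
    results = []
    for raw in text.splitlines():
        m = RECORD_RE.match(raw.strip())
        if not m:
            continue  # header, blank line, "Command completed successfully."
        name, aging, ttl, rtype, data = m.groups()
        entry = {"name": name, "type": rtype, "data": data,
                 "timestamp": None, "age_days": None}
        if aging is None:
            entry["status"] = "static"
        else:
            ts = aging_to_datetime(aging)
            age = now - ts
            entry["timestamp"] = ts
            entry["age_days"] = round(age.total_seconds() / 86400, 1)
            if age <= no_refresh:
                entry["status"] = "no-refresh"
            elif age <= eligible_after:
                entry["status"] = "refresh"
            else:
                entry["status"] = "stale"
        results.append(entry)
    return results


def stale_names(results):
    """Names the next cycle should remove; compare the count with 'Scavenged Records' in event 2501."""
    return [r["name"] for r in results if r["status"] == "stale"]


if __name__ == "__main__":
    # Intervals from the thread: no-refresh 7 days, refresh 8 days -> stale after 15 days.
    records = classify_records(SAMPLE_ENUMRECORDS, 7, 8, SAMPLE_NOW)
    for r in records:
        print(f"{r['name']:<12} {r['status']:<11} {r['timestamp']} age_days={r['age_days']}")
    print("eligible for scavenging:", stale_names(records))
```

Running this against a zone before enabling scavenging gives you the list of names that should disappear on the first cycle, so a "Scavenged Records = 0" event afterwards is immediately recognisable as a problem rather than a zone with nothing to remove.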
 
LVL 70

Expert Comment

by:Chris Dent
ID: 24433308

Each record you're expecting to be Scavenged is showing a Time Stamp more than 15 days old?

Chris

Author Comment

by:BadFishToo
ID: 24433328
Yes. All records appeared to age correctly. Some time stamps are years old. In our primary domain - following this process - we scavenged 20k records the first run through. Forest has been around for 8 years without ever having scavenging enabled.  - thanks, Shawn
LVL 70

Expert Comment

by:Chris Dent
ID: 24433495

For those that are years old, if you open one up does it have the tick box for Scavenge when stale ticked? Might need View / Advanced if you don't have that on already.

It shouldn't really have a time-stamp if it's not going to be scavenged, but it's worth checking.

Chris

Author Comment

by:BadFishToo
ID: 24433524
Yes "scavenge when stale" is enabled. Also - we actually view the records using a 2008 DNS MGMT console which shows the timestamps from the console.
LVL 70

Expert Comment

by:Chris Dent
ID: 24433564

Is Scavenging running on the 2008 server?

And is it clearing out records that have been created since?

If it's only leaving very old records.... Does the system concerned have rights to delete them? I'd expect "ENTERPRISE DOMAIN CONTROLLERS" to have Full Control and potentially SYSTEM as well.

Chris

Author Comment

by:BadFishToo
ID: 24433587
No, neither scavenging nor DNS is running on a 2008 server. We're just using the 2008 MGMT console to view the zones as it shows the timestamps right in the console window rather than drilling down each individual record. Our forest DCs are entirely 2003 Standard R2.
LVL 70

Expert Comment

by:Chris Dent
ID: 24433607

Ahh okay, fair enough, it's a good enough reason to use the tools :)

Still curious if it's cleaning out newer records, and if those it's failing to clean are because of security :)

Chris

Author Comment

by:BadFishToo
ID: 24433665
It's not scavenging any records at all...new or old.

Event Type:      Information
Event Source:    DNS
Event Category:  None
Event ID:        2501
Date:            5/19/2009
Time:            5:31:57 PM
User:            N/A
Computer:        XXXXXX
Description:
The DNS server has completed a scavenging cycle:
Visited Zones     = 26,
Visited Nodes     = 65,
Scavenged Nodes   = 9,
Scavenged Records = 0. <-------HERE

This cycle took 0 seconds.

The next scavenging cycle is scheduled to run in 168 hours.
LVL 70

Accepted Solution

by:Chris Dent (earned 500 total points)
ID: 24434808

This bit puzzles me...

> Visited Nodes     = 65,

You see I have a DNS Server here at home. I have 5 clients using the network (on a busy day) and I have 71 Nodes Visited. I assume you have rather more nodes than me over 26 zones...

Chris

Author Comment

by:BadFishToo
ID: 24434961
I saw that too - never noticed that until today. I think I have enough to go on, thanks. The replication mode here has been changed several times and as a result - there are copies of the zone in several partitions...I think what is happening here is that the DC is attempting to scavenge the "wrong" zone - I need to review the ForestDNSZones, DomainDNSZones and MicrosoftDNS partitions and clear out what is no longer valid. Thank you for your help.

Shawn
LVL 70

Expert Comment

by:Chris Dent
ID: 24434977

That would make a lot of sense. Presumably you're getting events logged stating that it encountered multiple zones of the same name?

Chris

Author Comment

by:BadFishToo
ID: 24434992
Correct, 4515 in DNS log on start-up.

Author Comment

by:BadFishToo
ID: 24435002
LVL 70

Expert Comment

by:Chris Dent
ID: 24435075

Yeah, I know that one :)

I even have a script for listing zones stored in the two main partitions to save myself the bother of opening ADSIEdit ;)

Chris
```vbscript
Option Explicit

' Lists the dnsZone objects under CN=MicrosoftDNS in the given application partition.
' Errors (for example an unreachable or missing partition) are reported in the returned
' text rather than raised, because On Error Resume Next is in force inside the function.
Function ListDNSZonesInPartition(strPartition)

  On Error Resume Next : Err.Clear
  Dim objPartition : Set objPartition = GetObject("LDAP://" & strPartition)
  Dim strReturn

  If Err.Number <> 0 Then

    strReturn = strReturn & "Error connecting to partition: " & strPartition & vbCrLf
    strReturn = strReturn & "Message: " & Err.Description & vbCrLf

  Else

    strReturn = strReturn & "Zones stored in partition: " & strPartition & vbCrLf

    ' Every zone held in this partition is a child of its MicrosoftDNS container
    Dim objMSDNS : Set objMSDNS = GetObject("LDAP://CN=MicrosoftDNS," & _
      objPartition.Get("distinguishedName"))

    Dim objZone
    For Each objZone in objMSDNS
      strReturn = strReturn & objZone.Get("name") & vbCrLf
    Next

  End If

  ListDNSZonesInPartition = strReturn
End Function

' RootDSE gives the DNs of the domain and forest naming contexts without hard-coding them
Dim objRootDSE : Set objRootDSE = GetObject("LDAP://RootDSE")

Dim strDomainDNS : strDomainDNS = "DC=DomainDNSZones," & objRootDSE.Get("defaultNamingContext")
WScript.Echo ListDNSZonesInPartition(strDomainDNS)

Dim strForestDNS : strForestDNS = "DC=ForestDNSZones," & objRootDSE.Get("rootDomainNamingContext")
WScript.Echo ListDNSZonesInPartition(strForestDNS)

Set objRootDSE = Nothing
```

0
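To turn that script's output into the check this thread ended on (the same zone name stored in more than one partition, which the server reports as event 4515 at start-up), here is an added Python example, not from the thread, that parses a listing in the format the VBScript prints and the event 2501 description quoted earlier, then reports the findings an operator would want. Its sample listing also includes CN=MicrosoftDNS,CN=System,<domain NC>, the legacy storage location for AD-integrated zones that the script above does not enumerate. Both input samples are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the format printed by ListDNSZonesInPartition above: a
# "Zones stored in partition:" header followed by one zone name per line. The
# third block stands for the legacy location CN=MicrosoftDNS,CN=System,<domain NC>,
# which the VBScript does not query but which can hold a further copy of a zone.
SAMPLE_PARTITION_LISTING = """\
Zones stored in partition: DC=DomainDNSZones,DC=corp,DC=example
corp.example
10.in-addr.arpa
Zones stored in partition: DC=ForestDNSZones,DC=corp,DC=example
_msdcs.corp.example
corp.example
Zones stored in partition: CN=System,DC=corp,DC=example
corp.example
"""

# Constructed copy of the event 2501 description quoted in the thread.
SAMPLE_EVENT_2501 = """\
The DNS server has completed a scavenging cycle:
Visited Zones     = 26,
Visited Nodes     = 65,
Scavenged Nodes   = 9,
Scavenged Records = 0.
"""

HEADER = "Zones stored in partition:"
ERROR_HEADER = "Error connecting to partition:"
COUNTER_RE = re.compile(r"^([A-Za-z ]+?)\s*=\s*(\d+)")


def parse_partition_listing(text):
    """Map each zone name (lower-cased) to the set of partitions holding a copy."""
    zones = defaultdict(set)
    partition = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(HEADER):
            partition = line[len(HEADER):].strip()
        elif line.startswith(ERROR_HEADER) or line.startswith("Message:"):
            partition = None  # partition unreachable; ignore lines until the next header
        elif partition is not None:
            zones[line.lower()].add(partition)
    return dict(zones)


def duplicated_zones(zones):
    """Zones present in more than one partition, each with its locations sorted."""
    return {name: sorted(parts) for name, parts in zones.items() if len(parts) > 1}


def parse_scavenging_event(text):
    """Extract the four counters from an event 2501 description."""
    counters = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line.strip())
        if m:
            counters[m.group(1).strip()] = int(m.group(2))
    return counters


def scavenging_warnings(counters, duplicates):
    """Plain-language findings for an operator reviewing a scavenging cycle."""
    warnings = []
    if counters.get("Scavenged Records", 0) == 0:
        warnings.append(
            "Cycle visited %d zones / %d nodes but scavenged 0 records; confirm that the "
            "copy of each zone this server loads is the one whose records have aged."
            % (counters.get("Visited Zones", 0), counters.get("Visited Nodes", 0)))
    for name, parts in duplicates.items():
        warnings.append(
            "Zone %s has copies in %d partitions (%s); expect event 4515 at service "
            "start and remove the copies that are no longer valid."
            % (name, len(parts), "; ".join(parts)))
    return warnings


if __name__ == "__main__":
    dups = duplicated_zones(parse_partition_listing(SAMPLE_PARTITION_LISTING))
    for w in scavenging_warnings(parse_scavenging_event(SAMPLE_EVENT_2501), dups):
        print("WARNING:", w)
```

Feed it the real output of the script (plus a third run against CN=System,<domain NC>) and the text of the latest 2501 event; a zone named in more than one partition is the first thing to reconcile before expecting the next cycle to remove anything.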
 

Author Comment

by:BadFishToo
ID: 24435098
awesome. Thanks for your help!