Solved

dns scavenging logging

Posted on 2010-11-15
23
2,906 Views
Last Modified: 2012-06-27
I get the following event log information.  Is there a log I can open to see what records have been scavenged?  Thanks in advance.

The DNS server has completed a scavenging cycle:
Visited Zones     = 21,
Visited Nodes     = 1110,
Scavenged Nodes   = 55,
Scavenged Records = 49.
 
This cycle took 0 seconds.
0
Comment
Question by:escreen
  • 8
  • 7
  • 5
  • +1
23 Comments
 
LVL 5

Expert Comment

by:BatchV
ID: 34141037
What version of server are you running?
0
 
LVL 1

Author Comment

by:escreen
ID: 34141609
Server 2003.
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 34143227

You could increase the level of audit logging, catch changes to the dnsTombstoned property for objects in your DNS zone. That'll log entries to the Security Log (if you have Audit Logging enabled in policy). It will not be entirely clear though, certainly not a nice concise list.

Chris
0
What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

 
LVL 5

Expert Comment

by:BatchV
ID: 34143620
You could edit the registery to log all events in DNS. Link below gives details
http://technet.microsoft.com/en-us/library/cc782080(WS.10).aspx
0
 
LVL 30

Expert Comment

by:Rich Weissler
ID: 34144336
@BatchV -- increasing the logging of events to include information only provides the summary information.  The 2501 message reported by the user is already an Information level message.  (The best additional logging I thought might include the level of detail the user is looking for might be Debug Logging -- but my servers are all handing tens to hundreds of thousands of requests per hour, and I'm nervous turning on THAT level of debugging.)
0
 
LVL 5

Expert Comment

by:BatchV
ID: 34146576
Apart from this I don't really think you have much choice with this issue.
0
 
LVL 1

Author Comment

by:escreen
ID: 34146754
The DNS server is already set to log all events and I do not see any information in the logs about scavenging.  Really seems wierd that Microsoft would tell you how many nodes it scavenged and not log that information anywhere...  Any other ideas?

The reason why I want to find this out is that I have had some DNS entries disappeard and the only thing I can think of that may have removed them is scavenging.

Thanks!
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 34147076

Maybe you could just pull a list of records using the LDAP Filter (dnsTombstoned=TRUE)?

Given that "deleted" records are kept in that state for 14 days (by default, defined by dsTombstoneInterval) you won't find there's much more than the most recently deleted set listed.

That would fairly trivially tell you what was deleted if not when.

Chris
0
 
LVL 5

Expert Comment

by:BatchV
ID: 34147336
I agree with Chris-Dent LDAP filter can provide you with some of the details
0
 
LVL 1

Author Comment

by:escreen
ID: 34147389
I would agree that it tell me what has been deleted, but the problem is that would still not tell what deleted it.  It would not differentiate between a person manually deleted a record and the scanvenging process deleting a record.  Do you agree or am I missing something?

I know that I have missing DNS records at this point, I need to find out what deleted them.

Thanks.
0
 
LVL 5

Expert Comment

by:BatchV
ID: 34147495
to delete manually you would need domain administrators rights.
0
 
LVL 1

Author Comment

by:escreen
ID: 34147873
Yes, or delegated rights. I am not sure where you are going with that though.
0
 
LVL 30

Accepted Solution

by:
Rich Weissler earned 300 total points
ID: 34148256
@escreen -- I think it boils down to -- "No, there isn't an additional log that can be opened to view more details about what actions dns scavenger has taken."  I believe what folks are attempting to provide are alternate methods of obtaining similar information from other sources.
0
 
LVL 70

Assisted Solution

by:Chris Dent
Chris Dent earned 200 total points
ID: 34148326

Start off with the basics. Were these records for servers that ordinarily register dynamically?

If so, are you certain that they *are* registering and refreshing themselves correctly? Check they register in the first place with "ipconfig /registerdns", check the DHCP Client is running (it must be, despite the service name), and check your systems DNS server settings. If those check out, check the Aging intervals, less than 24 hours on the Refresh Interval and you'll see this happen on occasion.

If they are static records you can immediately rule out Scavenging and you're left with bugs (such a zone corruption), or, more likely, user error. You won't catch that retroactively, you'd need auditing enabled in advance.

Chris
0
 
LVL 1

Author Comment

by:escreen
ID: 34148574
Thanks Razmus, that is really what I am looking for to be honest.

They are statically entered DNS entries and should not have been removed by Scavenging, but that does not mean that they weren't.  There are not many administrators that have the ability to remove these entries so I do not think it was user error, but that does not mean that it wasn't.  We did not loose that whole zone, so I do not think it is corruption.

I guess I will just enable auditing and hope it gives me the information I need to narrow this down more.

Thanks.
0
 
LVL 1

Author Closing Comment

by:escreen
ID: 34148617
Answer does answer my question but does not solve my problem.
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 34148804
> Scavenging, but that does not mean that they weren't.  

It does, but I'll conceed that the operation of the scavenging process is a black box, claiming absolute certainty there is difficult. Statically added entries get a TimeStamp value of 0, the scavenging process explicitly ignores records with a TimeStamp value of 0.

Unfortunately, the change to deleted state for the record wipes out most of the dnsRecord attribute, making it impossible to determine what timestamp (if any) was set on the record immediately prior to deletion. It's the change to dnsRecord that makes the record invisible within the zone, the object still exists in the directory.

Briefly touching on corruption, this can occur when conflicting objects exist in Active Directory. This isn't always obvious, and rarely means that everything in the zone is corrupt. If this occurs again I urge you to check using ADSIEdit, conflicts will be prefixed with CNF:. Or you might check anyway, not a big or risky task.

I did think of one more. It is possible for a static record to be overwritten by a dynamic one, although I consider it to be unlikely than the other two options. For that to happen a number of conditions have to be true:

 - DHCP updating DNS for clients
 - DHCP is running on a DC without defined credentials or DHCP is running and using credentials of a privileged account to update (both are bad)
 - Someone logs a computer onto the network with the same name and DNS suffix as the removed name

I'm sure you can see why I believe it to be unlikely, there are a lot of conditions there. But it's worth considering if you're clutching at straws :)

In the end, enabling auditing is the best bet if you're worried about this happening again. I would try watching for changes to the dnsTombstoned property (rather than trying to catch delete, or similar), you should check that change flags a username in the security log when a record is removed.

Chris
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 34148812
escreen,

Do note that by setting a grade of C for this you are effectively blaming us for the design of the DNS system by MS. Each of us attempted to provide you with help and support within the constraints of the system. Assigning us a grade C on that basis is really quite rude.

Chris
0
 
LVL 1

Author Comment

by:escreen
ID: 34148859
Oh, I thought that was average... Sorry...  LOL...  I did not know C was bad...  My bad.
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 34148954
Usage of the grades is defined here:

http://www.experts-exchange.com/help.jsp#hs=29&hi=403

And the scenario this falls under here:

http://www.experts-exchange.com/help.jsp#hs=29&hi=405

If you feel it prudent I would push for a change to the grade, mainly because I don't like seeing C's in my history ;)

http://www.experts-exchange.com/help.jsp#hs=29&hi=404

Chris
0
 
LVL 1

Author Comment

by:escreen
ID: 34149017
I submitted the request, hopefully they will change it.  Thanks anyhow for the help.
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 34149029

No worries, hopefully next time we'll be able to provide something more constructive :)

Chris
0

Featured Post

Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Home Optimum Online Internet timeout problems. DNS issue? 36 1,988
Public DNS 2 45
Changing Web Hosts: Need Your Expert Opinion & Ideas 6 34
DNS Server 7 22
I will assume you are running a non-server version of some sort of Windows throughout this article. There are many flavors of Windows since Windows Server 2000 - 2008, XP Home & Pro, Vista Home & Pro, and Windows 7 Starter, Home, Pro, Ultimate, etc.…
I wrote this article to explain some important DNS concepts that should be known to avoid some typical configuration errors I often see in forums. I assume that what is described here is the typical behavior of Microsoft DNS client. I don't know …
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit https://www.mail-signatures.com/articles/signature-templates/?sts=6651 If you want to manage em…

773 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question