YMartin asked:
DNS scavenge stale records

Scavenging was never enabled on our DNS server. It has numerous invalid records - some 6 months to 2 years old.  I want to get rid of them. To avoid having to delete them manually and to avoid the problem in the future, I want to see how scavenging works.
I set aging/scavenging properties for all zones; I right clicked on the zone that I want to target, chose properties and clicked the "aging" button on the General Tab and did the same. Went back to the server and ran "scavenge stale resource records"; clicked "Yes". Nothing happened. (though I see that the zone can be scavenged on 9/28)
Do I have to wait weeks to see if this is going to work? Or did it already run and not work?
Found one blog that recommends against ever running Dnscmd.exe /AgeAllRecords. Found another that says records from before scavenging is enabled won't ever be deleted unless I run AgeAllRecords.
When I ran "scavenge stale resource records" - did it scavenge the stale records right then or just schedule it to run in 7 days?
Will it (by default) delete the ancient records or do I have to choose between running AgeAllRecords or manually deleting the old stuff?
DrDave242

Here's the best article on scavenging I've run across.  It's pretty lengthy, but it explains everything well:

http://blogs.technet.com/b/networking/archive/2008/03/19/don-t-be-afraid-of-dns-scavenging-just-be-patient.aspx
YMartin (ASKER):

That is the one I read to set up scavenging - and is the one that recommends against running "Dnscmd.exe /AgeAllRecords". It doesn't mention that records from before enabling scavenging will not be scavenged; but I found another article that did. The article that you recommend also advises to be patient - always thought that being patient was over-rated. I would like to find out before the end of the month (or the middle of the next month) whether or not the records created before enabling will be deleted.
The main reason dnscmd /ageallrecords is a bad idea is that it timestamps all of your records (except NS, SOA, and WINS forward lookup records), making all of them available for scavenging - including any records you may have created as static because you didn't want them scavenged.  And once that timestamp is on there, it's irreversible; if you want those records to go back to being static, you have to delete and recreate them.

What do you have configured for the refresh and no-refresh intervals?
When you first set up Aging the zone is locked for the value of the Refresh Interval so it has time to completely sort itself out. Only after that has passed will it remove records.

You can see that date value if you select View, Advanced then re-open the Aging properties (it'll show a new box towards the bottom). Once that date has passed the value will change again, incrementing by whatever interval you defined for automatic scavenging (Server Properties / Advanced).

That's mostly why you have to be patient, it's not an instant or quick process, it's slow and careful.

Chris
The article does not seem to cover DNS record permissions, something that's caused us problems with scavenging. If you're using DHCP, you have a choice of letting the DDNS clients make entries in the DNS server, or having the DHCP server do so on their behalf. The resulting DNS records are owned by whoever created them, and the common mistake is wondering why the DHCP server scavenging doesn't delete aged records, when in fact it cannot because they're owned by the DDNS clients, who are expected to clear them when they release a lease. In our case, there are many situations where the clients don't do this, and the orphaned records accumulate.

Disabling the DDNS in the client resolves this problem in the future, but the old records have to be purged some other way (ie. manually).
DNS Server Scavenging will delete dynamic records regardless of source, it doesn't matter at all if those records were registered by DNS or the Client directly.

The most common problem you encounter in mixed environments, where DHCP updates for some networks, but not all, is duplicate records. Clients cannot update records created by the DHCP server because the client has no rights. However, it's important to note that this has no effect on Scavenging.

Chris
There seems to be a lot of confusion surrounding the proper configuration of DNS, DHCP, and scavenging. We have addresses in our DNS server that have 20 PTR records of which only one is valid. The suggestions I've read indicate it's a permissions problem when DDNS clients create their own A records, and perhaps (as Chris Dent suggests) sometimes try to delete PTR records created by the DHCP server. But it seems to me that the DHCP server should still be able to keep the DNS server up to date with leases. Is there a definitive guideline available describing how to set up a DHCP environment to ensure the DNS server remains clean, rather than relying on periodic scavenging runs, which seems to be a bandaid solution? Personally, I'd expect the DHCP server to always delete A and PTR records when a lease is expired.

The multiple PTR records can cause a lot of grief for applications that do a first-pass client connection security check involving checking to see if the IP address is defined in a DNS server.
If you're in a situation where DHCP can always update for clients, then all you need do is configure all servers with credentials so every DHCP server can update any record created by any server.

I'm not in that position, we have a big mix of DHCP servers, and because of that it's far easier to stop DHCP updating DNS entirely and let the client handle it. That way I gain consistency, all clients can update wherever they are and we never need worry about DHCP owning a record.

Scavenging still has a part to play, DHCP isn't great at cleaning up DNS records (especially in a multi-DHCP-server environment), and arguably, it's not the job of DHCP to keep DNS up to date (on that scale). If lease times are consistent across all servers, and Aging is well configured in DNS that isn't a problem though.

Chris
I don't mean to hijack the question, but what are reasonable settings for DNS aging, DHCP lease duration, etc. in a mixed environment? There appear to be lots of horror stories (us included) of scavenge deleting valid records, and of it not deleting extra PTR records. The explanations I've read include incorrectly-configured clients updating static records which later get scavenged, and solutions typically center around disabling client updates.

I've worked in an environment where the extra PTR records in a DNS server contained unresolvable names. One of the apps does a reverse lookup on the PTR record, and then a forward lookup on the returned name to see if it matches the client IP address. Normally, this was not a problem until their secondary DNS server failed, introducing a 5-10 second delay in the client waiting for DNS server response to time out. When there were half a dozen extra PTR records to be searched, the resulting 30 second delay exceeded the client application's connection timeout, causing it to fail.

So what are the correct settings for DHCP, DNS, and client policies for DDNS, to keep this problem to a minimum while addressing concerns many people seem to have about both the effectiveness of scavenging, as well as the risks that it will age and delete incorrect records?
Ideally, make the sum of No-Refresh and Refresh match the DHCP Lease.

For example, if I were dealing with a DHCP lease of 8 days I might set:

No-Refresh: 4 Days
Refresh: 4 Days

You can skew them in favour of Refresh if you like, allowing things a bit more time. It won't do anything to the overall lifespan, but may make for increased happiness.

Then you need to throw Automatic Scavenging into the equation; when that runs is more dependent on the size of your organisation than anything else. For small organisations, really anything less than 5 - 10 thousand, I tend to recommend running it once a day. Let's assume that's the case here, so:

Automatic Scavenging Interval: 1 Day

With all those you have:

DHCP Lease Minimum: 8 Days
DHCP Lease lifespan increments by: 4 Days (effective, client attempts to renew at 50% of lease)

DNS Record Minimum: 8 Days
DNS Record lifespan increments by: 4 Days for DHCP clients (because the client may choose to refresh it as soon as it can, re-setting the timestamp in line with the newly renewed lease)

Assuming you have a client appear on your network, then drop off, never to appear again. The client will get a DHCP lease that lasts 8 days, and a DNS record that lasts for a minimum of 8 days and a maximum of 9 days. That is, No-Refresh + Refresh + Automatic-Scavenging, because it may just miss a scavenging cycle and have to wait until the one running the next day to clear out.

Things that don't update via DHCP, such as systems with static IP addresses will refresh their registration with DNS once every 24 hours (by default). Because of that, the minimum you should ever consider for the Refresh Interval is 24 hours. I've seen a lot of scenarios where it's been set lower, prompting the question "where did my records go".

Chris
YMartin (ASKER):
A cacophony of disagreement! Just like when I was searching the internet on the subject.
I'll confess to an ulterior motive. I’m testing this on our DNS server because we have a new customer that is a mess. I straightened out their DHCP nightmare but their DNS server is full of old and duplicate records. I’m looking for a solution for the customer and don’t want to wait 2 months to test this on our server before knowing if I have a possible solution for the customer (which will then take another 2 months to straighten everything out).

When searching the web about Scavenging, I saw a reference that stated that records that were created before Scavenging was enabled will never be deleted by Scavenging unless AgeAllRecords is executed. Because executing AgeAllRecords could have unintended results, I'm leery of running it. I enabled Scavenging yesterday and it will run on 9/28. Can someone provide a clear, concise, emphatic answer to these 2 questions:
If I don’t run AgeAllRecords, will the invalid records created between 2007 and 9/20/2011 be deleted on 9/28?
What are any risks associated with manually deleting the records?

In order to get this straightened out for the customer, I’m leaning towards manually deleting old and duplicate records and then having everyone run -
ipconfig /flushdns
ipconfig /release
ipconfig /renew
ipconfig /registerdns
> A cacophony of disagreement! Just like when I was searching the internet on the subject.

There is none that I can see, we were simply discussing some of the deeper aspects of this particular process.

Anyway, you don't have to wait 2 months.

When you first set up Scavenging it locks the zone for the value of the Refresh Interval. That's done to give it time to fully replicate timestamps between all DCs, and to make sure all clients have sufficient time to update a timestamp if they want to.

Once you hit that date, the zone can be scavenged (and a summary posted to the event log when it does). If you also set up automatic scavenging the zone will then re-lock for the value you set for the automatic scavenging interval.

> I saw a reference that stated that

It was wrong, and I state that with absolute confidence having spent a very, very long time studying this topic :)

> If I don’t run AgeAllRecords, will the invalid records created between 2007 and 9/20/2011 be deleted on 9/28?

Yes. Only static records, those without a timestamp, will be preserved.

> What are any risks associated with manually deleting the records?

None unless you need the records :) But if you're doing it manually you can be quite careful about that.

You only need "ipconfig /registerdns". The first clears the client cache, no impact on anything outside of the client. And the second two do stuff with the DHCP lease which feels a bit unnecessary. The only time you might run more is when you poke the Domain Controllers, then you might also restart the netlogon service to force re-registration of the service records.

Chris
So in a mixed environment with some DNS records created by the DHCP server, and others by clients, will this solution keep the DNS server clear of extra records (especially PTR records)?

So within a No-Refresh + Refresh + Automatic-Scavenging period, the DNS database should be purged of all extra records except those created within the last Automatic-Scavenging period, and these will be cleared within that period. If scavenging is done daily, only records created within the Automatic-Scavenging period will ever exist within the DNS server. Correct?
YMartin,

Do remember this is your question, so if anything is not clear prod me and I will do my best to clarify. Your question is a common one, and your frustrations with scavenging are too. I do know what you mean about the arguments; the process is fluffy and, at least in my experience on this site and throughout my career, not particularly well understood.

You can't avoid the patience bit if you're to wait out scavenging, but you really should not be afraid to hack away at your zone. Naturally you should be a little careful, but you would not be able to do any lasting damage (well, to the domain at least) were you to delete the zone entirely. Obviously you shouldn't do anything to put your position within your organisation at risk, I only wish to emphasise that DNS, while critical to normal operation, is self-healing to an extent (as long as the zone exists and dynamic updates is enabled things will re-register over a short period of time).

hfraser,

Feel free to drop me an email (see my profile for the address), I don't want to derail this question entirely, it's not fair to YMartin, but these are my answers to your questions above.

> So in a mixed environment with some DNS records created by the DHCP server, and others by clients, will this solution keep the DNS server clear of extra records (especially PTR records)?

No, client still can't overwrite records created by DHCP (and vice versa) so there's still a chance of duplication.

> if scavenging is done daily, only records created within Automatic-Scavenging period will ever exist within the DNS server. Correct?

Hmm depends, I may not be parsing this correctly. But records will exist at least for No-Refresh + Refresh, and at most No-Refresh + Refresh + Automatic Scavenging Interval.

Imagine Scavenging ran at 3pm, if I brought my laptop onto your network at 4pm tomorrow (we'll call that 23rd, even if time zones make it not), I'd get a lease from your DHCP server which would last until 4pm on . My lease would expire at 4pm on the 1st, and that's where No-Refresh + Refresh would end. Automatic scavenging wouldn't pick that up until the day after.

So you could say that you will, at most, have stale records for up to a day never more.

Chris
YMartin (ASKER):
Chris,
Thank you for the clear, concise, emphatic answers. I was hoping to use this to have our customer straightened out by the weekend, but that doesn’t seem possible.

One more point to clarify. In the equation you present, “No-Refresh + Refresh + Automatic-Scavenging”, does “Automatic-Scavenging” refer to the date Scavenging was enabled or the “Zone can be scavenged after” date/time? That is to say, I enabled scavenging on the 20th and (I hope) it will run on the “after” date, the 28th. On the 28th will records created before the 20th be deleted (4+4+9/20/11) or do I have to wait until 10/6/11 (4+4+9/28/11) to actually see records go bye-bye?

By the way - I’m as leery of manually deleting records as I was of running AgeAllRecords, but I also don’t want to leave the customer hanging for 2 or more weeks. The logic behind the 4 ipconfig commands is that the customer was running 2 DHCP servers and didn’t have the Scope of 1 excluded on the other. Some of the problems in DNS were caused by DHCP. I turned off one DHCP server. Getting the workstations to /release and /renew would ensure that everyone is getting their lease from the correct DHCP server and eliminate dups. That should also re-register them with DNS, but why not be sure and run /registerdns. Finally, it doesn’t mean jack to a user if the DNS database is cleaned up if the workstation has bad data in its DNS cache – so /flushdns. But that is beside the point.
> Does “Automatic-Scavenging”

Neither, you'll find that setting if you select your DNS server, open Properties, and select Advanced. For small domains (up to 5000 or so in my eyes) I always set it to 1 day.

If you enabled Scavenging on the 20th, the zone would be available for Scavenging for the first time on the 24th (20th plus your Refresh interval), then stale records would be removed every time automatic scavenging ran.

A record is considered to be stale if the record time stamp plus No-Refresh and Refresh is older than today. So, with the settings above, a record created on 20th would be stale on the 28th if nothing refreshed it. Your very old stuff will be immediately stale, and therefore should be removed the very first time scavenging runs on the zone. Newer stuff will age more gracefully and be cleaned out as and when it is considered to be stale.

> is that the customer was running 2 DHCP servers

Do have a look and see if credentials have been configured to perform updates. If not, you may find that duplicates can occur simply because one DNS server won't be able to update a record created by the other. There are ways around that, such as the DnsProxyUpdate group, but it's insecure and should be avoided if possible.

Anyway, your measures are well reasoned, I can't argue with those :)

Chris
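Chris's arithmetic above (No-Refresh + Refresh as the stale threshold, the Refresh-interval lock when aging is first enabled, and a lifetime of at most one extra scavenging interval for an unrefreshed record) as a small Python model. This is an added example, not code from the thread or from the Windows DNS server; the interval values follow Chris's 8-day-lease example, and the zone contents, refresh attempts and dates are constructed.

```python
from datetime import datetime, timedelta

# Intervals from Chris's 8-day-lease example; record names and dates below are constructed.
NO_REFRESH = timedelta(days=4)
REFRESH = timedelta(days=4)
SCAVENGE_INTERVAL = timedelta(days=1)

def is_stale(timestamp, now, no_refresh=NO_REFRESH, refresh=REFRESH):
    """Stale rule from the thread: timestamp + No-Refresh + Refresh is older than 'now'.
    Static records carry no timestamp and are never stale."""
    return timestamp is not None and timestamp + no_refresh + refresh < now

def refresh_allowed(timestamp, now, no_refresh=NO_REFRESH):
    """Inside the No-Refresh window the server drops a client refresh; after it the stamp resets."""
    return timestamp is not None and now >= timestamp + no_refresh

def zone_scavengeable_after(enabled_at, refresh=REFRESH):
    """Enabling aging locks the zone for one Refresh interval ('Zone can be scavenged after')."""
    return enabled_at + refresh

def record_lifetime_bounds(no_refresh=NO_REFRESH, refresh=REFRESH, interval=SCAVENGE_INTERVAL):
    """An unrefreshed record lives at least No-Refresh + Refresh and at most one scavenging
    interval longer, because it may just miss a run."""
    return no_refresh + refresh, no_refresh + refresh + interval

def preview_first_run(records, enabled_at, no_refresh=NO_REFRESH, refresh=REFRESH):
    """Dry run: the names the first eligible scavenging pass would remove as things stand."""
    first_run = zone_scavengeable_after(enabled_at, refresh)
    return sorted(n for n, ts in records.items() if is_stale(ts, first_run, no_refresh, refresh))

def simulate(records, enabled_at, until, refreshes=(), no_refresh=NO_REFRESH,
             refresh=REFRESH, interval=SCAVENGE_INTERVAL):
    """Replay automatic scavenging from the first eligible run up to 'until'.
    records: {name: timestamp, or None for static}; refreshes: (name, time) client attempts.
    Returns {name: run time at which the record was scavenged}."""
    stamps, deleted = dict(records), {}
    pending = sorted(refreshes, key=lambda r: r[1])
    run = zone_scavengeable_after(enabled_at, refresh)
    while run <= until:
        # Apply refresh attempts made before this run; those inside No-Refresh are discarded.
        while pending and pending[0][1] <= run:
            name, when = pending.pop(0)
            if name in stamps and name not in deleted and refresh_allowed(stamps[name], when, no_refresh):
                stamps[name] = when
        for name, ts in stamps.items():
            if name not in deleted and is_stale(ts, run, no_refresh, refresh):
                deleted[name] = run
        run += interval
    return deleted

# Constructed scenario: aging enabled 20 Sept 2011 at 11:00 (the date in the thread), daily runs.
SAMPLE_ENABLED = datetime(2011, 9, 20, 11)
SAMPLE_ZONE = {"ancient": datetime(2009, 3, 1), "static-srv": None,
               "laptop": datetime(2011, 9, 20, 11), "desktop": datetime(2011, 9, 21, 11)}
SAMPLE_REFRESHES = [("desktop", datetime(2011, 9, 23, 9)), ("desktop", datetime(2011, 9, 26, 9))]

def run_sample():
    """Scavenging history for the constructed zone."""
    return simulate(SAMPLE_ZONE, SAMPLE_ENABLED, datetime(2011, 10, 10), SAMPLE_REFRESHES)
```

In the sample the 2009 record goes on the very first run (24 Sept), the static record is never touched, and the desktop's second refresh (the first falls inside No-Refresh and is dropped) pushes its removal from 30 Sept to 4 Oct.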
YMartin (ASKER):

Okay, the Great Day has arrived. The “can be scavenged after” date/time was Sept 28 at 11:00. I logged on at 12:00 and nothing had happened. I ran Scavenge Stale Resource Records and it did blow away all of the old, invalid records. The new “can be scavenged after” date/time is Oct 1, 11:00 AM. For the Server, on the Properties, Advanced tab - "Enable automatic scavenging of stale records" is checked; Scavenging period is set to 3 days.
Any idea what I did wrong for automatic scavenging to not have occurred this morning? Otherwise, it worked like a charm.
ASKER CERTIFIED SOLUTION
Chris Dent
YMartin (ASKER):

Chris,
I decided to enable scavenging on the customer's DNS. They are running Windows Server 2003; DNS is Version: 5.2.3790.3959. On the server I went to properties=>advanced; I checked enabled and changed the period to 1 day; clicked Apply and OK. Again on the server I right clicked =>Set aging/scavenging for all zones; changed to 4 days for each; OK; got another box, checked "apply these settings to all active directory zones" and OK.
On the zone to be scavenged: right click =>properties=>Advanced tab and click the aging button; I changed to 4 and 4 again. In that box, I expected to see the section for the “Zone can be scavenged after” date/time but there is nothing there.
Did I do something wrong, miss a parm, or is this another period that I have to wait for something to happen? DNS is also running on their old server which has Windows Server 2000 and I can't tell the version of DNS.
You need to select View / Advanced to see the extra box.

Although I'm afraid I can't tell you if that appears under 2000 or not :-\

Chris
YMartin (ASKER):
Thanks again for the help.