Why DNS scavenging doesn't work?

This is using MS Windows 2003 AD domain. There are 2 DCs, and 2 DHCP servers. I want to do the dns object ageing and scavenging so as old objects must be automatically purged. I read some articles in which they suggest that all 3 levels - server, zone and the A/PTR object have to be enabled for scavenging. The scavenging settings that I set were, in zone - both forward and reverse zones of the ad domain, set with 2-day and 1-day, for no-refresh and refresh, respectively. In server, I enabled the scavenging and set 1-day;

As for the 2 DHCP servers, I also ticked settings in the DNS tab; Besides this, I also run "netsh dhcp set server dnscredentials" with correct user name and password. This DHCP servers also joined as members of UpdateDNSProxy group. However, I check that the 2502 events are reported meaning none of the stale object is scavenged.

Any settings I miss out? How to troubleshoot and get the scavenging work?

Thanks,
LVL 1
MichaelBalackAsked:
Who is Participating?
 
footechCommented:
Have you run the command
dnscmd . /ZoneResetScavengeServers yourzone.com <xx.xx.xx.xx>
where <xx.xx.xx.xx> is the IP of the server you want to scavenge the zone?

And again, are the timestamps for other records in the zone being updated properly?
0
 
footechCommented:
Here's a link to the "go-to" guide for scavenging.
http://blogs.technet.com/b/networking/archive/2008/03/19/don-t-be-afraid-of-dns-scavenging-just-be-patient.aspx

To limit some of your troubleshooting, do you have a record with a timestamp that is older than 4 days, that is in a zone that has scavenging enabled?
0
 
MichaelBalackAuthor Commented:
Hi Footech,

Got a lot of records for past few years.
0
WEBINAR: 10 Easy Ways to Lose a Password

Join us on June 27th at 8 am PDT to learn about the methods that hackers use to lift real, working credentials from even the most security-savvy employees. We'll cover the importance of multi-factor authentication and how these solutions can better protect your business!

 
MichaelBalackAuthor Commented:
Hi Footech,

As for the dnscmd command, i was typed "dnscmd /zone scavengeservers abc.local 192.168.1.8". Does this command same as the command - dnscmd . (with "dot") as shown in the article?
0
 
footechCommented:
Yes, the dot means the local machine.  You could also substitute the name of another DNS server.

Could you provide a screenshots of the following?
- record that should be scavenged showing the timestamp
- scavenging settings for the zone containing that record
- Advanced tab of the server properties where you want scavenging to occur
0
 
MichaelBalackAuthor Commented:
Hi Footech,

Please see attached.
EE-DNS3.bmp
EE-DNS1.bmp
EE-DNS2.bmp
0
 
footechCommented:
Are the timestamps for other records in the zone being updated properly?

I wouldn't set the no-refresh and refresh intervals so low, or you could end up with clients that are statically configured (but still perform dynamic updates of their DNS records) having their DNS record deleted.

On my servers even when no records are scavenged I get a 2501 event, never a 2502.  Looking up some info for that event shows possible causes of:
-no zones configured for scavenging
-manually running scavenging immediately after enabling it for a zone
I would just wait until the next scavenge cycle is scheduled and then check the event afterwards to see what is reported.
0
 
MichaelBalackAuthor Commented:
Hi Footech,

The scavenge cycle is reach and what I saw is still 2502 event.

Manually run it also get the same event - 2502.
0
 
MichaelBalackAuthor Commented:
Hi Footech,

Yes i did for dnscmd. The timestamp for others are updated.
0
 
footechCommented:
At this point I would just set both of the intervals to 4 days (a good rule is to set the intervals to half the amount of your DHCP lease period), and the scavenge cycle to something like 2 days.  Then look at it again after 11 days.  Make sure the zones aren't reloaded in that period (i.e. the DNS service or the machine isn't restarted).

The event is saying that no zones are eligible.  So all I can suggest after the above is to take a detailed look at the output of runing dnscmd (probably with the /info or /zoneinfo switches) and looking at the scavenge info.  If all is as expected I've got nothing else to suggest.
0
 
MichaelBalackAuthor Commented:
Hi Footech,

Please see the result of dnscmd /zoneinfo xxx.com
dnscmd-2.bmp
0
 
MichaelBalackAuthor Commented:
Hi Footech,

The scavenging is finally works. I saw the event - 2501
0
 
MichaelBalackAuthor Commented:
Finally, it works
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.