Jorge Maldonado
How to clean Windows Server 2003 DNS

How can I safely perform a clean-up of the DNS on a Windows Server 2003 so it finally contains only records that point to actual devices in our network? This server has been working for many years and I am sure it has outdated information.

The reason for this is that we will be migrating such a server to a Windows Server 2008 Standard R2 machine and we want that information as updated as possible.

Respectfully,
Jorge Maldonado
Hypercat (Deb)

The best way to do this is to set up aging and scavenging so that the old records will be removed automatically.  Here's an article on how to do this for Windows 2003, and when you set up your Windows 2008 server, you want to do this also to keep your DNS zone clean:

https://technet.microsoft.com/en-us/library/cc755716(v=WS.10).aspx
Jorge Maldonado

ASKER

I have read about Aging and Scavenging and went to my DNS server (Administrative Tools / DNS). I right-clicked on it and selected the option "Set Aging/Scavenging for All Zones". Here I see a window to configure this feature with only 2 parameters:  "No-refresh interval" and "Refresh interval", both set to 7 days. I do not clearly understand the meaning of these parameters. Is it possible for you to explain them to me in a different way? However, I suppose these settings are safe because they are Microsoft's defaults.
SOLUTION
Hypercat (Deb)

This solution is only available to members.
About your following comment:

"When you set up scavenging, the default scavenging period is 1 day.  So any records that become stale each day would be scavenged within 24 hours."

I think that 24 hours is a very short period of time. It seems to me that, during a weekend (Sat and Sun for example) when nobody uses their computers, the wrong DNS records would be deleted. Is this correct?
No, the records won't become stale that quickly.  By default, a DHCP client renews its lease every 24 hours, and the DHCP record itself, remember, has an expiration period of 8 days. The workstation wouldn't lose its lease for that specific IP address unless it was shut down for over 8 days. So, the DHCP server (which is not shut down over the weekend) would be able to renew a DNS lease automatically if the renewal interval was reached over the weekend.

Now, if there was no DHCP server and all your workstations had static IP addresses and were registering themselves directly with your DNS server, the no refresh and refresh intervals would take effect.  So, the initial refresh interval would keep the record fresh for 7 days, and then if the workstation was turned on at any time during the next 7 days the DNS record would be refreshed at that time.
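The timeline described in the two comments above (no-refresh interval, refresh interval, scavenging run, re-registration on return) as an added day-by-day model; this is example code, not from the thread or from Microsoft. It assumes the 1-day scavenging period quoted in the thread and that a running workstation re-registers its record at boot and once a day.

```python
"""Toy day-by-day model of Windows DNS aging/scavenging for one dynamically
registered record (added example, not from the thread). The record carries a
timestamp; a client refresh inside the no-refresh interval is ignored, inside the
refresh interval it moves the timestamp to 'now', and once no-refresh + refresh
has elapsed the next scavenging run deletes the record. A client that boots after
deletion simply re-registers. Intervals are days; the 1-day scavenging period is
the value quoted in the thread (assumption taken from the thread)."""

def simulate(on_days, last_day, no_refresh=7, refresh=7, scavenge_period=1):
    """Return (events, still_present) for a workstation that is running on the
    days in on_days; its DHCP Client service re-registers at boot and daily."""
    events, present, stamp = [], False, None
    for day in range(last_day + 1):
        if day in on_days:                      # client-side dynamic update
            if not present:
                present, stamp = True, day
                events.append((day, "registered"))
            elif day < stamp + no_refresh:
                events.append((day, "refresh ignored (no-refresh interval)"))
            else:
                stamp = day
                events.append((day, "refreshed"))
        if (day % scavenge_period == 0 and present
                and day >= stamp + no_refresh + refresh):
            present = False                     # server-side scavenging run
            events.append((day, "scavenged"))
    return events, present

def weekend():
    """On Mon-Fri (days 0-4), off Sat/Sun, back on day 7 and onwards."""
    return simulate(set(range(0, 5)) | set(range(7, 21)), 20)

def vacation_after_fresh_refresh():
    """Refreshed on day 0, then 10 days away (days 1-10), back on day 11."""
    return simulate({0} | set(range(11, 21)), 20)

def vacation_worst_case():
    """Last accepted refresh on day 0, on through day 6 (refreshes ignored),
    then 10 days away (days 7-16), back on day 17."""
    return simulate(set(range(0, 7)) | set(range(17, 21)), 20)

if __name__ == "__main__":
    for scenario in (weekend, vacation_after_fresh_refresh, vacation_worst_case):
        events, present = scenario()
        print(scenario.__name__, "-> record present at end:", present)
        for day, what in events:
            if "ignored" not in what:
                print(f"  day {day:2}: {what}")
```

The worst case shows why a 10-day absence can lose the record (timestamp already up to 7 days old when the machine is switched off) and that the returning workstation recreates it through dynamic update.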
In our case, we do not use DHCP, every workstation has a static IP, our network is not a big one and we want to have strict control on this issue. Regarding your comment below:

"So, the initial refresh interval would keep the record fresh for 7 days, and then if the workstation was turned on at any time during the next 7 days the DNS record would be refreshed at that time."

If a workstation remains turned off for more than 7 days, then its IP is considered a stale resource record and it will be removed from the DNS records. Is this correct?

My question considers the case when an employee goes on vacation for 10 days for example. In such a case, the DNS record will be deleted. What happens when he/she comes back to work? Will this IP address be added to the DNS records as part of the dynamic updates?
SOLUTION
Understood. I appreciate your help. I will try this DNS feature and monitor its behavior.

Thank you very much.
I just enabled Aging/Scavenging and, after I clicked OK, I got another window with the following check box which is unchecked by default.

"Apply these settings to the existing Active Directory-integrated zones."

I suppose I should check it. Am I correct?
I have enabled Aging/Scavenging already.
After going over our DNS server, I see that there is a record as follows:

(same as parent)     Name Server(NS)      dc-nld.domain.local

But "dc-nld.domain.local" does not exist anymore.
This reference even exists in other folders like "_msdcs.domain.local/dc/sites/first-site/_tcp" and "_msdcs.domain.local/dc/_tcp".

Will this type of RR also be included in the Aging/Scavenging process? I mean, does Aging/Scavenging process every type of record everywhere?
SOLUTION
If I go to "Sites and Servers" (in Win2003 it says Sites and Services) I see 2 machines that no longer exist. The first KB article you suggest says that I only have to remove them.

The second KB article tells me to go to "Active Directory Domains and Trusts" but I see nothing here but only the domain name in the left panel. The right panel is blank. Is this OK? Also, I can guess that this KB is for domain controllers not demoted correctly.

I did all of this in the FSMO's machine.

I am sorry if I am asking too many questions but, because I am not a Windows Server expert, I just do not want to make any mistake and make the whole network unusable. DCs and AD are complex issues for me.
In the Sites and Services/Servers node, look carefully at the 2 machines that are listed there but no longer exist.  Click on each of them and make sure that you DON'T see anything (i.e., an NTDS Settings object) below them in the tree.  This is just to make sure that they've been correctly and fully demoted.

In the Domains and Trusts node, you want to right-click on the top level ("Active Directory Domains and Trusts"), and select "Operations Master."  This tells you which of your current domain controllers is the domain naming operations master for your domain.  This is the server that you need to connect to when you run the ntdsutil program, as explained in the remainder of that article. You need to run ntdsutil from one of your DCs anyway.
In the Sites and Services/Servers node, one machine has an "NTDS Settings" entry below it, the other one has nothing. I suppose that I can remove the one with "nothing" below. Am I correct?

For the other one with "something" below, I should follow the steps in the second KB article. Is this fine?
Sorry, I see that you said that I need to run ntdsutil anyway. So, I do not remove anything in Sites and Services/Servers, correct?
You can remove the one with nothing below it. Make sure that the one with NTDS settings is DEFINITELY not a DC on your current domain before proceeding with the second article. That one should then go away after running the steps in the second KB article, but if it is still there after that, it will not have the NTDS Settings object and you can just delete it as well. Obviously, you need to make sure that you don't touch any server that is active on your current domain.
I am still reviewing the domain settings and this is what I discovered.
In "Active Directory Sites and Services" there are 4 entries, 2 of them have "something" below them and 2 have nothing as follows:

* DC-NLD (This one has something below but it does not exist anymore. It was a Windows Server 2008)
* SRV-LDOTEX (This one has something below and it has the FSMOs. This is a Windows Server 2003)
* SRV-NLD (Nothing below and it is a DC actually working. This is a Windows Server 2008)
* SRV-NVOLDO (Nothing below and it does not exist anymore. This was a Windows Server 2008)

Does your suggested procedure still apply? (I talk about the 2 KB articles).

I am taking my time to solve this issue because our Network Admin left the company a few days ago and I need to have an idea of the actual situation.
This looks a bit suspect.  Some questions/comments:

First, check all of your FSMO roles to make sure that they're held by currently active and working DCs on your domain:

http://support.microsoft.com/kb/324801

DC-NLD -  If it has a NTDS Settings object, does it show any connections to other DCs?
SRV-LDOTEX - Is this an active DC on your current domain? Does it hold all of the FSMO roles?
SRV-NLD - If there's nothing below it, but it's a working DC, then you have an issue with this, as it's not connected correctly to your domain and not replicating from the other DCs. You may need to demote it and then re-promote it to fix it.
SRV-NVOLDO - this one can be removed.
Here is what I found:

* DC-NLD - It is a server machine that does not physically exist anymore. Looking at the NTDS settings I see that it is supposed to replicate from SRV-LDOTEX which is the only valid DC.

* SRV-LDOTEX (Windows Server 2003) - This is actually the only valid DC which has the 5 FSMOs (RID, PDC, Infrastructure, Domain Name and Schema). I made sure about this checking in AD Users and Computers, AD Domains and Trusts and AD Schema. Looking at the NTDS setting I see that it is supposed to replicate from DC-NLD which does not physically exist anymore. Should I delete the entry in the NTDS settings in order to get rid of the replication information?

* SRV-NLD (Windows Server 2008) - This is a server that is supposed to work as a DC but there are some issues with it meaning that Windows Server 2008 will be completely installed again. As you say, it can be demoted. This has no NTDS setting. If I demote this server I suppose I do not need to promote it back but only to proceed to Windows Server 2008 installation.

* SRV-NVOLDO - It is a server machine that does not physically exist anymore which, as you say, can be safely removed.
SOLUTION
I did all of the recommended steps except demoting SRV-NLD. I ran "dcpromo" in this machine but I do not see any option to remove it from the domain. First thing I see after issuing the "dcpromo" command is the "Welcome to AD Domain Services and Installation Wizard" with a "Use advanced mode installation" checkbox unchecked. I click the next button and I get a window with a message regarding security settings in Windows Server 2008. I click next again and I am shown another window with the following options:

"Choose a deployment configuration"
* Existing forest (here there are 2 options: Add a domain controller to an existing domain and Create a new domain in an existing forest).
* Create a new domain in a new forest.

Here I click the cancel button because I do not see anything about demoting the DC.
I cannot run Server Manager in this machine because I get an error message: "MMC has detected an error in a snap-in and will unload it", after clicking OK the Server Manager left-panel shows nothing.

Is there another way to demote this DC?

Remember that SRV-NLD shows nothing below in AD Sites and Services.
It seems that this server was at least partially demoted already.  Are there any existing SRV or NS records in DNS for SRV-NLD? Please search all of the DNS subfolders thoroughly for any pertinent records.  Remove any SRV or NS records you see in DNS for this server.

I might be inclined to say at this point, since you're going to rebuild this server completely anyway, that you should unjoin the domain completely, wipe the machine and then start from scratch.  Once you unjoin the domain, if there's still a remnant of it in Sites and Services, you can try to remove it manually.
I am still reviewing DNS entries and I see the following record in our "domain/_msdcs" folder:

gc        Host (A)      aaa.bbb.ccc.ddd

Where aaa.bbb.ccc.ddd is a private IP address.
Does "gc" mean it is a Global Catalog?
This is the only entry with that IP address in the DNS records. I have checked every single detail in each one of the DNS entries.

I have asked some persons here in the IT department and they say the IP address belonged to a machine that no longer exists and now such an IP is assigned to a router.

Is it safe if I remove it?
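The two checks discussed above, searching every DNS subfolder for NS/SRV records that still name a decommissioned DC and spotting a "gc" address record whose IP no longer belongs to a DC, as one added scan; this is example code, not from the thread. RECORDS is a constructed sample in the shape (zone or subfolder path, name, type, data) using the DC names from the thread and documentation IP addresses; LIVE_DCS and LIVE_DC_IPS are assumptions standing in for the real inventory.

```python
"""Scan DNS records for references to decommissioned domain controllers
(added example, not from the thread). RECORDS is a constructed sample; the
DC names are the ones the thread discusses, the IPs are constructed."""

RECORDS = [
    ("domain.local", "(same as parent)", "NS", "srv-ldotex.domain.local"),
    ("domain.local", "(same as parent)", "NS", "dc-nld.domain.local"),
    ("_msdcs.domain.local/dc/_tcp", "_ldap", "SRV", "0 100 389 dc-nld.domain.local"),
    ("_msdcs.domain.local/dc/_sites/first-site/_tcp", "_ldap", "SRV",
     "0 100 389 srv-ldotex.domain.local"),
    ("domain.local/_msdcs", "gc", "A", "192.0.2.50"),       # old GC, IP now a router
    ("_msdcs.domain.local/gc", "(same as parent)", "A", "192.0.2.10"),  # current GC
]
LIVE_DCS = {"srv-ldotex.domain.local"}   # DCs that still exist (assumption)
LIVE_DC_IPS = {"192.0.2.10"}             # their addresses (constructed)

def pointed_host(data):
    """Target host of an NS record ('host') or SRV record ('prio weight port host')."""
    return data.split()[-1].rstrip(".").lower()

def is_gc_address(zone, name, rtype):
    """A records that advertise a global catalog: 'gc' under _msdcs, or the
    '(same as parent)' record inside the gc subfolder of _msdcs."""
    return rtype == "A" and (name.lower() == "gc" or zone.lower().split("/")[-1] == "gc")

def stale_references(records, live_dcs, live_dc_ips):
    """Return records that still name a host or IP that is not a live DC."""
    stale = []
    for zone, name, rtype, data in records:
        if rtype in ("NS", "SRV"):
            if pointed_host(data) not in live_dcs:
                stale.append((zone, name, rtype, data, "target is not a live DC"))
        elif is_gc_address(zone, name, rtype) and data not in live_dc_ips:
            stale.append((zone, name, rtype, data, "GC address is not a live DC"))
    return stale

if __name__ == "__main__":
    for zone, name, rtype, data, why in stale_references(RECORDS, LIVE_DCS, LIVE_DC_IPS):
        print(f"{zone:48} {name:18} {rtype:4} {data:35} {why}")
```

Each flagged line is a candidate for manual deletion in the DNS console; records pointing at a live DC are left alone.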
SOLUTION
I did what you told me and I see the following:

* In "Forward Lookup Zones / _msdcs.domain / gc" there is an entry with the IP address of the working DC.

* In "Forward Lookup Zones / domain / _msdcs" there is an entry as I said before:
    gc        Host (A)      aaa.bbb.ccc.ddd where "aaa.bbb.ccc.ddd" is the IP of a machine that does not exist anymore and is actually assigned to a router.

I have not restarted the server yet but I will. Is there an additional place where I should look in DNS to make sure the Global Catalog has been added? By the way, the working DC was not a Global Catalog and I followed your instructions to make it a GC.
SOLUTION
You are right, the entries are duplicated under our "domain name/subfolders" in DNS. I have already deleted the entry which points to the router. It seems everything is under control now so I will come back once I finish setting up the new Windows Server 2008.
I have finished installing Windows Server 2008 R2 and it is now a domain controller, a DNS and a Global Catalog. I see that DNS records have been replicated from our Windows Server 2003 and now there are 2 domains: "_msdcs.ourdomain.xxx" and "ourdomain.xxx".

However, the Windows Server 2003 from which replication took place has an additional zone for our public domain "ourdomain.com". Why didn't it replicate? Can I add this zone manually?
That zone was most likely created manually to manage what is called "split brain DNS." A manually created zone won't replicate because it's not AD-integrated.

If your internal and external domain names are the same ("split brain DNS"), internal clients can't reach your public website unless you add a DNS record for your website. This is because AD-integrated DNS will assume that "ourdomain.com" or "www.ourdomain.com" is an internal URL, not an external one. If that's the case, however, you don't really need a separate zone.  The easiest way to handle it is just to add a "www" record to your internal domain and use the public IP address. Your users then just need to use "www.ourdomain.com" to get to your external website. Is that your situation?
The reason there is such a zone is because we host a web server and a mail server, for example, mail.ourdomain.com. This zone has entries like:

mail        Host (A)     192.168.x.y
www      Host (A)      192.168.x.z

Internal and external domain names are different.
Are these IP addresses within your internal network or in a DMZ?
They are in our internal network.
Then my original comment applies. If they're on your internal network, and using the same active directory domain name (i.e., ourdomain.com), then there's no need for a separate zone.  You can add those host names, i.e., "mail" and "www," directly to your AD DNS zone.  They would be static records, and assuming that those hosts are already part of AD with other host names, you could simply make them aliases.  So, in your main DNS zone, you would have:

"A" record name: HostA   192.168.x.y (mail server)
"A" record name: HostB   192.168.x.z (web server)
Alias record name: mail (alias to HostA)
Alias record name: www (alias to HostB)

This would allow your internal clients to connect to your email server using mail.ourdomain.com instead of HostA.ourdomain.com, and to the web server using www.ourdomain.com instead of HostB.domain.com.  Is that what you're trying to accomplish?
I do not get the idea. The "internal AD domain" is different from the "external domain". Let's say that the internal AD domain is "domain.net" and the external is "domain.com". Does your approach work in this case?
SOLUTION
For some reason there was a communication error when talking about "internal domain" and "external domain", but now everything is clear. Yes, they are 2 different domains so 2 zones are needed and, in this case, I have to create the ".com zone" manually in our new domain controller DNS. Such a zone was also manually created in the first DC DNS so it will not automatically replicate. Is this correct?
Yes, if it's not integrated into your Active Directory, then it will not be replicated automatically.  It's just a couple of records, so it's not hard to replicate manually, although you could set it up to do a zone transfer if it were larger.  Presumably, you're going to be doing away with the older DNS server, so I would just create it manually.
It seems everything is working just fine, I only noticed the following behavior.
There is a Windows Server 2003 DC which is also a DNS. The Windows Server 2008 DC I just installed replicated from it. So, now we have 2 DNS servers. I tried to configure the network card parameters in Windows Server 2008 with 2 DNS entries, being itself the preferred DNS address and the Windows Server 2003 DC the alternate. These settings led to not being able to navigate the Internet but it works if I remove the alternate one. Is there anything wrong with what I am trying to do?
SOLUTION
Our Windows Server 2008 has been running correctly for several days so I guess things are fine already. Thanks for your help. If I need more help, should I open a new question or come back to this one?
ASKER CERTIFIED SOLUTION