Solved

dns scavenging

Posted on 2015-02-16
116 Views
Last Modified: 2015-03-25
Hi,
I have to work on performing cleanup and removal of stale resource records, which can accumulate in zone data over time... so I need assistance from someone who has worked on it... how did they conclude that the information they are taking out is right? I mean, what was the test procedure... and how did they clean it...
We have a mixture of 2003 and 2008 domain controllers... we want to decommission the 2003 servers.
So what will be the testing procedure and, later on, the deployment procedure?
thanks
Question by:Leo
66 Comments
 
LVL 35

Expert Comment

by:Mahesh
ID: 40613738
It doesn't matter if you have a mix of 2003 and 2008, it's not related to scavenging, you can set it up right away.
There is no test procedure, set up scavenging and get final results directly.
Set DNS scavenging on any one DC in domain (PDC probably)

Scavenging should be enabled on the domain.com main DNS zone and at server level (server properties) also, otherwise it will not work.
Also the DNS zone must be set for dynamic update, otherwise scavenging will not work.
Scavenging will not work for static DNS records, it only works for dynamic records (records having a time stamp generated).

The default scavenging duration is 7 days, however you should keep it at half of the DHCP scope duration.
If your DHCP scope duration is 1 day, do not set it to 1 day (you should set it to a minimum of TWO days, otherwise it might delete domain controller SRV records as they are also dynamic records; this will not happen normally because scavenging only scavenges records older than the sum of refresh interval + no-refresh interval).
You will find DNS event 2501 which tells you about scavenging on the server.
I have assumed that you have a DHCP server for leasing out client addresses.
The DHCP server also needs to be set accordingly.
http://blogs.technet.com/b/askpfe/archive/2011/06/03/how-dns-scavenging-and-the-dhcp-lease-duration-relate.aspx
http://blogs.msmvps.com/acefekay/2009/08/20/dhcp-dynamic-dns-updates-scavenging-static-entries-amp-timestamps-and-the-dnsproxyupdate-group/

There are lots of scavenging articles available on the internet and on EE as well.
http://blogs.technet.com/b/networking/archive/2008/03/19/don-t-be-afraid-of-dns-scavenging-just-be-patient.aspx
http://think-like-a-computer.com/2012/04/27/dns-scavenging/
You will find lots of Q&A on EE itself.
0
 
LVL 8

Author Comment

by:Leo
ID: 40620328
Hi, thanks for the info, I will list out a few settings which can direct to finding more information on it...
For our DNS it's set to Dynamic Update --> Secure Only.
Under DHCP, domain properties --> DNS Tab --> Enable DNS dynamic updates according to the settings below --> Dynamically update DNS A and PTR records is checked.
Discard A and PTR records when lease is deleted is checked.
Scope options for DHCP are set to 8 days.

How can I create a test procedure for it? I mean, what are the implications of turning that on, and where can it affect? And if something does get affected, how can I revert it back?
0
 
LVL 35

Expert Comment

by:Mahesh
ID: 40620614
Like I said earlier, there is no test procedure.

For 8 days of DHCP scope duration, you could set scavenging for 4 days.
There is no harm in that.

Also you can force manual scavenging by running the command below:
dnscmd <servername> /StartScavenging

Note that this will also delete only those records which are eligible for scavenging.

You can turn off scavenging any time by deselecting the scavenging check box.
0
 
LVL 8

Author Comment

by:Leo
ID: 40620984
Is there a way a script can be set up which can run this command "dnscmd <servername> /StartScavenging" in combination with some other script which can report which DNS records have been cleared...
In that way it's monitored and can be documented...
0
 
LVL 35

Expert Comment

by:Mahesh
ID: 40621623
When the scavenging command runs periodically / manually, DNS event 2501 is logged which shows what items got deleted.
https://technet.microsoft.com/en-us/library/ee783621(v=ws.10).aspx

You can collect all 2501 DNS events to get the list of records deleted.
0
 
LVL 8

Author Comment

by:Leo
ID: 40622604
That event log, i.e. 2501... it doesn't log the DNS records which get deleted...
It just creates an alert that it has deleted a record... but there is no record of it...
I need to do it in a controlled environment... I need to know which records get deleted... and it should get reported...
0
 
LVL 35

Expert Comment

by:Mahesh
ID: 40622852
You can track DNS record deletion.
You need to enable auditing in the default domain controller policy for directory services and then enable auditing on the actual zone.
http://blogs.technet.com/b/networking/archive/2011/08/17/tracking-dns-record-deletion.aspx

However, you still will not get exactly what you want.
0
 
LVL 8

Author Comment

by:Leo
ID: 40623009
"Object Name" event information won't tell which DNS record has been deleted?
Those event IDs can be configured to be sent to an email address... right?
0
 
LVL 35

Expert Comment

by:Mahesh
ID: 40623237
Yes, you can
0
 
LVL 8

Author Comment

by:Leo
ID: 40624104
"Object Name" event information won't tell which DNS record has been deleted?
0
 
LVL 35

Expert Comment

by:Mahesh
ID: 40624107
Yes, I think you will not get what you are looking for.
0
 
LVL 8

Author Comment

by:Leo
ID: 40624108
:-( Then how can I get that information? There should be a way...
0
 
LVL 35

Expert Comment

by:Mahesh
ID: 40624110
Right now I am not in a position to test this in a quick way.
Some other expert might help you.
0
 
LVL 8

Author Comment

by:Leo
ID: 40624178
I am not sure who to contact to have a look at this question... can you please suggest or ask other experts to view this question.
thanks.
0
 
LVL 35

Expert Comment

by:Mahesh
ID: 40624439
You can click "Request Attention" at the end of your question and ask a moderator for more help so that he will forward this question to more experts.

I still believe that you will not achieve this out of the box and some kind of customization would be required.
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 40627742
The problem you'll have is that nothing is actually deleted during the scavenging process (in AD terms). Instead each removed record is tombstoned (dnsTombstoned is set to TRUE) and the dnsRecord attribute is modified to reflect a null entry.

The AD object for DNS records is complex at best, dnsRecord can be multi-valued (for example, if you have more than one A record for a name), so the net result of scavenging may only be removal of one entry from dnsRecord. Or it may remove the AD object entirely. It depends, it's not reliable, you should not rely on it for auditing.

So where does this leave you?

You could have full auditing turned on and watch for changes to dnsTombstoned in AD. This would get you a change log for a particular AD object (which will show you resource name even if it doesn't show the resource detail). That is, if you had "SomeEntry IN A 1.2.3.4" you would see SomeEntry was deleted, but not the original record data.

Similarly you could watch for changes to the dnsRecord attribute, but the dnsRecord attribute takes some decoding (I've done it, http://www.indented.co.uk/2009/06/18/mapping-the-dnsrecord-attribute/).

Finally, you might consider simply running a regular export of the DNS zone (dnscmd / WMI / anything goes) and running comparisons on that.

Chris
0
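Chris's last suggestion (a regular export of the zone plus a comparison) is the one approach in this thread that actually answers "which records were removed". As an added example, not code from the thread or from any of the modules it mentions, this compares two zone snapshots and reports records that disappeared or appeared between them. The export column names (Name, RecordType, RecordData, TimeStamp) and the sample rows are constructed assumptions; map them to whatever your export tool produces.

```powershell
# Constructed sample exports (not real zone data). Between the two snapshots
# one of ws-laptop01's two A records is gone, dc01 merely refreshed its
# timestamp, and printer07 is new.
$beforeCsv = @'
Name,RecordType,RecordData,TimeStamp
ws-laptop01,A,10.10.5.21,2015-02-01 09:00
ws-laptop01,A,10.10.5.80,2015-03-10 08:00
dc01,A,10.10.1.10,2015-03-11 03:00
fileserver,A,10.10.1.20,
'@

$afterCsv = @'
Name,RecordType,RecordData,TimeStamp
ws-laptop01,A,10.10.5.80,2015-03-10 08:00
dc01,A,10.10.1.10,2015-03-12 03:00
fileserver,A,10.10.1.20,
printer07,A,10.10.5.90,2015-03-12 10:00
'@

function Compare-DnsZoneExport {
    param(
        [Parameter(Mandatory = $true)][object[]]$Before,
        [Parameter(Mandatory = $true)][object[]]$After
    )
    # Identify a record by name + type + data, not by name alone: one name can
    # own several A records and scavenging may remove just one of them.
    $keyOf = { param($r) '{0}|{1}|{2}' -f $r.Name.ToLower(), $r.RecordType, $r.RecordData }

    $beforeMap = @{}
    foreach ($r in $Before) { $beforeMap[(& $keyOf $r)] = $r }
    $afterMap = @{}
    foreach ($r in $After)  { $afterMap[(& $keyOf $r)]  = $r }

    # A timestamp refresh keeps the same key, so it is correctly not reported.
    foreach ($key in $beforeMap.Keys) {
        if (-not $afterMap.ContainsKey($key)) {
            $r = $beforeMap[$key]
            [pscustomobject]@{ Change = 'Removed'; Name = $r.Name; RecordType = $r.RecordType; RecordData = $r.RecordData; LastTimeStamp = $r.TimeStamp }
        }
    }
    foreach ($key in $afterMap.Keys) {
        if (-not $beforeMap.ContainsKey($key)) {
            $r = $afterMap[$key]
            [pscustomobject]@{ Change = 'Added'; Name = $r.Name; RecordType = $r.RecordType; RecordData = $r.RecordData; LastTimeStamp = $r.TimeStamp }
        }
    }
}

$report = Compare-DnsZoneExport -Before ($beforeCsv | ConvertFrom-Csv) -After ($afterCsv | ConvertFrom-Csv)
$report | Format-Table -AutoSize

# In production, replace the here-strings with Import-Csv of the previous and
# current snapshot and keep the report next to them, e.g.:
# $report | Export-Csv ("DnsChanges-{0:yyyy-MM-dd}.csv" -f (Get-Date)) -NoTypeInformation
```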
 
LVL 8

Author Comment

by:Leo
ID: 40627897
Thanks for your post...
Can you please brief me on how I can turn on full auditing and get alerted whenever there is a change in DNS?
And when you said "That is, if you had "SomeEntry IN A 1.2.3.4" you would see SomeEntry was deleted, but not the original record data." so it won't specify which exact entry was deleted? Is there a way of knowing it?

Also the link you posted above... in that there is a PowerShell script, can you please brief me on what it accomplishes? And whether any modifications are required in it... I had a look at it, it doesn't seem like it needs any alterations...

http://theessentialexchange.com/blogs/michael/archive/2009/12/22/getting-the-contents-of-an-active-directory-integrated-dns-zone-version-2.aspx
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 40627938
The auditing you can do is limited to Active Directory auditing by setting an appropriate SACL (Audit access control list) on the DNS zones in Active Directory. By extension, this kind of auditing can only apply to AD Integrated Zones.

At that point the normal AD object change audit controls come into play, you'll get event log messages as described here:

https://technet.microsoft.com/en-us/library/cc731607%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396

This is limited because the AD audit engine won't decode the values in dnsRecord for you (which is where the record type and record data are held). Therefore you simply cannot track changes to the content of individual records using this method (only that the node / record name was changed in some way).

In short it does half the job of change auditing and isn't really suitable for the DNS system which uses AD as a data store / replication method only.

> so it wont specify which exact entry was deleted? is there a way of knowing it?

I know of no other built-in mechanism to accurately track changes to MS DNS unfortunately. It's certainly not exposed in the GUI / registry / dnscmd.

Michael's script is good for dnsRecord, we were both working on the decode at the same time and he was kind enough to credit me for my work although the URL for my site in the first paragraph is out of date :)

I have my own version of Michael's script which includes full decoding of dnsProperty in addition to everything in dnsRecord. CmdLets for this are present in both versions of my DNS module:

DnsShell: http://dnsshell.codeplex.com/
Indented.Dns: http://www.indented.co.uk/indented-dns/

Both contain the code required to read DNS records from Active Directory. The latter has a better resolver (Get-Dns), slightly improved AD support (Get-ADDns*) and is "just" PowerShell, but is missing the DNS management part (Get-DnsRecord, Set-DnsRecord, etc). Time is a bit of a challenge at the moment unfortunately.

Chris
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 40627955
Sorry, a couple more notes.

The thing you'd need to be mindful of in Michael's script (or any script) is where DNS data is actually stored. There are a minimum of three different locations in AD:

All Domain Controllers in the Domain: CN=MicrosoftDNS,CN=System,DC=domain,DC=example
All DNS Servers in the Domain: DC=DomainDnsZones,DC=domain,DC=example
All DNS Servers in the Forest: DC=ForestDnsZones,DC=domain,DC=example

In the last the domain component will always be the forest root domain.

Michael's script assumes you're using the first of those, All Domain Controllers in the Domain. In this case you can see DNS records if you hit View / Advanced in AD Users and Computers then expand the System folder.

This is the relevant section of code:
	# Find the default naming context, then build the path to the zone
	# under CN=MicrosoftDNS,CN=System (domain-wide, all DCs replica)
	$root = [ADSI]"LDAP://RootDSE"
	$defaultNC = $root.defaultNamingContext

	$dn = "LDAP://"
	if ($dc) { $dn += $dc + "/" }
	$dn += "DC=" + $zone + ",CN=MicrosoftDNS,CN=System," + $defaultNC

In my module Get-ADDnsPartition attempts to help you find all these different places and can be piped straight into Get-ADDnsZone and then into Get-ADDnsRecord. Let me know if you wish to try that out and I'll provide more detailed instruction should you need it.

Chris
0
 
LVL 8

Author Comment

by:Leo
ID: 40628140
Thanks for your reply.
Regarding the auditing and setting up a SACL (audit access control list) on the DNS zones in Active Directory: will this require an extension of AD? So would it be worthwhile doing that?
Also I wish to try out your module, kindly guide me through which of your modules will be useful in my case, and how to use them.
Thanks.
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 40628573
No extension, just standard object auditing controls, all built in.

If you're using the newer modules you'll need this one:

http://www.indented.co.uk/indented-common/

Then this one:

http://www.indented.co.uk/indented-dns/

Once you've downloaded them (manual download instructions are on each page) you would run:

Import-Module Indented.Dns

Then we can head right in and try this:
Get-ADDnsZone yourdomain.com

If you get your forward lookup zone back in the list above we can immediately move onto this:
Get-ADDnsZone yourdomain.com | Get-ADDnsRecord

If you see lots of DNS records in response the output from that can be sent to a CSV file like this:
Get-ADDnsZone yourdomain.com | Get-ADDnsRecord | Export-Csv DnsRecords.csv -NoTypeInformation

If it doesn't work you can try this which goes looking for your DNS zone:
Get-ADDnsPartition | Get-ADDnsZone yourdomain.com | Get-ADDnsRecord

Finally, if that works Export-Csv can be used to drop that out to a text file.

Chris
0
 
LVL 8

Author Comment

by:Leo
ID: 40629863
Hi,
I tried this: "Get-ADDnsZone yourdomain.com | Get-ADDnsRecord | Export-Csv DnsRecords.csv -NoTypeInformation"
It gave some errors...

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidData: (:) [Export-Csv], ParameterBindingV
   alidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,M
   icrosoft.PowerShell.Commands.ExportCsvCommand

Export-Csv : Cannot bind argument to parameter 'InputObject' because it is
null.
At line:1 char:49
+ Get-ADDnsZone domain.com | Get-ADDnsRecord | Export-Csv
C:\Test\DnsRecords.cs ...
+

But it did generate the CSV file with 2145 records... So I believe it generated all the records? I ran the second script as well, it had the same number of records with the same error.

Now in the CSV file, can you please brief me more on what's the difference between IP address and Record Data?
Also in DNSTombstone, if some records are marked as False, what does it mean?
And what do UpdateAtSerial and Record Data length represent?

Thanks.
0
 
LVL 8

Author Comment

by:Leo
ID: 40629878
And for some of the computers the TimeStamp field is blank.
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 40630123
In reverse order:

If the TimeStamp field is blank the record is static (has been manually added to the DNS console) and will never be scavenged.

RecordData is included to allow a consistent output format when different record types are being handled. For the A and AAAA records there is no difference between RecordData and IPAddress, they're nice simple record types.

DNSTombStoned effectively has 3 values:

TRUE - Record removed, waiting for the tombstone period to lapse before deletion.
FALSE - At some point was deleted, but the action was reversed (let's say something deleted or de-registered the name, then something else came along and registered it).
Empty - dNSTombstone has never been set.

> It gave some errors ....

A bug I'll have to fix by the sounds of it. You should be able to correlate the record count with the graphical user interface (DNS management / your zone / Export List); if that gives you the same number of records we can ignore the error for now.

If not I'll have to attempt to reproduce the error and fix the code. Apologies for the significant inconvenience.

Chris
0
 
LVL 8

Author Comment

by:Leo
ID: 40630320
Thanks, what will be the best way to export DNS records to a CSV file?
And there are some servers which have a static IP but in the exported CSV file they have a timestamp?

Also would you recommend the DHCP option in the first part of this website, that it can be applied?

http://blogs.msmvps.com/acefekay/2009/08/20/dhcp-dynamic-dns-updates-scavenging-static-entries-amp-timestamps-and-the-dnsproxyupdate-group/
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 40630360
The CmdLets above and Export-Csv provided the error message is something we can ignore until I have time to fix it.

Static IP doesn't equate to a static DNS entry. That is, servers with static IP addresses will dynamically register a DNS record and attempt to refresh that every 24 hours (by default). As such the record will have a timestamp and may be scavenged if it becomes inactive.

DHCP updates is one of those things that doesn't have much of a definite answer, only a bunch of guidance.

Do you use MS DHCP for all dynamic address allocation?

If, for instance, you had a VPN client which handed out addresses from its own pool of addresses (Cisco AnyConnect is a good example) the DHCP-only update method will be unreliable.

Therefore my advice is this with respect to dynamically allocated addressing:

If you're sure that all DNS updates will only come from the MS DHCP server then feel free to use updates via DHCP.
If using updates through MS DHCP, always configure specific credentials (just a regular user) to perform the updates in case you ever need to move the DHCP service.
Only use DhcpUpdateProxy if you can't possibly avoid it.
If you can't be sure that all updates will come from Microsoft DHCP, disable all DHCP updates and let clients update their own records (all you need do is disable the options in DHCP and this will happen). Your statically configured servers do this already.

Of course, nothing is perfect. If your estate is littered with non-MS devices you may find they won't be able to (securely) update DNS without DHCP's help. In that case you're back to considering whether you need those updates, or whether DhcpUpdateProxy is best.

Chris
0
 
LVL 8

Author Comment

by:Leo
ID: 40630402
If a static IP doesn't equate to a static DNS entry, then how would I know which machines are on a static IP address?

Also we have a mixture of Windows, Mac, Unix and Ubuntu machines... so in that case don't use DhcpUpdateProxy?

I am trying to find a way to avoid DNS duplication once DNS scavenging is done.
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 40630409
Re: Static IP: From DNS? You don't, you have to have a CMDB that tells you such things :)

DhcpUpdateProxy might still be worth a try then (usage as described by Ace), the critical problem is whether or not you have other things providing addresses for clients.

Chris
0
 
LVL 8

Author Comment

by:Leo
ID: 40630461
So there is no way of knowing which addresses are static in DNS?

On the Excel spreadsheet which got generated there are MX, A, SOA, NS records, but I can't see any difference between IP address and Record data, so can I safely delete the Record data column?

Also UpdatedAtSerial, what's that for?

I was trying to use this PowerShell script to export static DNS records, but it's not working... it has two parts... the first part doesn't generate any data...

Import-Module ActiveDirectory
# Filter with -or: no address can match both ranges, so -and never returned anything.
# Output column names match what the second part reads back (ComputerName, IPAddress).
Get-ADComputer -Filter * -Properties IPv4Address |
    Where-Object { $_.IPv4Address -like "152.98.*" -or $_.IPv4Address -like "10.10.*" } |
    Select-Object @{n='ComputerName';e={ $_.Name }}, @{n='IPAddress';e={ $_.IPv4Address }} |
    Export-Csv "c:\Test\NameAndIP.csv" -NoTypeInformation



Import-Module ActiveDirectory
$Computers = Import-Csv "c:\Test\NameAndIP.csv"
ForEach ($computer in $Computers) {
    $computer.ComputerName
    $computer.IPAddress
    # Query each machine's adapters over WMI and keep those without DHCP
    Get-WMIObject -Class Win32_NetworkAdapterConfiguration -ComputerName $computer.ComputerName | ? { $_.DHCPEnabled -eq $false } | select computer.ComputerName, computer.IPAddress, DHCPEnabled |
    Export-Csv "c:\Test\DHPCDisabled.csv" -NoTypeInformation -Append
}
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 40630500
> so there is no way of knowing which addresses are static in DNS?

Nope, it's not really any of the DNS server's business how you allocate addresses to clients. DNS only cares about the resource records it holds, but it does nothing to verify the accuracy of that information (that's the administrator's problem).

> so i can safely delete Record data column?

Yep, delete anything you don't need.

> Also UpdatedAtSerial whats that for?

The dnsRecord attribute contains a field which tells you the SOA serial number on the server which processed the update (at the time of the update).

It's useful if you happened to want to track updates, although actually doing so is still rather complicated (as you'd have to link up the SOA serial to a time and know the server which processed the update).

It's unlikely to be useful here and can safely be ignored.

> Get-ADComputer

Computer objects in AD don't track IP addresses. The IPv4Address attribute doesn't exist unless you happen to have extended the schema and implemented a means of populating that attribute. In short, it's not much use I'm afraid.

The second part will let you start to discover computers with static addresses assigned. It's limited to Windows machines (uses WMI) and may be slow because it has to wander off and ask each of the machines for that information individually.

The Select-Object part of it is a bit wrong though. You'll need something more like this:
$Computers = Import-Csv "c:\Test\NameAndIP.csv"
ForEach ($Computer in $Computers) {
  # Let WMI do the filtering; only adapters with IP enabled and DHCP disabled come back
  Get-WMIObject Win32_NetworkAdapterConfiguration -ComputerName $Computer.ComputerName -Filter "DHCPEnabled='FALSE' AND IPEnabled='TRUE'" |
    # IPAddress is an array per adapter; join it so the CSV shows the addresses rather than System.Object[]
    Select-Object @{n='ComputerName';e={ $Computer.ComputerName }}, @{n='IPAddress';e={ $_.IPAddress -join ',' }}, DHCPEnabled |
    Export-Csv "c:\Test\DHPCDisabled.csv" -NoTypeInformation -Append
}

Chris
0
 
LVL 8

Author Comment

by:Leo
ID: 40630548
And TTL will just point out how long a record will exist?
What do RecordClass and RecordDataLength represent?

So if I have to follow instructions on how to do scavenging, in steps, what will they be? And how to avoid DNS duplication in future?

Also, is the second part of the script correct?
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 40630620
> and TTL will just point out how long record will exist?

Not quite. It determines how long remote systems cache that response (so Time To Live in a cache somewhere). This includes Microsoft-based client systems. You can see what they have cached with "ipconfig /displaydns".

> what does RecordClass and RecordDataLength represents?

Class will always be IN (Internet), you can ignore it. There are other classes, their use is a bit more specialised.

> RecordDataLength represents?

It's used to decode the dnsRecord, it tells us how long the DNS data is in bytes. It can be ignored here.

> so if i have to follow instructions on how to do scavenging?

As with DHCP it's guidance.

You stand the least chance of duplication if:

You have configured your dynamic update sources reasonably well (as discussed above).
You have consistent lease times across all dynamic address ranges (DHCP lease that is).
You configure the total Aging time (Refresh + No-Refresh) to equal that lease time.
You configure automatic-scavenging to run on a regular basis (I'd say once a day depending on the size of your DNS zone).

As an example, if my DHCP lease were 8 days I would go and set No-Refresh to 3 days and Refresh to 5 days. There's a good article which explains these intervals here:

http://blogs.technet.com/b/networking/archive/2008/03/19/don-t-be-afraid-of-dns-scavenging-just-be-patient.aspx

It does take time for it all to settle in and accuracy will always be a bit of a best-effort thing. That said, I've run with the settings I've described in many different places with great success.

One final note, never set the Refresh interval lower than 24 hours. Your statically configured servers, including Domain Controllers, only refresh once every 24 hours so it'd have a high chance of knocking one out.

> Also does the second part of script is correct?

I haven't tested it. IPAddresses may appear as "System.Object[]" in the output file. It's safe to try and see though. Perhaps only on a couple of computers first though.

Chris
0
 
LVL 8

Author Comment

by:Leo
ID: 40632303
Thanks for that article, I am going through it, where and how do you set the No-Refresh and Refresh days?

Also in that article under "Scavenging settings on the Server", how can I see those settings? Under MMC, I don't see the server snap-in :-(
0
 
LVL 8

Author Comment

by:Leo
ID: 40632411
And to only allow a set of servers to get scavenged, the command I found in that article is:
DNSCmd . /ZoneResetScavengeServers contoso.com 192.168.1.1 192.168.1.2
But what if I want to exclude servers from scavenging? I mean only select test servers at the start and exclude all others... because once you turn scavenging on under DNS, everything is going to get scavenged.
0
 
LVL 8

Author Comment

by:Leo
ID: 40632434
I found the settings under MMC for "Scavenging settings on the Server".
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 40632592
There are two sets of settings which dictate what can be scavenged.

The automatic scavenging process is the first, it makes the DNS server look at each of the zones, figure out if it can scavenge, then do so. It's a simple one, and should be run on one or two servers (but no more). You set that by opening the DNS console, selecting the server name, right clicking and opening Properties then choosing the Advanced tab.

The second dictates which zones can be scavenged and is the Aging settings. These are found by clicking on a zone (waiting for it to load) then opening Properties. Once there you will see an Aging button in the General tab.

The new window contains 3 options for you:

Scavenge stale resource records - This makes the zone eligible for scavenging.
No-Refresh Interval - Discussed above.
Refresh Interval - Discussed above.

You can only elect to enable or disable scavenging on a zone level. Aging settings are replicated between servers, you only need do this once and wait.

If you want to test everything I normally recommend this process:

1. Disable automatic scavenging on all DNS servers
2. Configure No-Refresh and Refresh intervals.
3. Enable Scavenge stale resource records
4. Audit records and remediate any hosts failing to register correctly.
5. Enable automatic scavenging.
6. Audit records and verify stale entries are being removed.

Audit the records using the methods we discussed right at the beginning. Stale records, that is records where the TimeStamp is older than "now" minus both the No-Refresh and Refresh would be removed by scavenging.

Note that accuracy of the audit is only guaranteed if you enable the Aging settings on the zone. Without this record timestamp changes do not reliably replicate between DCs. This is why you must disable automatic scavenging as a first step.

Once you're happy that the stale records do not represent your critical servers you can enable automatic scavenging.

You will not be able to immediately scavenge the zone, it gets locked away for a while (for the value of the Refresh Interval) to give everything the opportunity to update. To see this value select View / Advanced, then open the zone properties again and the Aging button once more. Now you will see a new box: "The zone can be scavenged after". Nothing will happen to any records until that date has passed.

It takes a long time for Scavenging to become active when you first enable it, after it's on and running you should find it looks after itself.

Chris
0
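Chris's audit rule (a record is stale once its TimeStamp is older than now minus No-Refresh plus Refresh, and records with no timestamp are static and never scavenged) can be applied directly to the dnsRecord values his earlier posts discuss. As an added example, not code from the thread or from the DnsShell/Indented.Dns modules, the block below decodes the fixed 24-byte dnsRecord header (field layout per Microsoft's MS-DNSP DNS_RPC_RECORD structure: DataLength, Type, Version, Rank, Flags, UpdatedAtSerial, big-endian TTL, reserved, TimeStamp in hours since 1601 UTC) and flags stale A records for Chris's 8-day example of No-Refresh 3 + Refresh 5. The sample records are constructed in code rather than read from AD.

```powershell
# Epoch of the dnsRecord TimeStamp field: hours since 1601-01-01 00:00 UTC.
$DnsEpoch = New-Object DateTime -ArgumentList 1601, 1, 1, 0, 0, 0, ([DateTimeKind]::Utc)

function ConvertFrom-DnsRecordHeader {
    # Decodes the 24-byte fixed header of a dnsRecord value (plus the data of an A record).
    param([Parameter(Mandatory = $true)][byte[]]$Bytes)
    if ($Bytes.Length -lt 24) { throw "dnsRecord value too short: $($Bytes.Length) bytes" }

    $dataLength = [BitConverter]::ToUInt16($Bytes, 0)
    $type       = [BitConverter]::ToUInt16($Bytes, 2)
    $hours      = [BitConverter]::ToUInt32($Bytes, 20)
    # TTL is the one big-endian integer in the header; every other field is little-endian.
    $ttl = [BitConverter]::ToUInt32([byte[]]@($Bytes[15], $Bytes[14], $Bytes[13], $Bytes[12]), 0)

    [pscustomobject]@{
        RecordDataLength = $dataLength
        RecordType       = $type                                   # 1 = A, 28 = AAAA, 5 = CNAME, ...
        Version          = $Bytes[4]
        Rank             = $Bytes[5]
        Flags            = [BitConverter]::ToUInt16($Bytes, 6)
        UpdatedAtSerial  = [BitConverter]::ToUInt32($Bytes, 8)    # zone SOA serial when last written
        TTL              = $ttl
        # 0 hours means "no timestamp": a static record that scavenging never touches.
        TimeStamp        = if ($hours -eq 0) { $null } else { $DnsEpoch.AddHours($hours) }
        IPAddress        = if ($type -eq 1 -and $dataLength -eq 4) { $Bytes[24..27] -join '.' } else { $null }
    }
}

function Test-DnsRecordStale {
    # Scavenging removes a dynamic record once TimeStamp < now - (NoRefresh + Refresh).
    param(
        [Parameter(Mandatory = $true)]$Record,
        [Parameter(Mandatory = $true)][int]$NoRefreshDays,
        [Parameter(Mandatory = $true)][int]$RefreshDays,
        [datetime]$Now = (Get-Date).ToUniversalTime()
    )
    if ($null -eq $Record.TimeStamp) { return $false }   # static records are never stale
    return ($Record.TimeStamp -lt $Now.AddDays(-($NoRefreshDays + $RefreshDays)))
}

function New-SampleARecordBytes {
    # Builds a constructed dnsRecord value for an A record (test data only, not read from AD).
    param([string]$IPAddress, $TimeStamp = $null, [uint32]$Ttl = 3600, [uint32]$Serial = 1)
    $hours = [uint32]0
    if ($TimeStamp) { $hours = [uint32][math]::Floor(($TimeStamp.ToUniversalTime() - $DnsEpoch).TotalHours) }
    $bytes = New-Object byte[] 28
    [BitConverter]::GetBytes([uint16]4).CopyTo($bytes, 0)     # DataLength: 4 bytes of IPv4
    [BitConverter]::GetBytes([uint16]1).CopyTo($bytes, 2)     # Type 1 = A
    $bytes[4] = 5; $bytes[5] = 0xF0                             # Version 5, Rank 0xF0 = authoritative zone data
    [BitConverter]::GetBytes($Serial).CopyTo($bytes, 8)
    $ttlBytes = [BitConverter]::GetBytes($Ttl); [array]::Reverse($ttlBytes); $ttlBytes.CopyTo($bytes, 12)
    [BitConverter]::GetBytes($hours).CopyTo($bytes, 20)
    ([byte[]]($IPAddress.Split('.') | ForEach-Object { [byte]$_ })).CopyTo($bytes, 24)
    return ,$bytes
}

# Constructed sample: one record 12 days old, one 2 days old, one static.
$now = (Get-Date).ToUniversalTime()
$samples = [ordered]@{
    'ws-old01'   = (New-SampleARecordBytes -IPAddress '10.10.5.21' -TimeStamp $now.AddDays(-12))
    'ws-new02'   = (New-SampleARecordBytes -IPAddress '10.10.5.80' -TimeStamp $now.AddDays(-2))
    'fileserver' = (New-SampleARecordBytes -IPAddress '10.10.1.20')
}

$samples.Keys | ForEach-Object {
    $rec = ConvertFrom-DnsRecordHeader -Bytes $samples[$_]
    [pscustomobject]@{
        Name      = $_
        IPAddress = $rec.IPAddress
        TimeStamp = $rec.TimeStamp
        Stale     = Test-DnsRecordStale -Record $rec -NoRefreshDays 3 -RefreshDays 5 -Now $now
    }
} | Format-Table -AutoSize
```

Against a live zone the same decoder takes the raw dnsRecord byte arrays read from the AD node objects (as Michael's script does), and the audit becomes trustworthy only once Aging is enabled on the zone with automatic scavenging still off, exactly as Chris's step order requires.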
 
LVL 8

Author Comment

by:Leo
ID: 40632647
Thanks, but as you said, turn on scavenging for one or two servers... how can I do that? Because when scavenging is enabled on a zone... it propagates to all the rest of the servers... so how can I only select one or two servers... and enable scavenging and the refresh rate on them?
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 40632660
When I say that I mean the automatic scavenging process under the server properties / Advanced in the DNS console. That's the setting that should be set on one, maybe two servers.

The Aging settings do replicate as you've noted, but on their own they do nothing (unless you manually start scavenging).

Chris
0
 
LVL 8

Author Comment

by:Leo
ID: 40632680
That's what I am a bit confused about :-( Sorry to ask the same question again... when you say... "When I say that I mean the automatic scavenging process under the server properties / Advanced in the DNS console. That's the setting that should be set on one, maybe two servers."
So if it's turned on, let's say, on a DNS server DC01... which holds the role of DNS... once it's turned on there... wouldn't it get propagated to the rest of the DNS servers?
Is there a way of turning on scavenging on a test server which doesn't hold the role of DNS?
And can you please tell me where I have to set the refresh rate and no-refresh? I can't seem to find it :-(
0
 
LVL 70

Assisted Solution

by:Chris Dent
Chris Dent earned 500 total points
ID: 40632719
> So if it's turned on, let's say, on a DNS server DC01... which holds the role of DNS... once it's turned on there... wouldn't it get propagated to the rest of the DNS servers?

Nope :)

That's the setting that doesn't travel.

> Is there a way of turning on scavenging on a test server which doesn't hold the role of DNS?

Nope, none of this can be configured without a DNS server I'm afraid.

> And can you please tell me where I have to set the refresh rate and no-refresh? I can't seem to find it :-(

1. DNS Management console
2. Forward Lookup Zones
3. Select the zone you wish to configure (and wait for it to finish loading)
4. Properties
5. General tab
6. Aging button (towards the bottom)

Cheers,

Chris
0
 
LVL 8

Author Comment

by:Leo
ID: 40632862
Thanks again...
How can I disable automatic scavenging on all DNS servers?

Also I have almost completed a report, I will attach it soon for your review...
0
 
LVL 8

Author Comment

by:Leo
ID: 40632912
Kindly just check the flow of the procedure and let me know, or amend the attached document.
DNSCleanOut.docx
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 40632962
I've added some comments to the document, please let me know if anything is not clear.

Chris
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 40632966
Ack sorry, attachment failure.

Chris
DNSCleanOut.docx
0
 
LVL 8

Author Comment

by:Leo
ID: 40632978
In one of your previous comments it says:
"Note that accuracy of the audit is only guaranteed if you enable the Aging settings on the zone. Without this record timestamp changes do not reliably replicate between DCs. This is why you must disable automatic scavenging as a first step.
Once you're happy that the stale records do not represent your critical servers you can enable automatic scavenging."
I am going to enable the refresh rate as 7 days... by Stale Records you mean Deleted records, right? That can be determined after the 7-day period, running the PowerShell script you provided... and seeing which records have gone missing?
0
 
LVL 70

Assisted Solution

by:Chris Dent
Chris Dent earned 500 total points
ID: 40632984
> by Stale Records you mean Deleted records

Nope, just records where the timestamp is very old (older than both of the two aging intervals added together).

Like stale bread, it only goes away if you chuck it, it's just less useful than it might have been before.

Chris
0
 
LVL 8

Author Comment

by:Leo
ID: 40633001
So the procedure I have uploaded: once DNS scavenging is run, it will delete all the records which have an old timestamp... and once I know it hasn't deleted any DNS records for servers I should enable Automatic Scavenging... which is enabled as shown in the attached picture?
Also the audit procedure I uploaded, are the steps right?
AutoScvan.jpg
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 40633202
I couldn't see any problems with it although I haven't checked it rigorously.

Looks fairly reasonable otherwise I think.

Chris
0
 
LVL 8

Author Comment

by:Leo
ID: 40634825
I have made slight changes and attached it again, kindly review it, my manager is quite picky... in finding out small mistakes... so kindly check it and let me know if it's ok for me to submit it to him...
Scavenging-Addresses.docx
0
 
LVL 70

Assisted Solution

by:Chris Dent
Chris Dent earned 500 total points
ID: 40644102
Sorry, in the middle of a significant project, it's got first call on my time.

Looks good for the most part, this is the only one I'd like to comment on:

> Automatic Scavenging can be enabled on all domain controllers;

I recommend you enable this on one or, at most, two Domain Controllers. The changes performed by this task will replicate, and realistically only one server need do this job anyway.

Good work.

Chris
0
 
LVL 8

Author Comment

by:Leo
ID: 40655619
My manager found a server from a cluster and he showed me that the timestamp date on that server hasn't been updated in the last 10 days... so applying a no-refresh and refresh interval of 3 and 4 days would have deleted that record :-(
I don't know how that happened; I thought all server DNS record timestamps get updated every 24 hours...
0
 
LVL 70

Assisted Solution

by:Chris Dent
Chris Dent earned 500 total points
ID: 40655938
You must enable ageing to get a true picture of the time stamp values. Partial replication of the record will break reporting otherwise.

If you enable ageing in such a manner, ensure that automatic scavenging is disabled everywhere first (of course). You want accuracy for reporting, but for no action to be taken.

Be mindful that the zone will be locked for 4 days (Refresh Interval) before scavenging could occur anyway, so you have some breathing space. That's the date you see in the Next Available Scavenging time if you open the Ageing properties on a single zone.

If you then find servers aren't refreshing, you will need to figure out why before you run scavenging or enable automatic scavenging. The event logs on the server are the first port of call; if it's having trouble registering DNS records there will be an event logged.

Chris
0
 
LVL 8

Author Comment

by:Leo
ID: 40656001
Understood... the question is how the server has a timestamp of 10 days back?
If scavenging is enabled in the 3, 4 scenario... this server will get scavenged, right?
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 40656039
Yes, this is why you need the timestamps replicating properly (for accuracy). Then if your audit reveals that servers are not correctly updating, it'll need to be investigated on a case-by-case basis.

For example, it could be that the server doesn't have permission to update the record, or it may have erroneous DNS servers listed in its TCP/IP configuration.

Auditing impact and remediating any problems before making the real change is critical to give you confidence it won't wipe your business out for hours / days.

Chris
0
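An added audit example for the procedure Chris describes above (auditing timestamps with Aging enabled and Automatic Scavenging off, then investigating anything stale before scavenging runs). This is not the script Chris posted earlier in the thread; it assumes the DnsServer PowerShell module (Windows Server 2012 or later, or RSAT) can reach the DNS server, and the zone and server names are placeholders.

```powershell
# Added audit example for this thread (not the script Chris posted above).
# Assumptions: the DnsServer PowerShell module is available (Windows Server
# 2012 or later / RSAT) and can reach the DNS server; the zone and server
# names below are placeholders. Aging should be enabled on the zone so that
# timestamps replicate, and Automatic Scavenging must stay OFF while auditing.
param(
    [string]$ZoneName  = 'domain.com',   # placeholder zone
    [string]$DnsServer = 'DC01',         # placeholder DC hosting the zone
    [string]$CsvPath   = '.\dns-aging-audit.csv'
)

Import-Module DnsServer

# The zone's aging rules: a dynamic record becomes scavengeable once its
# timestamp is older than NoRefreshInterval + RefreshInterval.
$aging     = Get-DnsServerZoneAging -Name $ZoneName -ComputerName $DnsServer
$threshold = $aging.NoRefreshInterval + $aging.RefreshInterval
$now       = Get-Date

if (-not $aging.AgingEnabled) {
    Write-Warning "Aging is disabled on $ZoneName; timestamps are not reliable yet."
}
Write-Host ("Scavenging threshold: {0} days; next scavenge not before {1}" -f
            $threshold.TotalDays, $aging.AvailForScavengeTime)

$report = Get-DnsServerResourceRecord -ZoneName $ZoneName -ComputerName $DnsServer |
    Where-Object { $_.RecordType -in 'A', 'AAAA', 'SRV', 'PTR' } |
    ForEach-Object {
        # Static records have no timestamp and are never scavenged.
        $age = if ($_.Timestamp) { $now - $_.Timestamp } else { $null }
        $status = if (-not $age)                            { 'Static (never scavenged)' }
                  elseif ($age -gt $threshold)              { 'STALE: a scavenge run would delete it' }
                  elseif ($age -gt $aging.NoRefreshInterval) { 'Refresh window, not yet stale' }
                  else                                      { 'Fresh' }
        [pscustomobject]@{
            HostName  = $_.HostName
            Type      = $_.RecordType
            Timestamp = $_.Timestamp
            AgeDays   = if ($age) { [math]::Round($age.TotalDays, 1) } else { $null }
            Status    = $status
        }
    }

# Anything STALE is what a scavenging cycle would remove: check those hosts
# (event logs, DNS client settings, update permissions) before enabling
# Automatic Scavenging or starting a manual scavenge.
$report | Sort-Object Status, AgeDays -Descending | Export-Csv $CsvPath -NoTypeInformation
$report | Group-Object Status | Select-Object Name, Count | Format-Table -AutoSize
$report | Where-Object Status -like 'STALE*' | Format-Table HostName, Type, AgeDays -AutoSize
```

With the 3-day no-refresh and 4-day refresh intervals discussed in this thread, a server whose record last refreshed 10 days ago would show up in the STALE list, which is exactly the case to resolve before scavenging is switched on.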
 
LVL 8

Author Comment

by:Leo
ID: 40656089
I understand... it's just that my manager has picked up that I didn't cover that in my report... meaning auditing the servers' timestamps before enabling DNS scavenging... and he has made a big issue out of it...
That's why I asked you to review it before I submit :-(
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 40656160
There's only so much I can do unfortunately, short of writing the report for you. It's tempting to do so, but our writing styles are very different which leaves limited scope to change things.

Chris
0
 
LVL 8

Author Comment

by:Leo
ID: 40656251
I meant to say... the first thing which needs to be done is to check the timestamps for servers... and then set the refresh and no-refresh intervals...
And I didn't ask you to write the report... I just asked you to review it :-(
0
 
LVL 8

Author Comment

by:Leo
ID: 40657808
The point my manager pointed out is that he showed me a server whose records are getting refreshed every 10 to 12 days...
So with the setup I suggested, after 7 days the server record would have been marked off for scavenging and on the 8th its record would have been deleted, and the databases which are connected to that server wouldn't be able to resolve its name or IP address.
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 40658172
Yep, and as I said several times above, the audit process must identify those and address any problems before you enable scavenging.

It is very important to highlight that just enabling Ageing on its own does nothing. Only when you manually run scavenging or set up automatic scavenging will changes be committed.

So surely the response is simply: "thank you, I'll investigate the problem before we consider enabling automatic scavenging or running a scavenging cycle".

Chris
0
 
LVL 8

Author Comment

by:Leo
ID: 40658532
So enabling the refresh and no-refresh scavenging intervals won't delete any of the DNS records?
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 40658565
No, it won't do anything unless you also enable Automatic Scavenging or start Scavenging from the right-click context menu in the DNS console.

Chris
0
 
LVL 8

Author Comment

by:Leo
ID: 40658599
So what do the refresh and no-refresh intervals do? I thought if I put 3 days no-refresh and 4 days refresh, with DHCP set for 8 days... after 8 days any servers which haven't updated their timestamp date will get scavenged?
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 40658674
They set the rules, the scavenging process enforces them.

Chris
0
 
LVL 8

Author Comment

by:Leo
ID: 40658680
So ticking "Scavenge stale resource records" and setting the no-refresh and refresh intervals wouldn't delete any DNS records?
0
 
LVL 70

Accepted Solution

by:
Chris Dent earned 500 total points
ID: 40661334
Ticking the Scavenge Stale records box and setting the refresh intervals only says what the rules are. Nothing happens until you execute the scavenging process.

Chris
0