• Status: Solved

DNS scavenging

Hi,
I have to work on performing cleanup and removal of stale resource records, which can accumulate in zone data over time.... so I need assistance from someone who has worked on it..... how did they conclude that the information they were taking out was right? I mean, what was the test procedure.... and how did they clean it...
We have a mixture of 2003 and 2008 domain controllers.... we want to decommission the 2003 servers.
So what will the testing procedure be, and later on the deployment procedure?
Thanks

Asked by: Leo

Mahesh (Architect) commented:
It doesn't matter if you have a mix of 2003 and 2008; it's not related to scavenging, you can set it up right away.
There is no test procedure; set up scavenging and get the final results directly.
Set DNS scavenging on any one DC in the domain (the PDC, probably).

Scavenging should be enabled on the domain.com main DNS zone and at server level (server properties) also, otherwise it will not work.
Also, the DNS zone must be set for dynamic update, otherwise scavenging will not work.
Scavenging will not work for static DNS records; it only works for dynamic records (records having a time stamp generated).

The default scavenging duration is 7 days; however, you should keep it at half of the DHCP scope duration.
If your DHCP scope duration is 1 day, do not set it to 1 day (you should set it to TWO days minimum, otherwise it might delete domain controller SRV records as they also are dynamic records; this will not happen normally because scavenging only scavenges records older than the sum of refresh interval + no-refresh interval).
You will find DNS event 2501, which tells you about scavenging on the server.
I have assumed that you have a DHCP server for leasing out client addresses.
The DHCP server also needs to be set accordingly:
http://blogs.technet.com/b/askpfe/archive/2011/06/03/how-dns-scavenging-and-the-dhcp-lease-duration-relate.aspx
http://blogs.msmvps.com/acefekay/2009/08/20/dhcp-dynamic-dns-updates-scavenging-static-entries-amp-timestamps-and-the-dnsproxyupdate-group/

There are lots of scavenging articles available on the internet and on EE as well:
http://blogs.technet.com/b/networking/archive/2008/03/19/don-t-be-afraid-of-dns-scavenging-just-be-patient.aspx
http://think-like-a-computer.com/2012/04/27/dns-scavenging/
You will find lots of Q&A on EE itself.

Leo (Author) commented:
Hi, thanks for the info. I will list out a few settings which can direct to finding more information on it.....
For our DNS it's set to Dynamic Update --> Secure Only.
Under DHCP, domain properties --> DNS tab --> "Enable DNS dynamic updates according to the settings below" --> "Dynamically update DNS A and PTR records" is checked.
"Discard A and PTR records when lease is deleted" is checked.
Scope options for DHCP is set to 8 days.

How can I create a test procedure for it? I mean, what are the implications of turning that on, and where can it affect? And if something does get affected, how can I revert it back?

Mahesh (Architect) commented:
Like I said earlier, there is no test procedure.

For 8 days of DHCP scope duration, you could set scavenging for 4 days.
There is no harm in that.

Also, you can force manual scavenging by running the command below:
dnscmd <servername> /StartScavenging

Note that this will also delete only those records which are eligible for scavenging.

You can turn off scavenging any time by deselecting the scavenging check box.

Leo (Author) commented:
Is there a way a script can be set up which can run this command "dnscmd <servername> /StartScavenging" in combination with some other script which can report which DNS records have been cleared....
In that way it's monitored and can be documented....

Mahesh (Architect) commented:
When the scavenging command runs periodically / manually, DNS event 2501 is logged, which shows what items got deleted:
https://technet.microsoft.com/en-us/library/ee783621(v=ws.10).aspx

You can collect all 2501 DNS events to get a list of records deleted.

Leo (Author) commented:
That event log, i.e. 2501... it doesn't log the DNS records which get deleted....
It just creates an alert that it has deleted a record.... but there is no record of it....
I need to do it in a controlled environment... I need to know which records get deleted.... and it should get reported.....

Mahesh (Architect) commented:
You can track DNS record deletion.
You need to enable auditing in the Default Domain Controllers Policy for directory services and then enable auditing on the actual zone:
http://blogs.technet.com/b/networking/archive/2011/08/17/tracking-dns-record-deletion.aspx

However, you still will not get exactly what you want.

Leo (Author) commented:
"Object Name" event information won't tell which DNS record has been deleted?
Those event IDs can be configured to be sent to an email address... right?

Mahesh (Architect) commented:
Yes, you can.

Leo (Author) commented:
"Object Name" event information won't tell which DNS record has been deleted?

Mahesh (Architect) commented:
Yes, I think you will not get what you are looking for.

Leo (Author) commented:
:-( Then how can I get that information? There should be a way....

Mahesh (Architect) commented:
Right now I am not in a position to test this in a quick way.
Some other expert might help you.

Leo (Author) commented:
I am not sure who to contact to have a look at this question.... can you please suggest or ask other experts to view this question?
Thanks.

Mahesh (Architect) commented:
You can click "Request Attention" at the end of your question and ask the moderator for more help, so that he will forward this question to more experts.

I still believe that you will not achieve this out of the box and some kind of customization would be required.

Chris Dent (PowerShell Developer) commented:
The problem you'll have is that nothing is actually deleted during the scavenging process (in AD terms). Instead each removed record is tombstoned (dnsTombstoned is set to TRUE) and the dnsRecord attribute is modified to reflect a null entry.

The AD object for DNS records is complex at best; dnsRecord can be multi-valued (for example, if you have more than one A record for a name), so the net result of scavenging may only be removal of one entry from dnsRecord. Or it may remove the AD object entirely. It depends; it's not reliable, and you should not rely on it for auditing.

So where does this leave you?

You could have full auditing turned on and watch for changes to dnsTombstoned in AD. This would get you a change log for a particular AD object (which will show you the resource name even if it doesn't show the resource detail). That is, if you had "SomeEntry IN A 1.2.3.4" you would see SomeEntry was deleted, but not the original record data.

Similarly you could watch for changes to the dnsRecord attribute, but the dnsRecord attribute takes some decoding (I've done it: http://www.indented.co.uk/2009/06/18/mapping-the-dnsrecord-attribute/).

Finally, you might consider simply running a regular export of the DNS zone (dnscmd / WMI / anything goes) and running comparisons on that.

Chris

Leo (Author) commented:
Thanks for your post....
Can you please brief me on how I can turn on full auditing and get alerted whenever there is a change in DNS?
And when you said "That is, if you had "SomeEntry IN A 1.2.3.4" you would see SomeEntry was deleted, but not the original record data." so it won't specify which exact entry was deleted? Is there a way of knowing it?

Also the link you posted above.... in that there is a PowerShell script; can you please brief out what it accomplishes? And whether any modifications are required in it.... I had a look at it, it doesn't seem to look like it needs any alterations....

http://theessentialexchange.com/blogs/michael/archive/2009/12/22/getting-the-contents-of-an-active-directory-integrated-dns-zone-version-2.aspx

Chris Dent (PowerShell Developer) commented:
The auditing you can do is limited to Active Directory auditing by setting an appropriate SACL (Audit access control list) on the DNS zones in Active Directory. By extension, this kind of auditing can only apply to AD Integrated Zones.

At that point the normal AD object change audit controls come into play; you'll get event log messages as described here:

https://technet.microsoft.com/en-us/library/cc731607%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396

This is limited because the AD audit engine won't decode the values in dnsRecord for you (which is where the record type and record data are held). Therefore you simply cannot track changes to the content of individual records using this method (only that the node / record name was changed in some way).

In short it does half the job of change auditing and isn't really suitable for the DNS system, which uses AD as a data store / replication method only.

> so it wont specify which exact entry was deleted? is there a way of knowing it?

I know of no other built-in mechanism to accurately track changes to MS DNS, unfortunately. It's certainly not exposed in the GUI / registry / dnscmd.

Michael's script is good for dnsRecord; we were both working on the decode at the same time and he was kind enough to credit me for my work, although the URL for my site in the first paragraph is out of date :)

I have my own version of Michael's script which includes full decoding of dnsProperty in addition to everything in dnsRecord. CmdLets for this are present in both versions of my DNS module:

DnsShell: http://dnsshell.codeplex.com/
Indented.Dns: http://www.indented.co.uk/indented-dns/

Both contain the code required to read DNS records from Active Directory. The latter has a better resolver (Get-Dns), slightly improved AD support (Get-ADDns*) and is "just" PowerShell, but is missing the DNS management part (Get-DnsRecord, Set-DnsRecord, etc). Time is a bit of a challenge at the moment, unfortunately.

Chris

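As an added illustration of the SACL approach described in the answer above (example code written for this page, not from the thread, the linked guide or Chris's modules): this adds a Success audit entry for deletions and attribute writes on the domain partition's MicrosoftDNS container. It assumes the RSAT ActiveDirectory module (the AD: drive) is available, that you run it with rights to change the SACL on a DC, and that the "Audit directory service access" / "Directory Service Changes" settings are already enabled in the Default Domain Controllers Policy as mentioned earlier in the thread; if your zone lives in the DomainDnsZones or ForestDnsZones partition, point the path at that partition's MicrosoftDNS container instead.

```powershell
# Added example: audit (not block) deletes and attribute writes under the MicrosoftDNS
# container of the domain partition, the first of the three storage locations for
# AD-integrated zones. Assumes the ActiveDirectory module and SACL change rights on the DC.
Import-Module ActiveDirectory

$defaultNC    = (Get-ADRootDSE).defaultNamingContext
$dnsContainer = "AD:\CN=MicrosoftDNS,CN=System,$defaultNC"   # adjust for DomainDnsZones/ForestDnsZones

# Read the current security descriptor including its SACL (-Audit) so the new entry is added, not a replacement.
$acl = Get-Acl -Path $dnsContainer -Audit

$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
$rights   = [System.DirectoryServices.ActiveDirectoryRights]'Delete, DeleteChild, DeleteTree, WriteProperty'
$ace      = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
                $everyone,
                $rights,
                [System.Security.AccessControl.AuditFlags]::Success,
                [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

$acl.AddAuditRule($ace)
Set-Acl -Path $dnsContainer -AclObject $acl

# With the policy subcategories enabled, removal of a dnsNode object (or a write to its dnsRecord /
# dnsTombstoned attributes) is logged in the Security log as event 4662, plus 5136/5141 on Server 2008
# and later. The events name the object DN, but, as explained above, not the decoded record data.
Get-Acl -Path $dnsContainer -Audit | Select-Object -ExpandProperty Audit |
    Format-Table IdentityReference, ActiveDirectoryRights, AuditFlags, InheritanceType -AutoSize
```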
Chris Dent (PowerShell Developer) commented:
Sorry, a couple more notes.

The thing you'd need to be mindful of in Michael's script (or any script) is where DNS data is actually stored. There are a minimum of three different locations in AD:

All Domain Controllers in the Domain: CN=MicrosoftDNS,CN=System,DC=domain,DC=example
All DNS Servers in the Domain: DC=DomainDnsZones,DC=domain,DC=example
All DNS Servers in the Forest: DC=ForestDnsZones,DC=domain,DC=example

In the last, the domain component will always be the forest root domain.

Michael's script assumes you're using the first of those, All Domain Controllers in the Domain. In this case you can see DNS records if you hit View / Advanced in AD Users and Computers then expand the System folder.

This is the relevant section of code:

    # Read the domain partition name (defaultNamingContext) from RootDSE
    $root = [ADSI]"LDAP://RootDSE"
    $defaultNC = $root.defaultNamingContext

    # Build the LDAP path of the zone container under CN=MicrosoftDNS,CN=System,
    # optionally targeting a specific DC
    $dn = "LDAP://"
    if ($dc) { $dn += $dc + "/" }
    $dn += "DC=" + $zone + ",CN=MicrosoftDNS,CN=System," + $defaultNC

In my module Get-ADDnsPartition attempts to help you find all these different places and can be piped straight into Get-ADDnsZone and then into Get-ADDnsRecord. Let me know if you wish to try that out and I'll provide more detailed instructions should you need them.

Chris

Leo (Author) commented:
Thanks for your reply.
Regarding the auditing and setting up a SACL (Audit access control list) on the DNS zones in Active Directory: will this require an extension of AD? So would it be worthwhile doing that?
Also, I wish to try out your module; kindly guide me through which of your modules will be useful in my case, and how to use them.
Thanks.

Chris Dent (PowerShell Developer) commented:
No extension, just standard object auditing controls, all built in.

If you're using the newer modules you'll need this one:

http://www.indented.co.uk/indented-common/

Then this one:

http://www.indented.co.uk/indented-dns/

Once you've downloaded them (manual download instructions are on each page) you would run:

Import-Module Indented.Dns

Then we can head right in and try this:
Get-ADDnsZone yourdomain.com

If you get your forward lookup zone back in the list above we can immediately move onto this:
Get-ADDnsZone yourdomain.com | Get-ADDnsRecord

If you see lots of DNS records in response, the output from that can be sent to a CSV file like this:
Get-ADDnsZone yourdomain.com | Get-ADDnsRecord | Export-Csv DnsRecords.csv -NoTypeInformation

If it doesn't work you can try this, which goes looking for your DNS zone:
Get-ADDnsPartition | Get-ADDnsZone yourdomain.com | Get-ADDnsRecord

Finally, if that works Export-Csv can be used to drop that out to a text file.

Chris

Leo (Author) commented:
Hi,
I tried this: "Get-ADDnsZone yourdomain.com | Get-ADDnsRecord | Export-Csv DnsRecords.csv -NoTypeInformation"
It gave some errors....

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Export-Csv : Cannot bind argument to parameter 'InputObject' because it is null.
At line:1 char:49
+ Get-ADDnsZone domain.com | Get-ADDnsRecord | Export-Csv C:\Test\DnsRecords.cs ...
+
    + CategoryInfo          : InvalidData: (:) [Export-Csv], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Microsoft.PowerShell.Commands.ExportCsvCommand

But it did generate the CSV file with 2145 records..... So I believe it generated all the records? I ran the second script as well; it had the same number of records with the same error.

Now, in the CSV file, can you please brief me more on what the difference is between IP address and Record Data?
Also in DNSTombstone, if some records are marked as False, what does it mean?
And what do UpdateAtSerial and Record Data Length represent?

Thanks.

Leo (Author) commented:
And for some of the computers the TimeStamp field is blank.

Chris Dent (PowerShell Developer) commented:
In reverse order:

If the TimeStamp field is blank the record is static (has been manually added in the DNS console) and will never be scavenged.

RecordData is included to allow a consistent output format when different record types are being handled. For the A and AAAA records there is no difference between RecordData and IPAddress; they're nice simple record types.

DNSTombStoned effectively has 3 values:

TRUE - Record removed, waiting for the tombstone period to lapse before deletion.
FALSE - At some point was deleted, but the action was reversed (let's say something deleted or de-registered the name, then something else came along and registered it).
Empty - dNSTombstone has never been set.

> It gave some errors ....

A bug I'll have to fix by the sounds of it. You should be able to correlate the record count with the graphical user interface (DNS management / your zone / Export List); if that gives you the same number of records we can ignore the error for now.

If not, I'll have to attempt to reproduce the error and fix the code. Apologies for the significant inconvenience.

Chris

Leo (Author) commented:
Thanks. What will be the best way to export DNS records to a CSV file?
And there are some servers which have a static IP, but in the exported CSV file they have a timestamp?

And would you recommend the DHCP option in the first part of this website be applied?

http://blogs.msmvps.com/acefekay/2009/08/20/dhcp-dynamic-dns-updates-scavenging-static-entries-amp-timestamps-and-the-dnsproxyupdate-group/

Chris Dent (PowerShell Developer) commented:
The CmdLets above and Export-Csv, provided the error message is something we can ignore until I have time to fix it.

A static IP doesn't equate to a static DNS entry. That is, servers with static IP addresses will dynamically register a DNS record and attempt to refresh that every 24 hours (by default). As such the record will have a timestamp and may be scavenged if it becomes inactive.

DHCP updates is one of those things that doesn't have much of a definite answer, only a bunch of guidance.

Do you use MS DHCP for all dynamic address allocation?

If, for instance, you had a VPN client which handed out addresses from its own pool of addresses (Cisco AnyConnect is a good example) the DHCP-only update method will be unreliable.

Therefore my advice is this with respect to dynamically allocated addressing:

If you're sure that all DNS updates will only come from the MS DHCP server then feel free to use updates via DHCP.
If using updates through MS DHCP, always configure specific credentials (just a regular user) to perform the updates in case you ever need to move the DHCP service.
Only use DhcpUpdateProxy if you can't possibly avoid it.
If you can't be sure that all updates will come from Microsoft DHCP, disable all DHCP updates and let clients update their own records (all you need do is disable the options in DHCP and this will happen). Your statically configured servers do this already.

Of course, nothing is perfect. If your estate is littered with non-MS devices you may find they won't be able to (securely) update DNS without DHCP's help. In that case you're back to considering whether you need those updates, or whether DhcpUpdateProxy is best.

Chris

Leo (Author) commented:
If a static IP doesn't equate to a static DNS entry, then how would I know which machines are on a static IP address?

Also, we have a mixture of Windows, Mac, Unix and Ubuntu machines..... so in that case don't use DhcpUpdateProxy?

I am trying to find a way to avoid DNS duplication once DNS scavenging is done.

Chris Dent (PowerShell Developer) commented:
Re: Static IP: From DNS? You don't; you have to have a CMDB that tells you such things :)

DhcpUpdateProxy might still be worth a try then (usage as described by Ace); the critical problem is whether or not you have other things providing addresses for clients.

Chris

Leo (Author) commented:
So there is no way of knowing which addresses are static in DNS?

In the Excel spreadsheet which got generated there are MX, A, SOA, NS records, but I can't see any difference between IP address and Record Data, so can I safely delete the Record Data column?

Also, what is UpdatedAtSerial for?

I was trying to use this PowerShell script to export static DNS records, but it's not working... it has two parts.... the first part doesn't generate any data...

Import-Module ActiveDirectory
# Part 1: computers whose IPv4Address falls in either range (either range, so -or rather than -and)
Get-ADComputer -Filter * -Properties IPv4Address | ? { $_.IPv4Address -like "152.98.*" -or $_.IPv4Address -like "10.10.*" } | select name, IP |
Export-Csv "c:\Test\NameAndIP.csv" -nti



Import-Module ActiveDirectory
# Part 2: ask each computer over WMI for adapters that are not DHCP enabled
$Computers = Import-Csv "c:\Test\NameAndIP.csv"
ForEach ($computer in $Computers) {
$computer.ComputerName
$computer.IPAddress
Get-WMIObject -Class Win32_NetworkAdapterConfiguration -ComputerName $computer.ComputerName | ? { $_.DHCPEnabled -eq $false } | select computer.ComputerName, computer.IPAddress, DHCPEnabled |
Export-Csv "c:\Test\DHPCDisabled.csv" -NoTypeInformation -Append
}

Chris Dent (PowerShell Developer) commented:
> so there is no way of knowing which addresses are static in DNS?

Nope, it's not really any of the DNS server's business how you allocate addresses to clients. DNS only cares about the resource records it holds, but it does nothing to verify the accuracy of that information (that's the administrator's problem).

> so i can safely delete Record data column?

Yep, delete anything you don't need.

> Also UpdatedAtSerial whats that for?

The dnsRecord attribute contains a field which tells you the SOA serial number on the server which processed the update (at the time of the update).

It's useful if you happened to want to track updates, although actually doing so is still rather complicated (as you'd have to link up the SOA serial to a time and know the server which processed the update).

It's unlikely to be useful here and can safely be ignored.

> Get-ADComputer

Computer objects in AD don't track IP addresses. The IPv4Address attribute doesn't exist unless you happen to have extended the schema and implemented a means of populating that attribute. In short, it's not much use, I'm afraid.

The second part will let you start to discover computers with static addresses assigned. It's limited to Windows machines (uses WMI) and may be slow because it has to wander off and ask each of the machines for that information individually.

The Select-Object part of it is a bit wrong though. You'll need something more like this:

$Computers = Import-Csv "c:\Test\NameAndIP.csv"
ForEach ($Computer in $Computers) {
  # WMI filter does the DHCPEnabled/IPEnabled test on the remote host, so only static adapters come back
  Get-WMIObject Win32_NetworkAdapterConfiguration -ComputerName $Computer.ComputerName -Filter "DHCPEnabled='FALSE' AND IPEnabled='TRUE'" |
    # Calculated property carries the computer name from the CSV row alongside the adapter data
    Select-Object @{n='ComputerName';e={ $Computer.ComputerName }}, IPAddress, DHCPEnabled |
    Export-Csv "c:\Test\DHPCDisabled.csv" -NoTypeInformation -Append
}

Chris

Leo (Author) commented:
And TTL will just point out how long a record will exist?
What do RecordClass and RecordDataLength represent?

So if I have to follow instructions on how to do scavenging, as step-by-step instructions, what will they be? And how to avoid DNS duplication in future?

Also, is the second part of the script correct?

Chris Dent (PowerShell Developer) commented:
> and TTL will just point out how long record will exist?

Not quite. It determines how long remote systems cache that response (so Time To Live in a cache somewhere). This includes Microsoft-based client systems. You can see what they have cached with "ipconfig /displaydns".

> what does RecordClass and RecordDataLength represents?

Class will always be IN (Internet); you can ignore it. There are other classes, but their use is a bit more specialised.

> RecordDataLength represents?

It's used to decode the dnsRecord; it tells us how long the DNS data is in bytes. It can be ignored here.

> so if i have to follow instructions on how to do scavenging?

As with DHCP, it's guidance.

You stand the least chance of duplication if:

You have configured your dynamic update sources reasonably well (as discussed above).
You have consistent lease times across all dynamic address ranges (DHCP lease, that is).
You configure the total Aging time (Refresh + No-Refresh) to equal that lease time.
You configure automatic scavenging to run on a regular basis (I'd say once a day, depending on the size of your DNS zone).

As an example, if my DHCP lease were 8 days I would go and set No-Refresh to 3 days and Refresh to 5 days. There's a good article which explains these intervals here:

http://blogs.technet.com/b/networking/archive/2008/03/19/don-t-be-afraid-of-dns-scavenging-just-be-patient.aspx

It does take time for it all to settle in and accuracy will always be a bit of a best-effort thing. That said, I've run with the settings I've described in many different places with great success.

One final note: never set the Refresh interval lower than 24 hours. Your statically configured servers, including Domain Controllers, only refresh once every 24 hours, so it'd have a high chance of knocking one out.

> Also does the second part of script is correct?

I haven't tested it. IPAddresses may appear as "System.Object[]" in the output file. It's safe to try and see though. Perhaps only on a couple of computers first, though.

Chris

Leo (Author) commented:
Thanks for that article, I am going through it. Where and how do you set the No-Refresh and Refresh days?

Also, in that article under "Scavenging settings on the Server", how can I see those settings? Under MMC I don't see the server snap-in :-(

Leo (Author) commented:
And to only allow a set of servers to get scavenged, the command I found in that article is:
DNSCmd . /ZoneResetScavengeServers contoso.com 192.168.1.1 192.168.1.2
But what if I want to exclude servers from scavenging? I mean, only select test servers at the start and exclude all others... because once you turn scavenging on under DNS, everything is going to get scavenged.

Leo (Author) commented:
I found the settings under MMC for "Scavenging settings on the Server".

Chris Dent (PowerShell Developer) commented:
There are two sets of settings which dictate what can be scavenged.

The automatic scavenging process is the first; it makes the DNS server look at each of the zones, figure out if it can scavenge, then do so. It's a simple one, and should be run on one or two servers (but no more). You set that by opening the DNS console, selecting the server name, right clicking and opening Properties, then choosing the Advanced tab.

The second dictates which zones can be scavenged and is the Aging settings. These are found by clicking on a zone (waiting for it to load) then opening Properties. Once there you will see an Aging button in the General tab.

The new window contains 3 options for you:

Scavenge stale resource records - This makes the zone eligible for scavenging.
No-Refresh Interval - Discussed above.
Refresh Interval - Discussed above.

You can only elect to enable or disable scavenging at a zone level. Aging settings are replicated between servers; you only need do this once and wait.

If you want to test everything I normally recommend this process:

1. Disable automatic scavenging on all DNS servers.
2. Configure No-Refresh and Refresh intervals.
3. Enable Scavenge stale resource records.
4. Audit records and remediate any hosts failing to register correctly.
5. Enable automatic scavenging.
6. Audit records and verify stale entries are being removed.

Audit the records using the methods we discussed right at the beginning. Stale records, that is records where the TimeStamp is older than "now" minus both the No-Refresh and Refresh intervals, would be removed by scavenging.

Note that accuracy of the audit is only guaranteed if you enable the Aging settings on the zone. Without this, record timestamp changes do not reliably replicate between DCs. This is why you must disable automatic scavenging as a first step.

Once you're happy that the stale records do not represent your critical servers you can enable automatic scavenging.

You will not be able to immediately scavenge the zone; it gets locked away for a while (for the value of the Refresh Interval) to give everything the opportunity to update. To see this value select View / Advanced, then open the zone properties again and the Aging button once more. Now you will see a new box: "The zone can be scavenged after". Nothing will happen to any records until that date has passed.

It takes a long time for Scavenging to become active when you first enable it; after it's on and running you should find it looks after itself.

Chris

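One way to do the audit in steps 4 and 6 above, together with the regular export-and-compare approach suggested earlier in the thread, as an added example written for this page (not code from the thread, nor from Chris's or Michael's modules): it snapshots a zone through the MicrosoftDNS WMI provider that ships with the Windows DNS server role, lists the dynamic records that scavenging would remove for a chosen No-Refresh + Refresh window, and reports which records have vanished since the previous snapshot. It assumes you can query root\MicrosoftDNS on the DNS server, that the WMI Timestamp is hours since 1601-01-01 UTC with 0 meaning a static record, and that the server name, zone name and paths are placeholders to replace.

```powershell
# Added example, not from the thread or any of the modules linked above.
# Assumptions: WMI access to root\MicrosoftDNS on $DnsServer; Timestamp = hours since
# 1601-01-01 UTC, 0 = static record; $DnsServer, $Zone and $SnapshotDir are placeholders.
param(
    [string]$DnsServer     = 'DC01',
    [string]$Zone          = 'yourdomain.com',
    [int]   $NoRefreshDays = 3,
    [int]   $RefreshDays   = 5,
    [string]$SnapshotDir   = 'C:\Test\DnsSnapshots'
)

function Get-ZoneSnapshot {
    param([string]$Server, [string]$ZoneName)
    $epoch = New-Object DateTime 1601, 1, 1, 0, 0, 0, ([DateTimeKind]::Utc)
    Get-WmiObject -ComputerName $Server -Namespace 'root\MicrosoftDNS' `
                  -Class MicrosoftDNS_ResourceRecord -Filter "ContainerName='$ZoneName'" |
        ForEach-Object {
            # Each record type is a WMI subclass such as MicrosoftDNS_AType; Timestamp 0 = static, never aged.
            $isStatic = ($_.Timestamp -eq 0)
            $stamp = if ($isStatic) { $null } else { $epoch.AddHours($_.Timestamp) }
            New-Object PSObject -Property @{
                OwnerName = $_.OwnerName
                Type      = ($_.__CLASS -replace '^MicrosoftDNS_(.+)Type$', '$1')
                Data      = $_.RecordData
                TTL       = $_.TTL
                TimeStamp = $stamp
                Static    = $isStatic
            } | Select-Object OwnerName, Type, Data, TTL, TimeStamp, Static
        }
}

function Get-StaleRecord {
    param($Records, [int]$NoRefreshDays, [int]$RefreshDays)
    # Eligible for scavenging: dynamic records whose timestamp is older than now minus (No-Refresh + Refresh).
    $cutoff = (Get-Date).ToUniversalTime().AddDays(-($NoRefreshDays + $RefreshDays))
    $Records | Where-Object { (-not $_.Static) -and ($_.TimeStamp -lt $cutoff) }
}

function Compare-Snapshot {
    param($Previous, $Current)
    # Records present in the earlier export but absent now, keyed on owner name, type and data.
    $seen = @{}
    foreach ($r in $Current) { $seen["$($r.OwnerName)|$($r.Type)|$($r.Data)"] = $true }
    $Previous | Where-Object { -not $seen.ContainsKey("$($_.OwnerName)|$($_.Type)|$($_.Data)") }
}

if (-not (Test-Path $SnapshotDir)) { New-Item -ItemType Directory -Path $SnapshotDir | Out-Null }

$current = @(Get-ZoneSnapshot -Server $DnsServer -ZoneName $Zone)
$staticCount = @($current | Where-Object { $_.Static }).Count
Write-Host ("{0}: {1} records ({2} static)" -f $Zone, $current.Count, $staticCount)

# Compare with the most recent earlier export, if any, to see what scavenging (or anything else) removed.
$latest = Get-ChildItem -Path $SnapshotDir -Filter "$Zone-*.csv" | Sort-Object LastWriteTime | Select-Object -Last 1
if ($latest) {
    $removed = @(Compare-Snapshot -Previous (Import-Csv $latest.FullName) -Current $current)
    Write-Host ("Removed since {0}: {1}" -f $latest.Name, $removed.Count)
    $removed | Format-Table OwnerName, Type, Data -AutoSize
}

# Records that would go if scavenging ran now with these intervals; check no critical host is listed.
$stale = @(Get-StaleRecord -Records $current -NoRefreshDays $NoRefreshDays -RefreshDays $RefreshDays)
Write-Host ("Stale with No-Refresh {0}d + Refresh {1}d: {2}" -f $NoRefreshDays, $RefreshDays, $stale.Count)
$stale | Sort-Object TimeStamp | Format-Table OwnerName, Type, Data, TimeStamp -AutoSize

# Keep this run as the baseline for the next comparison.
$file = Join-Path $SnapshotDir ("{0}-{1}.csv" -f $Zone, (Get-Date -Format 'yyyyMMdd-HHmm'))
$current | Export-Csv -Path $file -NoTypeInformation
```

Run it once before enabling aging (with automatic scavenging off everywhere, per step 1) and again after each day's refresh window; a critical server appearing in the stale list is the case to investigate before step 5.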
Leo (Author) commented:
Thanks, but as you said, turn on scavenging for one or two servers.... how can I do that? Because when scavenging is enabled on a zone... it propagates to all the rest of the servers.... so how can I only select one or two servers... and enable scavenging and the refresh rate on them?

Chris Dent (PowerShell Developer) commented:
When I say that I mean the automatic scavenging process under the server properties / Advanced in the DNS console. That's the setting that should be set on one, maybe two servers.

The Aging settings do replicate as you've noted, but on their own they do nothing (unless you manually start Scavenging).

Chris

Leo (Author) commented:
That's what I am a bit confused about :-( Sorry to ask the same question again.... when you say.... "When I say that I mean the automatic scavenging process under the server properties / Advanced in the DNS console. That's the setting that should be set on one, maybe two servers."
So if it's turned on, let's say on a DNS server DC01... which holds the role of DNS... once it's turned on there... wouldn't it get propagated to the rest of the DNS servers?
Is there a way of turning on scavenging on a test server which doesn't hold the role of DNS?
And can you please tell me where I have to set the refresh rate and no-refresh? I can't seem to find it :-(

Chris Dent (PowerShell Developer) commented:
> so if its turned on lets say on a dns server DC01...which holds the role of DNS...once its turned on this...wouldn't it gets propagated to rest of DNS servers?

Nope :)

That's the setting that doesn't travel.

> is there a way of turning on scavinging on a test server which doesn't hold the role of DNS?

Nope, none of this can be configured without a DNS server, I'm afraid.

> And can you please tell me where do I have to set the refresh rate and non-refresh? I cant seem to find it :-(

1. DNS Management console
2. Forward Lookup Zones
3. Select the zone you wish to configure (and wait for it to finish loading)
4. Properties
5. General tab
6. Aging button (towards the bottom)

Cheers,

Chris

Leo (Author) commented:
Thanks again....
How can I disable automatic scavenging on all DNS servers?

Also, I have almost completed a report; I will attach it soon for your review.....

Leo (Author) commented:
Kindly just check the flow of the procedure and let me know, or amend the attached document.
DNSCleanOut.docx

Chris Dent (PowerShell Developer) commented:
I've added some comments to the document; please let me know if anything is not clear.

Chris

Chris Dent (PowerShell Developer) commented:
Ack, sorry, attachment failure.

Chris
DNSCleanOut.docx

Leo (Author) commented:
In one of your previous comments it says:
"Note that accuracy of the audit is only guaranteed if you enable the Aging settings on the zone. Without this record timestamp changes do not reliably replicate between DCs. This is why you must disable automatic scavenging as a first step.
Once you're happy that the stale records do not represent your critical servers you can enable automatic scavenging."
I am going to enable a refresh rate of 7 days.... by stale records you mean deleted records, right? That can be determined after the 7 day period, running the PowerShell script you provided..... and seeing which records have gone missing?

Chris Dent (PowerShell Developer) commented:
> by Stale Records you mean Deleted records

Nope, just records where the timestamp is very old (older than both of the two aging intervals added together).

Like stale bread, it only goes away if you chuck it; it's just less useful than it might have been before.

Chris

Leo (Author) commented:
So with the procedure I have uploaded, once DNS scavenging is run, it will delete all the records which have an old timestamp.... and once I know it hasn't deleted any DNS records for servers I should enable Automatic Scavenging..... which is enabled as shown in the attached picture?
Also, the audit procedure I uploaded, are the steps right?
AutoScvan.jpg

Chris Dent (PowerShell Developer) commented:
I couldn't see any problems with it, although I haven't checked it rigorously.

Looks fairly reasonable otherwise, I think.

Chris

Leo (Author) commented:
I have made slight changes and attached it again; kindly review it. My manager is quite picky.... in finding out small mistakes.... so kindly check it and let me know if it's OK for me to submit it to him....
Scavenging-Addresses.docx

Chris Dent (PowerShell Developer) commented:
Sorry, I'm in the middle of a significant project; it's got first call on my time.

Looks good for the most part. This is the only one I'd like to comment on:

> Automatic Scavenging can be enabled on all domain controllers;

I recommend you enable this on one or, at most, two Domain Controllers. The changes performed by this task will replicate, and realistically only one server can do this job anyway.

Good work.

Chris

Leo (Author) commented:
My manager found a server from a cluster and he showed me that the timestamp date on that server hasn't been updated in the last 10 days.... so applying a no-refresh / refresh interval of 3 and 4 days would have deleted that record :-(
Don't know how that happened; I thought all server DNS record timestamps get updated every 24 hours.....

Chris DentPowerShell DeveloperCommented:
You must enable ageing to get a true picture of the time stamp values. Partial replication of the record will break reporting otherwise.

If you enable ageing in such a manner, ensure that automatic scavenging is disabled everywhere first (of course). You want accuracy for reporting, but for no action to be taken.

Be mindful that the zone will be locked for 4 days (Refresh Interval) before scavenging could occur anyway, so you have some breathing space. That's the date you see in the Next Available Scavenging time if you open the Ageing properties on a single zone.

If you then find servers aren't refreshing you will need to figure out why before you run scavenging or enable automatic scavenging. The event logs on the server are the first port of call; if it's having trouble registering DNS records there will be an event logged.

Chris
0
 
LeoAuthor Commented:
Understood... the question is how the server has a timestamp from 10 days back?
If scavenging is enabled in the 3, 4 scenario... this server will get scavenged... right?
0
 
Chris DentPowerShell DeveloperCommented:
Yes, this is why you need the timestamps replicating properly (for accuracy). Then if your audit reveals that servers are not correctly updating, it'll need to be investigated on a case-by-case basis.

For example, it could be that the server doesn't have permission to update the record, or it may have erroneous DNS servers listed in its TCP/IP configuration.

Auditing impact and remediating any problems before making the real change is critical to give you confidence it won't wipe your business out for hours / days.

Chris
0
 
LeoAuthor Commented:
I understand... it's just my manager has picked up that I didn't cover that in my report.... meaning auditing the servers' timestamps before enabling DNS scavenging... and he has made a big issue out of it...
That's why I asked you to review it before I submit :-(
0
 
Chris DentPowerShell DeveloperCommented:
There's only so much I can do unfortunately, short of writing the report for you. It's tempting to do so, but our writing styles are very different which leaves limited scope to change things.

Chris
0
 
LeoAuthor Commented:
I meant to say... the first thing which needs to be done is to check the timestamps for the servers.... and then set the refresh and no-refresh intervals...
And I didn't ask you to write the report... I just asked you to review it :-(
0
 
LeoAuthor Commented:
The point my manager pointed out is that he showed me a server whose records are getting refreshed every 10 to 12 days....
So with the setup I suggested, after 7 days the server record would have been marked for scavenging and on the 8th its record would have been deleted, and the databases which are connected to that server wouldn't be able to resolve its name or IP address.
0
 
Chris DentPowerShell DeveloperCommented:
Yep, and as I said several times above, the audit process must identify those and address any problems before you enable scavenging.

It is very important to highlight that just enabling Ageing on its own does nothing. Only when you manually run scavenging or set up automatic scavenging will changes be committed.

So surely the response is simply: "thank you, I'll investigate the problem before we consider enabling automatic scavenging or running a scavenging cycle".

Chris
0
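An added audit helper for the step Chris describes above (checking timestamps case by case before any scavenging cycle runs); this is example code written for this thread, not a script from the thread or from Microsoft. It classifies each record's timestamp age against the 3-day no-refresh and 4-day refresh intervals discussed here, so a record like the 10-day-old cluster entry shows up as STALE before anything is deleted. The sample records and hostnames are constructed placeholders.

```powershell
# Added example, not from the thread. Classifies records by timestamp age against the
# No-refresh and Refresh intervals. Enabling ageing alone never deletes anything; a record
# flagged STALE is only removed when a scavenging cycle actually runs.
function Get-DnsRecordAgingState {
    param(
        # Objects with HostName and Timestamp (DateTime, or $null for static records);
        # Get-DnsServerResourceRecord output has both of these properties.
        [Parameter(Mandatory)] [object[]] $Records,
        [int] $NoRefreshDays = 3,
        [int] $RefreshDays = 4,
        [datetime] $Now = (Get-Date)
    )
    $staleAfter = $NoRefreshDays + $RefreshDays   # 7 days in the thread's scenario
    foreach ($r in $Records) {
        if ($null -eq $r.Timestamp) {
            $ageDays = $null
            $state   = 'Static (no timestamp, never scavenged)'
        } else {
            $age     = ($Now - $r.Timestamp).TotalDays
            $ageDays = [math]::Round($age, 1)
            if     ($age -lt $NoRefreshDays) { $state = 'Fresh (inside no-refresh window)' }
            elseif ($age -lt $staleAfter)    { $state = 'Refreshable (inside refresh window)' }
            else                             { $state = 'STALE (eligible when scavenging runs)' }
        }
        [pscustomobject]@{
            HostName  = $r.HostName
            Timestamp = $r.Timestamp
            AgeDays   = $ageDays
            State     = $state
        }
    }
}

# Constructed sample data; hostnames are placeholders, not from the thread.
$now = Get-Date '2015-01-20'
$sample = @(
    [pscustomobject]@{ HostName = 'dc01';      Timestamp = $now.AddDays(-1) }
    [pscustomobject]@{ HostName = 'sqlclus01'; Timestamp = $now.AddDays(-10) }  # the 10-day case
    [pscustomobject]@{ HostName = 'web01';     Timestamp = $now.AddDays(-5) }
    [pscustomobject]@{ HostName = 'printer01'; Timestamp = $null }
)
$report = Get-DnsRecordAgingState -Records $sample -Now $now
$report | Format-Table -AutoSize

# Servers to investigate (event logs, update permissions, client DNS settings) before scavenging
$report | Where-Object { $_.State -like 'STALE*' } | Select-Object HostName, AgeDays
```

On Windows Server 2012 or later you can feed live records in with `Get-DnsServerResourceRecord -ZoneName 'domain.com' -RRType A -ComputerName <dc>` from the DnsServer module (assumed available; the 2003/2008 DCs in this thread do not have it). Run it against the DC where ageing is enabled so the timestamps you see are the replicated, accurate ones.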
 
LeoAuthor Commented:
So enabling the refresh and no-refresh scavenging intervals won't delete any of the DNS records?
0
 
Chris DentPowerShell DeveloperCommented:
No, it won't do anything unless you also enable Automatic Scavenging or start Scavenging from the right-click context menu in the DNS console.

Chris
0
 
LeoAuthor Commented:
So what do the refresh and no-refresh intervals do? I thought if I put 3 no-refresh and 4 refresh, and DHCP is set for 8 days.... after 8 days any servers that haven't updated their timestamp date will get scavenged?
0
 
Chris DentPowerShell DeveloperCommented:
They set the rules, the scavenging process enforces them.

Chris
0
 
LeoAuthor Commented:
So clicking on Scavenge stale resource records and setting the no-refresh and refresh intervals wouldn't delete any DNS records?
0
 
Chris DentPowerShell DeveloperCommented:
Ticking the Scavenge Stale records box and setting the refresh intervals only says what the rules are. Nothing happens until you execute the scavenging process.

Chris
0