Turn on ageing but not scavenging

DNS ageing without scavenging
As a preliminary phase, prior to enabling scavenging, I want to start replicating the timestamps of Microsoft Active-Directory-Integrated zone.
All my DNS servers are Global Catalog & Domain Controllers.
From my research, the way to replicate the timestamps on records is to enable Ageing/Scavenging on the targeted Zone, but NOT enable scavenging on the Servers.
Is this correct?
Also, are secure dynamic updates a requirement? I currently have "allow non secure dynamic updates" set at the zone.

Once all my timestamps are coordinated I will enable the scavenging on the "PDC" domain controller only.
Thanks in advance.
My servers are 2008, 2012 and 2016
challBOE asked:
Sean (System Engineer) commented:
No, you will need to enable scavenging; otherwise the records that have the old date won't get deleted, therefore the timestamp will be incorrect. Basically, the way it works is that the timestamp is replicated regardless, but because the record doesn't get deleted, it doesn't update, because it's still resolving to the correct host. You need to enable both for the timestamps to be correct across all DNS servers.

Here is a thread for further information that might explain more:

https://social.technet.microsoft.com/Forums/windowsserver/en-US/5c69b7b6-ce8e-49c6-aaf3-2da5c587dd52/dns-record-timestamp-replication?forum=winserverNIS
footech commented:
Yes, that's correct.  For each server make sure the box is not checked for "enabled automatic scavenging of stale records".
Secure dynamic updates are not a requirement.  Any record created dynamically will get a timestamp.
footech commented:
Sean - the records with the old timestamp do not need to be deleted for the timestamp to be replicated to other servers.  All that is needed is for the zone to have ageing enabled.
Mahesh (Architect) commented:
"From my research, the way to replicate the timestamps on records is to enable Ageing/Scavenging on the targeted Zone, but NOT enable scavenging on the Servers."

Your research is not correct; the scavenging technology is pretty old (it has been there since Server 2003) and is well documented.

The DNS zone replicates among DC servers as long as it is AD-integrated, and it replicates everything, including the time stamp, regardless of whether scavenging is enabled or not. By default all dynamic records have a time stamp; scavenging needs to be enabled to keep the DNS zone data current / up to date.
By default ageing is enabled on all dynamic records, but only when you enable scavenging on the zone does ageing have any meaning, as after the scavenging cycle runs, records aged beyond the scavenging period get deleted.

Enabling scavenging is a two-step process.
1. Enable scavenging only on the primary DNS zone (AD-integrated), such as contoso.com, which is the zone for your AD domain contoso.com. Once enabled on any one server, it will get replicated to the other domain controllers that also host a copy of the contoso.com zone.
2. Further, scavenging needs to be enabled on any one server (preferably the PDC) only.

Secure dynamic updates ensure that records are modified by authenticated clients only, so you should set that. It will prevent modification of DNS zone data by unauthorized means.
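The two-step procedure above, written out in PowerShell as an added example (this is not code from the thread or from Microsoft; it uses the DnsServer and ActiveDirectory RSAT modules). It assumes the AD domain zone is "contoso.com" (Mahesh's example), 7-day no-refresh/refresh/scavenging intervals, and that every DC is also a DNS server, as in the question. Step 1 is a zone property and replicates with the zone; step 2 is a per-server property and is applied to the PDC emulator only; the zone is also switched to secure dynamic updates:

```powershell
# Added example (not from the thread): enable ageing on an AD-integrated zone,
# enable the scavenging process on the PDC emulator only, and switch the zone to
# secure dynamic updates. Run from a DC or a box with the RSAT DNS/AD modules.
# Assumptions: zone "contoso.com", 7-day intervals, all DCs host DNS.
#Requires -Modules DnsServer, ActiveDirectory

$ZoneName = 'contoso.com'               # assumption: your AD domain zone
$Interval = New-TimeSpan -Days 7        # assumption: no-refresh = refresh = scavenging period
$Pdc      = (Get-ADDomain).PDCEmulator  # the ONE server that will actually delete stale records

# Step 1: zone-level ageing. The zone is AD-integrated, so this setting and the
# per-record timestamps replicate to every DC that hosts the zone.
Set-DnsServerZoneAging -Name $ZoneName -ComputerName $Pdc `
    -Aging $true -NoRefreshInterval $Interval -RefreshInterval $Interval

# Secure dynamic updates: only authenticated (Kerberos) clients may create or modify records,
# and a client can only overwrite records it owns.
Set-DnsServerPrimaryZone -Name $ZoneName -ComputerName $Pdc -DynamicUpdate Secure

# Step 2: server-level scavenging on ONE server only. This is the per-server
# "Enable automatic scavenging of stale records" checkbox and does NOT replicate.
Set-DnsServerScavenging -ComputerName $Pdc -ScavengingState $true -ScavengingInterval $Interval

# Verify: zone ageing should read True everywhere; ScavengingState should be True on the PDC only.
foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    $srv  = Get-DnsServerScavenging -ComputerName $dc
    $zone = Get-DnsServerZoneAging  -ComputerName $dc -Name $ZoneName
    [pscustomobject]@{
        Server               = $dc
        ZoneAgingEnabled     = $zone.AgingEnabled
        AvailForScavengeTime = $zone.AvailForScavengeTime   # earliest time a scavenge may run
        ServerScavenging     = $srv.ScavengingState
        LastScavengeTime     = $srv.LastScavengeTime
    }
}
```

Note the AvailForScavengeTime column: enabling ageing on a zone starts a timer, and nothing in that zone is deleted until it expires and the record itself has passed both the no-refresh and refresh intervals, so the first scavenge can be a couple of weeks away with 7-day intervals. If you want to restrict which servers may scavenge a particular zone rather than rely on the per-server checkbox alone, Set-DnsServerZoneAging also takes -ScavengeServers (the equivalent of dnscmd /ZoneResetScavengeServers).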
footech commented:
I have always followed the guidance in https://blogs.technet.microsoft.com/networking/2008/03/19/dont-be-afraid-of-dns-scavenging-just-be-patient/

"The timestamp may get updated on the server where the client dynamically registers but it will not replicate around to the other servers in the zone."
The statement seems pretty clear.

Now to be fair, I haven't had to enable scavenging on an in-use environment for a few years, so my memory could be faulty, but my recollection is that before ageing was turned on for a zone, if you looked at a particular record it would have one timestamp on one server and then a different timestamp on another server.

Mahesh (Architect) commented:
No.
The statement is contradicting itself; I copied the entire paragraph from the article you posted:
"Once a timestamp is set on a record it will replicate around to all servers that host the zone.  There is one caveat to this.  If scavenging is not enabled on the zone that hosts the record then it will never scavenge so the timestamp is essentially irrelevant.  The timestamp may get updated on the server where the client dynamically registers but it will not replicate around to the other servers in the zone."

The point here is that the scavenging process happens only on a single server; if the time stamp did not replicate among servers, then the scavenging process would not be useful at all. In short, it would only create issues.
When there is any change in a dynamically updated record, or in any other parameter of the record, the USN value of the zone SOA record gets increased on that server, and then the other servers start polling the updated data from that server, and thus the time stamp gets updated.
If this were not the case, DNS would malfunction.
challBOE (Author) commented:
I turned on scavenging on the particular zone.  I manually set it on a few of the servers, but it appears to have propagated the "scavenge/age" setting for that zone to all the DCs.
TimeStamps are now being properly synched between the servers.

Now I think I need to use DNSCmd to enable only ONE server to do the actual deletions (I need to look up that command).
However, I ran this informational command:
DNSCMD /zoneinfo _msdcs.MyZone.com
And got this result; note:
Zone info:
        ptr                   = 0000018A59337720
        zone name             = _msdcs.MyZone.com
        zone type             = 1
        shutdown              = 0
        paused                = 0
        update                = 1
        DS integrated         = 1
        read only zone        = 0
        in DS loading queue   = 0
        currently DS loading  = 0
        data file             = (null)
        using WINS            = 0
        using Nbstat          = 0
        aging                 = 0
          refresh interval    = 168
          no refresh          = 168
          scavenge available  = 0
        Zone Masters    NULL IP Array.
        Zone Secondaries        NULL IP Array.
        secure secs           = 3
        directory partition   = AD-Forest     flags 00000019
        zone DN               = DC=_msdcs.MyZone.com,cn=MicrosoftDNS,DC=ForestDnsZones,DC=MyZone,DC=com
footech commented:
I could point to another Microsoft blog that also says DNS time stamps are not updated in Active Directory until you turn on scavenging on a zone.
"if time stamp did not replicates among servers, then scavenging process is not useful at all"
I never said that it doesn't replicate, just that it doesn't replicate for a zone until ageing is turned on for that zone.  If ageing is not turned on for a zone, then it's not eligible to be scavenged, and there's no point in replicating the timestamps.  But it's not important to argue the point further.

Once ageing is turned on for a zone, that setting replicates so if you look on other servers you see the same thing.
Scavenging process happens on any server that has it turned on.
You don't need dnscmd to turn on scavenging.  You can just go to the properties of the server in the DNS Management console > Advanced tab > check the box "enable automatic scavenging of stale records".  You would only need the dnscmd if you wanted to set specific servers to scavenge a specific zone.  Otherwise, the servers that have the box checked will scavenge all zones that have ageing enabled.
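Whether the per-record timestamps really are identical on every DC is something that can be measured rather than argued. The script below is an added example, not from the thread, that pulls the A records of one zone from every DC and reports any record whose timestamp differs between servers (or is missing on one of them). It assumes the zone "contoso.com", that every DC hosts DNS, and the DnsServer and ActiveDirectory RSAT modules; run it before and after enabling ageing on the zone to see the effect for yourself:

```powershell
# Added example (not from the thread): compare a zone's per-record timestamps
# across every DC that hosts it. Assumptions: zone "contoso.com", all DCs are
# DNS servers, DnsServer + ActiveDirectory modules available.
#Requires -Modules DnsServer, ActiveDirectory
param(
    [string]$ZoneName  = 'contoso.com',                                 # assumption
    [string[]]$Servers = (Get-ADDomainController -Filter *).HostName    # every DC
)

# Per server: hashtable of "host/ip" -> Timestamp ($null means a static record)
$byServer = @{}
foreach ($srv in $Servers) {
    $byServer[$srv] = @{}
    Get-DnsServerResourceRecord -ZoneName $ZoneName -ComputerName $srv -RRType A |
        ForEach-Object {
            $key = '{0}/{1}' -f $_.HostName, $_.RecordData.IPv4Address
            $byServer[$srv][$key] = $_.Timestamp
        }
}

# Union of every record seen on any server
$allKeys = $byServer.Values | ForEach-Object { $_.Keys } | Sort-Object -Unique

$report = foreach ($key in $allKeys) {
    $stamps = [ordered]@{}
    foreach ($srv in $Servers) {
        if (-not $byServer[$srv].ContainsKey($key)) { $stamps[$srv] = 'missing' }  # not replicated (yet)
        elseif ($null -eq $byServer[$srv][$key])    { $stamps[$srv] = 'static'  }  # no timestamp, never scavenged
        else { $stamps[$srv] = $byServer[$srv][$key].ToString('s') }
    }
    [pscustomobject]@{
        Record     = $key
        InSync     = (@($stamps.Values | Sort-Object -Unique).Count -eq 1)
        Timestamps = ($stamps.GetEnumerator() | ForEach-Object { '{0}={1}' -f $_.Key, $_.Value }) -join '; '
    }
}

# Show only the records whose timestamp differs somewhere, then a summary line
$report | Where-Object { -not $_.InSync } | Format-Table -AutoSize -Wrap
'{0} of {1} A records carry the same timestamp on all {2} servers' -f `
    @($report | Where-Object InSync).Count, @($report).Count, $Servers.Count
```

Two things to keep in mind when reading the output: a record that was refreshed in the last few minutes can legitimately differ until AD replication catches up, and because a dynamic client's refresh only rewrites the timestamp once the no-refresh interval has passed, a busy zone will normally show a handful of transient mismatches even when everything is healthy. Records reported as "static" on every server have no timestamp and will never be scavenged, which is the intended state for manually created entries.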
challBOE (Author) commented:
Setting Ageing/scavenging on the zone did cause synchronization of timestamps.
I will set actual scavenging on just the PDC-emulator after the expiration date, just to see if there are deletions without setting scavenging at the server level. I have a daily DNS backup of each server just in case.
Thank you both.
Mahesh (Architect) commented:
That's not true; the time stamp replicates regardless of scavenging.
Scavenging is there to keep the zone data clean.
Also, enable it at the zone level on any one server and eventually it will replicate to all servers.
No need to enable it on every server.
It seems that you misunderstood the AD replication concept.
challBOE (Author) commented:
Mahesh, the time stamp did NOT replicate prior to setting aging/scavenging.
That is my experience in my environment.