Forum.Brain-Cluster.com: Brain Cluster Technical Forum
DNS Scavenging [message #156073] Wed, 10 June 2009 01:02
Kerry (United States)
Messages: 48
Registered: July 2009
Member
We are planning to turn on DNS scavenging (default values, 7 days) and are currently doing a risk assessment. We would like to know if there is any way we can find out which records will be deleted once scavenging is enabled.

Also, any assistance on what areas should be taken care of before enabling scavenging, so that it does not break our production environment? For example, static records (CNAME records created for web links, etc.) should be configured not to delete the DNS record when it becomes stale, etc.
--
Re: DNS Scavenging [message #156077 is a reply to message #156073] Wed, 10 June 2009 03:13
KnutM (United States)
Messages: 1
Registered: June 2009
Junior Member
Hi Kerry,
take a look at this article:
http://blogs.technet.com/networking/archive/2008/03/19/don-t-be-afraid-of-dns-scavenging-just-be-patient.aspx


Knut

Re: DNS Scavenging [message #156094 is a reply to message #156073] Wed, 10 June 2009 08:47
aceman (United States)
Messages: 5816
Registered: July 2009
Senior Member
"Kerry" <Phanindra@live.com> wrote in message
news:OLu8uiY6JHA.1432@TK2MSFTNGP02.phx.gbl...
===========

In addition to KnutM's post, which is a link to a great article on the subject, here is additional information on scavenging and other related factors:

----
DHCP, Dynamic DNS Updates, Scavenging, static entries & timestamps, and the DnsUpdateProxy Group:
--------------------------------------------
The entity that registers a record owns it. The nice thing about DHCP owning the record is that it will update it if DHCP gives the machine a new IP. Otherwise you'll see multiples of the same record in DNS whether scavenging is enabled or not. I would force DHCP to own the record as well as enable scavenging to keep it clean. To force DHCP to own the record, you will need to do the following:

1. Add the DHCP server to the DnsUpdateProxy group.
2. Force DHCP to register all records, forward and PTR (whether a client machine can do it or not), in the Option 081 tab (DHCP properties, DNS tab).
3. Set Option 015 to the AD domain name (such as example.com).
4. Set Option 006 to only the internal DNS servers.
5. If the zone is set for Secure Updates Only, then DHCP cannot update non-Microsoft clients and Microsoft clients that are not joined to the domain. In this case, you will need to create and configure a user account for use as credentials for DHCP to register such clients.
   If your DHCP servers are Windows 2003 or Windows 2008, configure the dedicated user account you created as credentials in DHCP by going into the DHCP console, DHCP server properties, and on the Advanced tab of the DHCP Server Properties sheet click the Credentials button, and provide this account info.
   The user account does not need any elevated rights; a normal user account is fine. However, I recommend using a strong, non-expiring password on the account.

Once you implement scavenging, you will need to wait at least a week for it to take effect. You can quicken it up by manually deleting the incorrect records to get started.

But more importantly, if DHCP is on a DC, it will not overwrite the original host record for a machine getting a new lease with an IP formerly belonging to another. To overcome this, add the DHCP server (the DC) to the DnsUpdateProxy group. This will force DHCP to own all records it will create moving forward and will update an IP with a new name in DNS.

With regards to the DnsUpdateProxy group, this is one method, but normally, for the most part, it is not advised to use it as it weakens security, INCLUDING the DC records if DHCP is on a DC. Preferably configure DHCP with an account. This can be done in W2K and W2K3 and up:
For W2K you need to use NETSH.
For W2K3 and up you can use NETSH or the GUI.


If you set this, but a record shows up in the DHCP lease list with a pen (which means that a write is pending), it may mean it is trying to register into a zone that does not exist on the DNS servers. This happens in cases where the client machine is not joined to the domain and has a missing or different suffix than the zone in DNS. It can only register into a zone that exists on DNS and for which zone updates have been configured to allow updates.
If this is the case, go into the client machine's IP properties, and on the DNS tab in TCP/IP properties, clear the "Register this connection's addresses in DNS" as well as the "Use this connection's DNS suffix in DNS registration" check boxes; the DHCP server will fill these in for you and register using the domain name in Option 015.

Concerning records and timestamps, and lack of timestamps:

If the record was manually created, it won't show a time stamp; however, if the record was dynamically registered, it will show a time stamp. My guess is the records you are referring to were manually created. If you manually create a record, the checkbox will not be checked to scavenge; however, if it was dynamically registered, it will be checked. I just tested this with Windows 2003 DNS. When I had built a few servers for a customer and let them auto register, they had a timestamp and the scavenge checkbox was checked. For the records I manually created, such as internal www records and others, they did not have a time stamp and were not checked to scavenge.

Even if you allow auto registration, which I do by default, and it gets scavenged, it gets re-registered anyway by the OS. Unless you are seeing something going on that is affecting your environment, the default settings work fine; at least they do for me for all of my customers and installations I've worked in where I've set scavenging and forced DHCP to own the records so it can update the records it had registered at lease refresh time.


The following links provide additional information on how it all works.

How to configure DNS dynamic updates in Windows Server 2003:
http://support.microsoft.com/kb/816592

Using DNS Aging and Scavenging: Aging and scavenging of stale resource records are features of Domain Name System (DNS) that are available when you deploy your server with primary zones.
http://technet.microsoft.com/en-us/library/cc757041.aspx

Microsoft Enterprise Networking Team: Don't be afraid of DNS scavenging, just be patient (Mar 19, 2008). DNS scavenging is a great answer to a problem that has been nagging everyone since RFC 2136 came out way back in 1997.
http://blogs.technet.com/networking/archive/2008/03/19/don-t-be-afraid-of-dns-scavenging-just-be-patient.aspx

DHCP, DNS and the DNSUpdateProxy group (Directory Services/Active Directory): I had a discussion in the newsgroups lately about DHCP and the DNSUpdateProxy group, which is used to write unsecured DNS entries to a DNS zone which only ...
http://msmvps.com/ulfbsimonweidner/archive/2004/11/15/19325.aspx

And from Kevin Goodknecht:
Setting up DHCP for DNS registrations
http://support.wftx.us/setting_up_dhcp_for_dns_registra.htm

317590 - HOW TO: Configure DNS Dynamic Update in Windows 2000 and DNSUpdateProxy Group:
http://support.microsoft.com/?id=317590

816592 - How to configure DNS dynamic updates in Windows Server 2003:
http://support.microsoft.com/kb/816592/

Follow-up discussion on the DNSUpdateProxy group:
http://msmvps.com/ulfbsimonweidner/archive/2005/03/26/39841.aspx
======================================================================

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
Microsoft Certified Trainer
aceman@mvps.RemoveThisPart.org

For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

"Efficiency is doing things right; effectiveness is doing the right
things." - Peter F. Drucker
http://twitter.com/acefekay
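The DHCP side of Ace's steps 2 to 5, written out as an added PowerShell example; it is not code from this thread, from Ace, or from Microsoft's documentation. It assumes the DhcpServer and ActiveDirectory modules (Windows Server 2012 and later, or RSAT; the Windows 2003/2008 servers discussed above would use NETSH or the console as Ace describes). The server name, domain name, DNS addresses and the credential prompt are placeholders. It follows Ace's preference for a dedicated low-privilege credential over DnsUpdateProxy membership, and reports any remaining DnsUpdateProxy members because records they write are unsecured.

```powershell
# Added example (not from this thread). Assumes the DhcpServer and ActiveDirectory
# PowerShell modules (Windows Server 2012 or later, or RSAT); the server, domain
# and address values are placeholders. Implements Ace's steps 2 to 5 with the
# credential method rather than DnsUpdateProxy membership.
param(
    [string]   $DhcpServer = 'dhcp01.example.com',         # placeholder DHCP server
    [string]   $DomainName = 'example.com',                # Option 015 value
    [string[]] $DnsServers = @('192.0.2.10', '192.0.2.11') # Option 006: internal DNS only (documentation range)
)

Import-Module DhcpServer      -ErrorAction Stop
Import-Module ActiveDirectory -ErrorAction Stop

# Step 5: an ordinary user account, no elevated rights, that DHCP presents when
# it writes into a zone set to Secure Updates Only. DHCP then owns the records
# of non-domain and non-Microsoft clients and can update them at lease renewal.
$cred = Get-Credential -Message 'DHCP DNS registration account (ordinary user, strong non-expiring password)'
Set-DhcpServerDnsCredential -Credential $cred -ComputerName $DhcpServer

# Step 2: register A and PTR for every lease, including clients that cannot
# ask for it themselves, and remove them when the lease expires.
Set-DhcpServerv4DnsSetting -ComputerName $DhcpServer `
    -DynamicUpdates Always `
    -UpdateDnsRRForOlderClients $true `
    -DeleteDnsRROnLeaseExpiry $true

# Steps 3 and 4: server-level Option 015 (DNS domain) and Option 006 (DNS servers).
Set-DhcpServerv4OptionValue -ComputerName $DhcpServer -DnsDomain $DomainName -DnsServer $DnsServers

# Check: records written by DnsUpdateProxy members are unsecured, which on a DC
# includes the DC's own records. Report members so the group can be emptied
# once the credential above is in place.
$members = Get-ADGroupMember -Identity 'DnsUpdateProxy' -ErrorAction SilentlyContinue
if ($members) {
    Write-Warning ("DnsUpdateProxy still has members: {0}" -f (($members | ForEach-Object Name) -join ', '))
}

# Read the result back for the change record.
Get-DhcpServerv4DnsSetting -ComputerName $DhcpServer |
    Format-List DynamicUpdates, UpdateDnsRRForOlderClients, DeleteDnsRROnLeaseExpiry
Get-DhcpServerv4OptionValue -ComputerName $DhcpServer -OptionId 6, 15 |
    Format-Table OptionId, Name, Value -AutoSize
```

Run it once per DHCP server from an account that administers DHCP and can read AD group membership. Only the credential and the three DNS settings change anything; the membership check and the read-back at the end are there so the before/after state is recorded.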
Re: DNS Scavenging [message #156098 is a reply to message #156073] Wed, 10 June 2009 10:07
meiweb(nospam) (Germany)
Messages: 1307
Registered: July 2009
Senior Member
Hello Kerry,

In addition to what the others pointed out, do not go under 24 hours, because machines with fixed IP addresses re-register once a day, so if you go under 24 hours it can happen that some of them are kicked out.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
