DNS Scavenging help

Barkley Bees

I am currently preparing to perform DNS scavenging on one of our Forward DNS
Zones (domain.local) and was hoping to get some words of advice. This is a
fully Windows 2003 domain with 3 DCs hosting DNS.

The goal here is to get rid of the old stale client computer records. A few
questions, if I may:

1. To ensure that A records for all our static servers don't get deleted
during the scavenging I will uncheck "Delete this record when it becomes
stale" for them. After unchecking this should I be changing the TTL from 20
mins to 1 hour for these records or leave them as is?

2. In addition to the server A records, I can see the "Service Location
(SRV)" records (_gc, _kerberos, _ldap, _kpasswd) buried in subfolders within
the forward zone I want to scavenge. These records have the option to be
scavenged/deleted when they become stale. Should they have this option
removed so they cannot be scavenged? I ask, because these SRV records are
all of course associated with our 3 domain controllers.

3. As our DNS is hosted by all 3 of our DCs, should I be scavenging on all
of them or just the primary?

4. Since I will only be scavenging one of our forward zones I will set the
scavenging directly on it, but do I then also need to enable it on the server
itself (dnsmgmt -> servername -> Advanced -> Enable automatic scavenging of
stale records)?

5. What are the best practice "No-refresh interval" and "Refresh interval"
to use? I am assuming 7 and 7 days should be fine.

6. I assume that scavenging is not something you keep enabled all the time
but rather set every so often to clean up the DNS records. What general
practice do you follow for scheduling (once a month, quarter, etc.)?

Appreciate any helpful advice. Thanks very much.
cpmf2112

It sounds as if your DNS configuration is somewhat different from MS
best practices... not that it is all that great either, but I might
suggest changing your DNS structure around considerably, depending on
how many servers and workstations you have and their level.

I would suggest running AD-integrated zones first of all and not doing ANY
zone transfers. I hate zone transfers, and AD does a decent job of
replication and keeping the zones updated. If you have AD-integrated
zones, you only need to change settings in one place. Any AD server
will act as a primary DNS if you must do zone transfers.

Make sure you have reverse DNS zones created for your subnets.

Make sure that every client machine and every server has correct DNS/
WINS settings. I cannot stress this enough. What I mean by this is to
verify that if you check all the clients and the servers, their primary
NIC has the TCP/IP properties set to use your AD/DNS/WINS servers in the
IP settings boxes for DNS/WINS. If you have multiple AD/DNS/WINS servers,
make sure all of their IPs are entered here. If all of your client
workstations and servers are in the domain and at least Win98/NT, then
they should be able to register their own names with DNS, and their
records will never become stale and should never be scavenged.

You need all the Kerberos SRV records. Don't delete or scavenge ANY of
them unless you know for sure they are wrong, like from an old server
or something. Each DC maintains its records in the Windows
\system32\config\netlogon.dns file. Check it and make sure the records
are correct there. Even if you delete them in DNS or in the
netlogon.dns file, Netlogon will recreate the file and re-register
them in DNS every 90 minutes.

The default scavenging settings are fine and can be left on all the
time once you get the system fine-tuned. You need to turn on
scavenging on the DNS server level AND the zone level. You might want
to scavenge some zones but not others.

Depending on how many DNS records you have, manual scavenging might be
better the first time.
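As an added example (not part of either post), the following PowerShell audit shows the pre-scavenging check the reply recommends: it confirms scavenging is enabled at both the server and the zone level, then classifies every record in the zone as static (no timestamp, never scavenged), still fresh, or already past the no-refresh plus refresh window and therefore eligible. It assumes a Windows Server 2012 or later DNS server with the DnsServer module (the thread's Windows 2003 servers predate these cmdlets); the zone name domain.local is taken from the thread.

```powershell
# Added example: audit a zone before the first (manual) scavenge.
# Assumes the DnsServer module (Windows Server 2012+); zone name from the thread.
$Zone = 'domain.local'

# Scavenging must be on at the server level AND the zone level (see reply above).
$server = Get-DnsServerScavenging
$aging  = Get-DnsServerZoneAging -Name $Zone
"Server scavenging enabled : $($server.ScavengingState)  (interval $($server.ScavengingInterval))"
"Zone aging enabled        : $($aging.AgingEnabled)"
"NoRefresh / Refresh       : $($aging.NoRefreshInterval) / $($aging.RefreshInterval)"

# A dynamic record is eligible once its timestamp is older than
# NoRefreshInterval + RefreshInterval. Records without a timestamp are static
# ("Delete this record when it becomes stale" unchecked) and are never touched.
$cutoff = (Get-Date) - $aging.NoRefreshInterval - $aging.RefreshInterval

$report = Get-DnsServerResourceRecord -ZoneName $Zone | ForEach-Object {
    $state = if (-not $_.Timestamp)           { 'static (never scavenged)' }
             elseif ($_.Timestamp -lt $cutoff) { 'ELIGIBLE for scavenging' }
             else                              { 'dynamic, still fresh' }
    [pscustomobject]@{
        Name      = $_.HostName
        Type      = $_.RecordType
        Timestamp = $_.Timestamp
        State     = $state
    }
}

# Summary per state, then the eligible records to review before deleting anything.
$report | Group-Object State | Select-Object Name, Count | Format-Table -AutoSize
$report | Where-Object State -like 'ELIGIBLE*' | Sort-Object Type, Name | Format-Table -AutoSize

# DC SRV records are re-registered by Netlogon (every 90 minutes per the reply),
# so any SRV record showing as eligible points at a DC that is no longer registering.
$report | Where-Object { $_.Type -eq 'SRV' -and $_.State -like 'ELIGIBLE*' } |
    Format-Table Name, Timestamp -AutoSize

# Once the list looks right, the first pass can be run by hand:
#   Start-DnsServerScavenging -Force
```

Run it on each DNS-hosting DC if the zone is not AD-integrated; on AD-integrated zones the timestamps replicate, so one server's view is sufficient.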