
I recently started looking into a problem where an IT service desk user reported getting connected to an incorrect workstation while trying to help an internal customer. I started digging around our DNS and WINS servers and found a huge number of entries in our AD integrated internal forward and reverse lookup zones that have timestamps that are months & years old; going back as far as September 2010.

Scavenging is enabled and set to the Microsoft defaults of 7 'No-refresh' and 7 'Refresh' at the server level and also at the zone level.

Our DHCP server is set as follows at the server and scope levels:

  • "Enable DNS dynamic updates according to the settings..." - Enabled
  • "Dynamically update DNS A and PTR records only if requested by the DHCP clients" - Enabled
  • "Discard A and PTR records when lease is deleted" - Enabled

DHCP lease duration is the default of 8 days.

Why isn't scavenging working, even though it appears to be set up? Or am I misunderstanding how scavenging works?

Frank Boyd
    Good story. Care to add a question to it? And while you're at it, you might want to throw on some Windows-related tags, as that's an important detail. – HopelessN00b Jan 23 '13 at 20:52
  • @HopelessN00b The question being asked is, "Why isn't scavenging working, even though I've set it up?" – sysadmin1138 Jan 23 '13 at 21:36
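An added PowerShell audit, not part of the original question, that measures exactly what the asker describes: it reads the server's No-refresh and Refresh intervals, computes the point before which a dynamic record is eligible for scavenging, and counts, per AD-integrated zone, the static records (no timestamp, so never scavenged), the dynamic records, and the dynamic records already past that point. It assumes the DnsServer module (Windows Server 2012 or later, or RSAT) and a placeholder server name `dc1.corp.example`; on the 2008-era servers of the question the equivalent data comes from `dnscmd /ZoneInfo` and `dnscmd /EnumRecords`.

```powershell
# Added example, not from the original post. Requires the DnsServer module
# (Windows Server 2012+ or RSAT). The server name is a placeholder.
$DnsServer = 'dc1.corp.example'

$scav = Get-DnsServerScavenging -ComputerName $DnsServer
# A dynamic record becomes eligible for scavenging once its timestamp is older
# than NoRefresh + Refresh (7 + 7 days with the defaults). Timestamps are only
# written to the hour, so a few hours of drift is normal; months and years are not.
$staleBefore = (Get-Date) - ($scav.NoRefreshInterval + $scav.RefreshInterval)

$zones = Get-DnsServerZone -ComputerName $DnsServer |
    Where-Object { $_.ZoneType -eq 'Primary' -and $_.IsDsIntegrated -and -not $_.IsAutoCreated }

$report = foreach ($zone in $zones) {
    $aging   = Get-DnsServerZoneAging -ComputerName $DnsServer -Name $zone.ZoneName
    $records = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zone.ZoneName |
        Where-Object { $_.RecordType -in 'A', 'PTR' }

    # Timestamp is $null on static records, i.e. records whose "Delete this
    # record when it becomes stale" box is unchecked. Scavenging never touches them.
    $static  = @($records | Where-Object { $null -eq $_.Timestamp })
    $dynamic = @($records | Where-Object { $null -ne $_.Timestamp })
    $stale   = @($dynamic | Where-Object { $_.Timestamp -lt $staleBefore })

    [pscustomobject]@{
        Zone         = $zone.ZoneName
        AgingEnabled = $aging.AgingEnabled
        Static       = $static.Count
        Dynamic      = $dynamic.Count
        StaleNow     = $stale.Count
        Oldest       = ($dynamic | Sort-Object Timestamp | Select-Object -First 1).Timestamp
    }
}
$report | Format-Table -AutoSize

# The stale records themselves for the first zone, oldest first. With working
# scavenging nothing should be older than the threshold plus one ScavengingInterval.
$zoneToInspect = $zones[0].ZoneName
Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zoneToInspect |
    Where-Object { $_.RecordType -in 'A', 'PTR' -and $null -ne $_.Timestamp -and $_.Timestamp -lt $staleBefore } |
    Sort-Object Timestamp |
    Select-Object HostName, RecordType, Timestamp,
        @{ n = 'Data'; e = { if ($_.RecordType -eq 'A') { $_.RecordData.IPv4Address } else { $_.RecordData.PtrDomainName } } }
```

If `StaleNow` is large while `AgingEnabled` is true on the zone, the records are eligible and the server is simply not running scavenging cycles; if `Static` is large, those entries were registered without aging and will have to be cleaned up by hand regardless of scavenging.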

1 Answer


Sounds like the records may not have the box checked for "delete this record when it becomes stale".

A very detailed process can be followed to identify where the breakdown is occurring:

http://blogs.technet.com/b/networking/archive/2008/03/19/don-t-be-afraid-of-dns-scavenging-just-be-patient.aspx.

You also need to confirm the DNS server is logging a 2501/2502 event, which occurs when the zone is scavenged.

Greg Askew
  • Just checked a random sample of about 20 old records. All have the "Delete this record when it becomes stale" option checked. – Frank Boyd Jan 24 '13 at 14:11
  • Is the server logging the 2501/2502 events? – Greg Askew Jan 24 '13 at 14:16
  • Just checked a random sample of about 20 old records. All have the "Update associated pointer (PTR) record" and the "Delete this record when it becomes stale" options checked. All the records also have TTLs of 20 minutes. A review of the DNS, System and Application event logs does not show any 2501/2502 events. I'll dig through the article you linked. Thanks – Frank Boyd Jan 24 '13 at 14:22
  • 1
    OK, great article link. I hope I'm on the way to a happier DNS world. I thought I had enabled all the required scavenging settings, but I had missed the option on the 'Advanced' tab of the server properties. Now that that is enabled, I'll need to wait until next week to see if anything changes. Thanks for your help Greg. – Frank Boyd Jan 24 '13 at 14:51
  • Well, after checking all four DCs and verifying all the required settings listed in the article were in place, I forced a scavenge on each DC. The event log entry on the first DC says only four records were removed and the other three say zero removed. Guess I'll chill until next week to see if anything changes. Was hoping all entries with timestamps from last December or earlier would have disappeared. – Frank Boyd Jan 24 '13 at 21:41
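The checks the answer and its comments walk through, as an added PowerShell example that is not part of the original answer: the server-level scavenging switch the asker had missed (the "Enable automatic scavenging of stale records" box on the Advanced tab is `ScavengingState`), the per-zone aging state including `AvailForScavengeTime`, which is set when aging is enabled on a zone and must have passed before the server will purge anything from it (so a zone that was only just fixed removes little or nothing on the first forced run), the 2501/2502 events that prove a cycle ran, and an optional forced cycle. It assumes the DnsServer module (Windows Server 2012 or later, or RSAT) and the placeholder server name `dc1.corp.example`.

```powershell
# Added example, not from the original answer. Requires the DnsServer module
# (Windows Server 2012+ or RSAT). The server name is a placeholder.
$DnsServer = 'dc1.corp.example'

# 1. Server level. ScavengingState is the Advanced-tab checkbox; ScavengingInterval
#    is how often a cycle runs (0 = disabled); LastScavengeTime stays empty until
#    a cycle has actually completed on this server.
$srv = Get-DnsServerScavenging -ComputerName $DnsServer
$srv | Format-List ScavengingState, ScavengingInterval, NoRefreshInterval, RefreshInterval, LastScavengeTime

if (-not $srv.ScavengingState -or $srv.ScavengingInterval -eq [TimeSpan]::Zero) {
    Write-Warning "$DnsServer will never scavenge: automatic scavenging is off at the server level."
    # Enable on this server only, with a 7-day cycle. Do this on one DC per
    # AD-integrated zone, not on all of them; the zones replicate the deletions.
    # Set-DnsServerScavenging -ComputerName $DnsServer -ScavengingState $true -ScavengingInterval 7.00:00:00
}

# 2. Zone level. A zone is scavenged by this server only if AgingEnabled is true,
#    ScavengeServers is empty or includes this server, and AvailForScavengeTime
#    has already passed.
$now = Get-Date
Get-DnsServerZone -ComputerName $DnsServer |
    Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated } |
    ForEach-Object { Get-DnsServerZoneAging -ComputerName $DnsServer -Name $_.ZoneName } |
    Select-Object ZoneName, AgingEnabled, AvailForScavengeTime,
        @{ n = 'ScavengeServers'; e = { $_.ScavengeServers -join ',' } },
        @{ n = 'ScavengeableNow'; e = { $_.AgingEnabled -and $_.AvailForScavengeTime -le $now } } |
    Format-Table -AutoSize

# 3. Evidence that cycles run: events 2501 and 2502 in the DNS Server log are a
#    completed scavenging cycle, with and without records removed.
$events = Get-WinEvent -ComputerName $DnsServer -MaxEvents 20 -ErrorAction SilentlyContinue `
    -FilterHashtable @{ LogName = 'DNS Server'; Id = 2501, 2502 }
if (-not $events) {
    Write-Warning "No 2501/2502 events on $DnsServer within the retained log: no scavenging cycle has completed."
} else {
    $events | Select-Object TimeCreated, Id, Message | Format-Table -Wrap
}

# 4. Optionally start a cycle now instead of waiting for ScavengingInterval, then
#    re-check step 3. Stale records are removed only in zones where step 2
#    reported ScavengeableNow = True.
# Start-DnsServerScavenging -ComputerName $DnsServer -Force
```

Run it on each DC that hosts the zones; with AD-integrated zones only the servers listed in `ScavengeServers` (or all of them, when the list is empty) will ever scavenge, and a forced run on a server where `ScavengeableNow` is false for a zone is expected to remove nothing from that zone.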