3

About 9 months ago I became sys admin over Active Directory for a company. Today someone submitted a ticket pointing out that our DNS had a stale entry for an authoritative server. My investigation found that in 2012 a branch office had been closed and the domain controller in that office had been decommissioned without running dcpromo and removing the DNS role. I also found about a dozen and a half other static DNS entries from the same subnet that office ran on, which subnet is no longer used by the company.

This isn't the first time I've encountered static DNS entries that are years out of date. Most of these belong to our engineering unit, who will stand up a server in their lab, request us to add it to DNS, then kill the server and never tell IT about it. The majority of these are lab servers that are never joined to our AD domain, so I can't check DNS against computer accounts in AD.

How can I isolate and remove all of these stale static entries?

We're running Active Directory at a 2008r2 functional level. All of our DCs are 2008r2.

Daniel
Thomas

1 Answer

3

In order for scavenging to work, each record must have a timestamp. The dnscmd.exe /ageallrecords command establishes that timestamp. For actual live systems this merely means that the timestamp will be updated upon running the command and then at the next refresh interval (7 days or at startup). For all stale records this means that a valid timestamp is established, which then allows those stale records to be scavenged at the next scavenge interval.

So, assuming that you're going to enable scavenging on the DNS servers and the DNS zones, you can use dnscmd.exe /ageallrecords to set the current timestamp on all records. For all Windows systems that actually still exist they'll update their record every 7 days or at startup and therefore shouldn't be scavenged at the next scavenging interval. For all stale records for hosts that no longer exist, they should be scavenged at the next scavenging interval.

joeqwerty
  • http://blogs.technet.com/b/networking/archive/2008/03/19/don-t-be-afraid-of-dns-scavenging-just-be-patient.aspx "DNScmd.exe with the /ageallrecords switch... If you actually run this command against a zone it will truly set scavenging and a timestamp on all records in the zone *including static records that you never want to be scavenged*. Because of the time it takes scavenging to do its thing people find this command and get tempted to give it a try. Do not. It will delete stuff. Have patience instead." – Thomas Apr 02 '15 at 15:12
  • Even if all of our Windows servers with static IPs will dynamically update DNS, many of the engineering systems are *nix, which may not. I know SUSE is commonly used and it does not natively support DDNS updates. I can't risk deleting static records that are still in use. – Thomas Apr 02 '15 at 15:16
  • The passage you highlighted is the caveat. You either scavenge stale records or you don't. Unfortunately you can't have your cake and eat it too. – joeqwerty Apr 02 '15 at 16:05
  • We already have scavenging enabled at an interval of 21 days. This works great for stale dynamic records. There has to be a way to clean up static records without aging all of them indiscriminately. – Thomas Apr 02 '15 at 16:31
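Since the question asks how to isolate stale static records without aging every record in the zone, here is an added PowerShell example (not from the question, the answer or the comments) that lists the A records with no aging timestamp, flags the ones in the retired office subnet, gathers cheap liveness signals, and writes a review CSV instead of deleting anything. It assumes the DnsServer module (Windows Server 2012 or later RSAT) and a DNS server that answers its queries; the server name, zone name and subnet prefix are placeholders.

```powershell
# Added example, not code from the original post. Assumes the DnsServer module
# and a reachable DNS server; all three values below are placeholders.
param(
    [string]$DnsServer     = 'dc01.corp.example',   # placeholder DNS server
    [string]$ZoneName      = 'corp.example',        # placeholder forward zone
    [string]$RetiredPrefix = '10.42.7.'             # constructed: subnet of the closed office
)

# Static records carry no aging timestamp, so Timestamp is $null; dynamic ones have one.
# Filtering on that property isolates exactly the records /ageallrecords would stamp.
$static = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ZoneName -RRType A |
    Where-Object { $null -eq $_.Timestamp -and $_.HostName -ne '@' }

$report = foreach ($rr in $static) {
    $ip = $rr.RecordData.IPv4Address.IPAddressToString

    # Liveness hints only: ICMP may be blocked and a *nix lab box may lack a PTR,
    # so neither signal proves a host is gone. They rank records for human review.
    $pingOk = Test-Connection -ComputerName $ip -Count 1 -Quiet -ErrorAction SilentlyContinue
    $ptr    = try { [System.Net.Dns]::GetHostEntry($ip).HostName } catch { $null }

    if ($ip.StartsWith($RetiredPrefix)) {
        $verdict = 'retired subnet: remove after owner sign-off'
    } elseif (-not $pingOk -and -not $ptr) {
        $verdict = 'unreachable and no PTR: confirm with owner'
    } else {
        $verdict = 'keep'
    }

    [pscustomobject]@{
        Name          = $rr.HostName
        IPAddress     = $ip
        RetiredSubnet = $ip.StartsWith($RetiredPrefix)
        Pingable      = [bool]$pingOk
        ReverseName   = $ptr
        Verdict       = $verdict
    }
}

$report | Sort-Object Verdict, Name | Format-Table -AutoSize
$report | Export-Csv -Path ".\static-dns-review-$ZoneName.csv" -NoTypeInformation

# Deletion stays a separate, reviewed step; for one approved row $row it would be:
#   Remove-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ZoneName `
#       -RRType A -Name $row.Name -RecordData $row.IPAddress -Confirm
```

Running the report periodically, rather than once, also catches the engineering lab servers that are registered statically and then torn down without telling IT.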