On a regular basis, top Microsoft executives answer readers' toughest technical questions about Windows-based systems. This installment of "Ask Microsoft" was answered by Brian Puhl, Microsoft IT Senior System Engineer.
To submit a technical question for consideration, send an email to
Question: We currently have Active Directory with a mix of Windows 2000 Server and Windows Server 2003; along with support for quite a few legacy NT 4.0 servers. We're using Microsoft DDNS. The problem with Dynamic DNS in our environment is it was not set up properly in the beginning and now it's a mess. I have looked into turning on Scavenging to clean it up, but I fear that could make a bigger mess.
Clients are all set for DHCP and usually DNS updates are automatic. The issue is with the servers. We have about 200 servers, and they all have static IP addresses, but not all servers are set to automatic DNS updates. With Scavenging I couldn't see any way to exclude particular devices -- it's just on or off.
How can I get my DNS environment cleaned up and healthy, in a safe way? Is there a safe way to implement Scavenging, and if so what are the "best practices"? And, finally, what is the best way (going forward) to set up the environment to keep DNS healthy for both clients and servers?
Answer: It's good to hear that you're concerned with the health of your DNS infrastructure. Tight integration between DNS and Active Directory makes a healthy DNS environment critical. Enabling scavenging is a great way to start cleaning up, and since you indicated that all of your clients are DHCP, your job is much easier. In fact, even the 200 servers with static IP addresses still register DNS records by default, so your first concern is to identify the servers which are not registering records themselves, and create static records for them.
To create a list of servers that need static records, you can run a WMI script to check the settings on each server. Try using Scriptomatic (freely available at http://www.microsoft.com/technet/scriptcenter/tools/wmimatic.mspx): check out the Win32_NetworkAdapterConfiguration class (DomainDNSRegistrationEnabled) and Scriptomatic will create the script for you. The one downside to using static records is that scavenging will never touch them, so as your servers change over time, you'll need to manually manage these few records.
With all of your clients and servers either dynamically registering themselves, or statically mapped to records in DNS, you can enable scavenging. There are a few key settings which you'll want to understand:
Scavenging Period – (Server properties/Advanced tab) – This is the interval at which the scavenging job on the server will run. This time is since the last DNS Server Service restart.
No-refresh interval – (Zone Properties/Aging button) – Although clients and servers will attempt to refresh their DNS records every 24 hours, the DNS server will only allow records to be refreshed when they are older than this value.
Refresh interval – (Zone Properties/Aging button) – This is the amount of time, after the No-refresh interval, when a client can refresh its DNS record before it's scavenged.
The best settings depend on your environment. You don't want the scavenging period to be too short, because the scavenging task increases CPU utilization on the server. Seven to 14 days is a good value for this, and the default is seven days, so you'll likely just leave this alone. The no-refresh interval is seven days by default, but is really related to how often you want your clients to update their DNS records. If replication traffic is a concern, you can increase this value to 14 or even 28 days; otherwise the 7 day default is satisfactory for most environments. The refresh interval can generally be considered as "slightly longer than the typical user laptop is off the network." A good rule of thumb is to ask yourself, "How long do people go on vacation?" The default is seven days (five day vacation plus a couple of days?). We must take long vacations at Microsoft, because internally our refresh interval is 17 days.
Putting these three settings together will give you the answer to the important question: "What's the longest time that a stale DNS record will be on my servers?"
Assuming scavenging, no-refresh, and refresh are all set to seven days, then the answer is 21 days. The client will register its record initially, which starts the no-refresh interval. Seven days later, the refresh interval begins, but since the client is no longer on the network the refresh never occurs. When the refresh interval ends (day 14), the next scavenging task that runs will remove this record which in the worst case can be another seven days.
There is one last detail of which you should be aware. Because you don't have scavenging enabled now, if you are not using Active Directory integrated DNS zones, when you enable scavenging the server will not scavenge records that existed before you enabled scavenging. To make sure these records get scavenged, you will need to "age" them once using the DNSCMD.EXE tool. Yet another great reason to AD integrate your DNS zones!
Here is a link to the DNS aging and scavenging documentation from Microsoft.com: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Operations/20fbbd82-0cea-4a74-9634-fdd993f4c4f4.mspx.
I hope this helps you get scavenging enabled and configured for your environment.
-- Brian Puhl, Microsoft IT Senior System Engineer
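The server audit the answer describes, written out as an added PowerShell example (not code from the column or from Microsoft): it queries Win32_NetworkAdapterConfiguration on each server, lists the ones not registering their own records, and prints the dnscmd lines that would create static records for them. The file name servers.txt, the DNS server name and the zone name are assumptions; the script needs WMI/DCOM access and administrative rights on each server.

```powershell
# Hypothetical inputs: one hostname per line, plus the DNS server and zone
# that static records would be created in.
$servers   = Get-Content .\servers.txt
$dnsServer = 'dns01.corp.example.com'
$zone      = 'corp.example.com'

$needStatic = @()
foreach ($server in $servers) {
    try {
        # Only adapters with an IP address can register anything in DNS
        $nics = Get-WmiObject -Class Win32_NetworkAdapterConfiguration `
                -ComputerName $server -Filter "IPEnabled = TRUE" -ErrorAction Stop
    } catch {
        # A server we cannot query is unverified, not "fine": flag it for manual review
        Write-Warning "$server : WMI query failed ($($_.Exception.Message)); check manually"
        continue
    }
    foreach ($nic in $nics) {
        # FullDNSRegistrationEnabled   = registers the computer's full DNS name
        # DomainDNSRegistrationEnabled = also registers under the connection-specific suffix
        if (-not $nic.FullDNSRegistrationEnabled) {
            foreach ($ip in $nic.IPAddress) {
                $needStatic += New-Object PSObject -Property @{
                    Server       = $server
                    Adapter      = $nic.Description
                    IPAddress    = $ip
                    FullDNSReg   = $nic.FullDNSRegistrationEnabled
                    DomainDNSReg = $nic.DomainDNSRegistrationEnabled
                }
            }
        }
    }
}

$needStatic | Format-Table Server, Adapter, IPAddress, FullDNSReg, DomainDNSReg -AutoSize

# Emit the commands an administrator would review and run; records added this way
# are static, so (as the answer notes) scavenging will never remove them.
foreach ($entry in $needStatic) {
    $host = ($entry.Server -split '\.')[0]
    "dnscmd $dnsServer /RecordAdd $zone $host A $($entry.IPAddress)"
}
```

Keep the output of the audit alongside the static records you create; it is the list you will have to revisit by hand whenever one of those servers changes address.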