DNS Scavenging troubleshooting

DNS scavenging is a wonderful answer to the clean-up problems that clients and dynamic updates cause during the working day. There is no need to say much about the feature itself; it is common and well understood by every IT person. In this article I explain what the scavenging mechanism is and share a very interesting problem I experienced with it.

I have about seven DCs, all of them based on Windows Server 2008 R2, and one item on my project list is to migrate them to Windows Server 2016R2.

So I initiated the demotion process and migrated the main DC from Windows Server 2008 R2 to Windows Server 2016 successfully!

After several days I noticed that many clients had trust relationship issues and users weren't able to log in to their own computers with their credentials.

I started with basic troubleshooting and noticed that the computers were registered several times in DNS, which meant that scavenging wasn't working! It was probably my fault: the DC that was migrated to Windows Server 2016 was the one responsible for scavenging, and the rest of the DCs were waiting for it to act.

Note:
Before migrating a DC, check whether it also holds the scavenging responsibility. The main problem was that I didn't realise why a specific server had been designated for scavenging; I was pretty sure the previous system administrator hadn't changed the default settings and had just enabled scavenging without designating a particular DC with DNSCMD.

Let's talk a little about the aging and scavenging terminology:

No-refresh interval vs refresh interval:

No-refresh interval: bounded by two events. The first is the date and time when the record was last refreshed and its timestamp set; the second is the date and time when the record next becomes eligible to be refreshed and have its timestamp reset.

Refresh interval: also bounded by two events. The first is the earliest date and time when the record becomes eligible to be refreshed and have its timestamp reset; the second is the date and time when the record next becomes eligible to be refreshed and have its timestamp reset.

I hope you are not getting tangled up in this description; let me explain it in another, more down-to-earth way:

As soon as a computer boots up it updates the DNS servers, which means that if you have 1000 computers you have thousands of updates per day, right? And as we can guess, an environment with 1000 clients has at least 5 to 10 domain controllers, am I right? That means the thousands of updates have to be replicated to all our DCs as well, right? Conclusion: imagine how much network traffic this can consume. What is the point of removing a record that is still needed, or of updating DNS again every day with the same record information? So what is the solution? The no-refresh interval and the refresh interval: with these settings we reduce DNS replication traffic and, most importantly, we don't delete records that are still needed.

No-refresh interval: during this time the timestamp is not updated (7 days by default), although IP address and service changes are still allowed. Because we have a merciful heart we let records linger on our DNS server for 7 days. Afterwards DNS calls in the smashing heart, the refresh interval: during this interval any record can be updated and its timestamp refreshed. This is the second chance; after these 14-15 days a record that is no longer used will be deleted.

Let's get to the action items: how should we solve it?

First, get the full aging information for the zone (xxxxx is the zone name):

DNSCMD /ZoneInfo xxxxx

or you can use the Get-DnsServerZoneAging PowerShell cmdlet as well.

So, I should have removed the old server with one of the following commands, which reset the zone's scavenging server list (xxxxx is the zone name; the PowerShell parameter is -ScavengeServers):

DNSCmd /ZoneResetScavengeServers xxxxx

Set-DnsServerZoneAging -Name xxxxx -ScavengeServers $null

Then enable scavenging on the zone that should be scavenged. The defaults for these settings (refresh and no-refresh intervals) are 7 and 7 days; I reduced them to 2 and 2 just to get an immediate effect and later restored the default settings (7 and 7).

By the way, static records are not scavenged by default; you can allow it.

In order to designate specific servers for the scavenging process you have to use DNSCMD, with the following command:

DNSCmd /ZoneResetScavengeServers contoso.com 10.10.40.2 10.10.40.3
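The steps above (inspect the zone's aging settings, clear the scavenging server list, re-enable aging with shortened intervals and designate the surviving DCs) as one PowerShell script. This is an added example, not code from the original post; it assumes the zone name contoso.com and the IP addresses used above, and the choice of which DC is being demoted is a placeholder.

```powershell
# Added example: audit and repair zone scavenging before/after demoting a DC.
# Assumptions: zone contoso.com, 10.10.40.2 is the DC being demoted (placeholder),
# 10.10.40.2 and 10.10.40.3 are the DCs that should scavenge afterwards.
$ZoneName   = 'contoso.com'
$OldDc      = '10.10.40.2'
$NewServers = '10.10.40.2', '10.10.40.3'

# 1. Zone level: which servers may scavenge this zone? An empty list means that
#    every DNS server hosting the zone may scavenge it.
$aging = Get-DnsServerZoneAging -Name $ZoneName
$aging | Format-List ZoneName, AgingEnabled, NoRefreshInterval, RefreshInterval,
                     ScavengeServers, AvailForScavengeTime

$designated = @($aging.ScavengeServers | ForEach-Object { $_.IPAddressToString })
if ($designated -contains $OldDc) {
    Write-Warning "$OldDc is a designated scavenging server for $ZoneName; demoting it stops scavenging of this zone."
}

# 2. Server level: is scavenging switched on at all, and when did it last run?
Get-DnsServerScavenging | Format-List ScavengingState, ScavengingInterval, LastScavengeTime

# 3. Clear the zone's scavenging server list (same effect as
#    "dnscmd /ZoneResetScavengeServers contoso.com" with no addresses) ...
Set-DnsServerZoneAging -Name $ZoneName -ScavengeServers $null

# ... then enable aging, point the zone at the surviving DCs and shorten both
#     intervals to 2 days for a quick effect (defaults are 7 and 7).
Set-DnsServerZoneAging -Name $ZoneName -Aging $true -ScavengeServers $NewServers `
    -NoRefreshInterval (New-TimeSpan -Days 2) -RefreshInterval (New-TimeSpan -Days 2) -PassThru

# 4. Make sure the DNS server itself runs the scavenging pass (default: every 7 days).
Set-DnsServerScavenging -ScavengingState $true -ScavengingInterval (New-TimeSpan -Days 7)

# Once the stale records are gone, restore the zone defaults:
# Set-DnsServerZoneAging -Name $ZoneName -NoRefreshInterval (New-TimeSpan -Days 7) -RefreshInterval (New-TimeSpan -Days 7)
```

Run it on a DNS server that hosts the zone, with an account that administers DNS. Step 1 is the check the note above asks for: if the DC you are about to demote appears in ScavengeServers, no other server will scavenge the zone after the demotion.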

Also, even though you set scavenging to 2-2 days, which works out to 5 days (1 day for the setting to take effect plus 2 days each for the no-refresh and refresh intervals), it may still not work. Don't get worked up; just change the scavenging server to another DC. It already happened to me: I changed the scavenging server to DC01, waited 5 days and it didn't work; I changed it again to DC03 and after 5 days it worked.

A record becomes eligible for scavenging at: Record timestamp + No-refresh interval for zone + Refresh interval for zone
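The eligibility formula above applied to the records of a zone, together with the check that exposed the problem in the first place (hosts registered more than once). This is an added example, not part of the original post; it assumes the zone name contoso.com and that it runs on a DNS server hosting that zone.

```powershell
# Added example: for each dynamic A record, compute the earliest moment it can be
# scavenged (timestamp + no-refresh interval + refresh interval) and list host
# names that appear more than once. Assumes zone contoso.com.
$ZoneName = 'contoso.com'
$aging    = Get-DnsServerZoneAging -Name $ZoneName
$window   = $aging.NoRefreshInterval + $aging.RefreshInterval
$now      = Get-Date

# Static records have no timestamp and are never aged, so they are skipped.
$records = Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType A |
    Where-Object { $_.Timestamp }

$report = foreach ($r in $records) {
    $eligible = $r.Timestamp + $window
    [pscustomobject]@{
        HostName     = $r.HostName
        IPv4Address  = $r.RecordData.IPv4Address
        Timestamp    = $r.Timestamp
        EligibleFrom = $eligible
        Stale        = ($eligible -le $now)   # already eligible; waiting for a scavenging pass
    }
}

# Hosts registered more than once: the symptom of scavenging that is not running.
$report | Group-Object HostName | Where-Object Count -gt 1 |
    ForEach-Object { $_.Group } | Sort-Object HostName, Timestamp | Format-Table -AutoSize

# How many records the next scavenging pass on a working scavenging server should remove.
"Records already eligible for scavenging: $(@($report | Where-Object Stale).Count)"
```

If the stale count stays high and EligibleFrom dates are well in the past, the intervals are not the problem; the scavenging server is not running its pass, which is exactly the situation described above.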

Be patient, don't rush and don't get too stressed; scavenging takes time, but eventually it's worth it.

Even if you don't know what really happens and everything is running properly in your domain, run DNSCMD and be aware of your environment.