Mailbag: How Often Does the DNS Server Service Check AD for New or Modified Data?

___________________________________________________________________________________________________________________________

IMPORTANT ANNOUNCEMENT FOR OUR READERS!

AskPFEPlat is in the process of a transformation to the new Core Infrastructure and Security TechCommunity, and will be moving by the end of March 2019 to our new home at https://aka.ms/CISTechComm (hosted at https://techcommunity.microsoft.com). Please bear with us while we are still under construction!

We will continue bringing you the same great content, from the same great contributors, on our new platform. Until then, you can access our new content on either https://aka.ms/askpfeplat as you do today, or at our new site https://aka.ms/CISTechComm. Please feel free to update your bookmarks accordingly!

Why are we doing this? Simple really; we are looking to expand our team internally in order to provide you even more great content, as well as take on a more proactive role in the future with our readers (more to come on that later)! Since our team encompasses many more roles than Premier Field Engineers these days, we felt it was also time we reflected that initial expansion.

If you have never visited the TechCommunity site, it can be found at https://techcommunity.microsoft.com. On the TechCommunity site, you will find numerous technical communities across many topics, which include discussion areas, along with blog content.

NOTE: In addition to the AskPFEPlat-to-Core Infrastructure and Security transformation, Premier Field Engineers from all technology areas will be working together to expand the TechCommunity site even further, joining together in the technology agnostic Premier Field Engineering TechCommunity (along with Core Infrastructure and Security), which can be found at https://aka.ms/PFETechComm!

As always, thank you for continuing to read the Core Infrastructure and Security (AskPFEPlat) blog, and we look forward to providing you more great content well into the future!

__________________________________________________________________________________________________________________________

Here’s an interesting question that came to us from one of the readers. If you have a question for us, don’t forget that you can contact us using the Contact tile just to the right of this article when viewed from our TechNet blog.

Question:

With an AD-Integrated zone, when a record is added or updated in DNS on one server, how much time is needed for the DNS server service to find this record and load it (assuming that the other DC/DNS server is in the same site and DS replication is working fine)?

This is a great question that often confounds us and we see some people hitting the “Refresh” button every so often and others choosing to close/reopen the DNS MMC, while many others resort to restarting the DNS Server service. What is the correct method?

So here’s a little flow-chart that shows the “workflow” as a new DNS record is updated on a DNS server in an AD-Integrated zone:

[Flow chart: workflow as a new DNS record is updated on a DNS server in an AD-Integrated zone; image not recoverable from the page]

So if all DNS servers are in the same site and AD replication is working fine, the short answer to this question is 180 seconds, or 3 minutes, since that’s how often the DNS Server service polls Active Directory for changes in Active Directory integrated zones.

And your next question may be: How do I control this behavior? What if I want to reduce it to 2 minutes?

This setting is stored in the registry as “DsPollingInterval” under the subkey HKLM\System\CCS\Services\DNS\Parameters.

Before you open regedit, let me show you an easier way to query (or change) this setting, by using dnscmd in an Administrator cmd prompt window:

dnscmd /info /dspollinginterval – shows you the current setting, and

dnscmd /config /dspollinginterval 120 – changes it to 120 seconds.

Although the range of this setting is 0-3600, if the DNS server is running Windows Server 2008 or above, setting a value of 0 for dspollinginterval will result in the default interval of 180 seconds being configured, and values of 1-29 are not allowed, as mentioned in this TechNet article.

While we are talking about dnscmd, I should mention that if you use dnscmd on Windows Server 2012, you may see this message:

In future versions of Windows, Microsoft might remove dnscmd.exe.
If you currently use dnscmd.exe to configure and manage DNS Server,
Microsoft recommends that you transition to Windows PowerShell.

So you should start using PowerShell for these tasks. Here’s the equivalent command in PowerShell 3.0:

Get-DnsServerDsSetting

The first setting returned is “PollingInterval(s)”. To change it to, say, 120 seconds:

Set-DnsServerDsSetting -PollingInterval 120

And one last thing: this is a per server setting.

So if you are thinking “this is great information, but I have a LARGE number of DNS servers; how about some automation to make it easy to change this setting on all of them?”, no problem. There are many ways to automate this change; let’s look at two of them. The first one is our good ol’ FOR command. Something like this at an Administrator cmd prompt:

for /F %A in (dnsservers.txt) do dnscmd %A /config /dspollinginterval 120

Where dnsservers.txt contains the list of DNS servers.

And for our second example, I have TWO different ways to do this in PowerShell:

First method: Using the dnsservers.txt file that has a list of all DNS servers that need to be modified (each server name is passed as -ComputerName; without it, the cmdlet would change the local server once per line in the file):

Get-Content .\dnsservers.txt | ForEach-Object { Set-DnsServerDsSetting -ComputerName $_ -PollingInterval 120 }

Second method: If all your domain controllers are DNS servers, this one will modify the setting on all of them (Get-ADDomainController needs -Filter *, otherwise it returns only the single DC your session is connected to):

Get-ADDomainController -Filter * | ForEach-Object { Set-DnsServerDsSetting -ComputerName $_.HostName -PollingInterval 120 }
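Because the polling interval is a per-server setting with a documented valid range (0 or 30-3600), a bulk change is safer when it first audits what each DC currently has and refuses values the service would reject. The script below is an added example written for this post, not code from the original article or from Microsoft; it assumes the DnsServer and ActiveDirectory modules are installed, that the caller has DNS administration rights on each DC, and that the object returned by Get-DnsServerDsSetting exposes the value as a PollingInterval property. The function and parameter names (Test-DsPollingIntervalValue, Invoke-DsPollingIntervalAudit, -Desired, -Apply) are hypothetical.

```powershell
# Added example (not from the original post): audit DsPollingInterval on every
# domain controller, validate a proposed value against the range described
# above, and change it only when -Apply is given (with -WhatIf support).
# Assumes the DnsServer and ActiveDirectory modules are available.

function Test-DsPollingIntervalValue {
    param([int]$Seconds)
    # Documented range is 0-3600; 0 means "use the 180 s default" and 1-29 is rejected.
    if ($Seconds -lt 0 -or $Seconds -gt 3600) { return $false }
    if ($Seconds -ge 1 -and $Seconds -le 29) { return $false }
    return $true
}

function Invoke-DsPollingIntervalAudit {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [int]$Desired = 180,   # value to compare against / apply
        [switch]$Apply         # without this the function only reports
    )

    if (-not (Test-DsPollingIntervalValue $Desired)) {
        throw "PollingInterval $Desired is outside the supported range (0 or 30-3600)."
    }
    # A configured 0 is reported by the service as the 180 s default.
    $effective = if ($Desired -eq 0) { 180 } else { $Desired }

    # Get-ADDomainController with no filter returns only one DC; -Filter * returns all of them.
    foreach ($dc in Get-ADDomainController -Filter *) {
        $name = $dc.HostName
        try {
            # PollingInterval property name is an assumption based on the cmdlet's output.
            $current = (Get-DnsServerDsSetting -ComputerName $name -ErrorAction Stop).PollingInterval
        } catch {
            # Typically a DC without the DNS Server role, or no RPC/WinRM reachability.
            Write-Warning "$name : could not read DS settings ($($_.Exception.Message))"
            continue
        }

        $drift = ($current -ne $effective)
        # Emit one report row per server so the result can be piped to Format-Table or Export-Csv.
        [pscustomobject]@{ Server = $name; Current = $current; Desired = $effective; Drift = $drift }

        if ($drift -and $Apply -and $PSCmdlet.ShouldProcess($name, "Set PollingInterval to $Desired")) {
            Set-DnsServerDsSetting -ComputerName $name -PollingInterval $Desired
        }
    }
}

# Report only (no changes):
#   Invoke-DsPollingIntervalAudit -Desired 120 | Format-Table
# Preview, then apply:
#   Invoke-DsPollingIntervalAudit -Desired 120 -Apply -WhatIf
#   Invoke-DsPollingIntervalAudit -Desired 120 -Apply
```

Running the report form first gives you a per-server view of where the value has drifted from what you expect, which is also a useful check after replication or a DC rebuild; the -Apply switch combined with -WhatIf lets you confirm exactly which servers would be touched before anything changes.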

Until next time!

Rakesh Chanana