How to Restrict DNS Zone Scavenging When Hosting Multiple Zones on Multiple Servers


Dougga here – PFE (or “poofy” as one of my customers likes to call us). The DNS scavenging topic never dies – bear with me and I will reveal a not so obvious configuration to control which servers can scavenge a zone.

Let’s go with a simple multi-domain forest named Contoso.com that has 3 child domains, with AD-integrated DNS configured to replicate as shown in the table below, and try not to have more than 1 or 2 scavenging servers per DNS zone.


Domain               DNS                           Scavenging server
Contoso.com          Domain replicated in contoso  ContosoDC1
_msdcs.contoso.com   Forest replicated             ContosoDC1
Child1.contoso.com   Domain replicated in child1   Child1DC1
Child2.contoso.com   Domain replicated in child2   Child2DC1
Child3.contoso.com   Domain replicated in child3   Child3DC1

In this example, each child zone has a scavenging server, and since the _msdcs.contoso.com zone is replicated forest wide, that zone will have a total of 4 scavenging servers. This breaks the goal of only 1 or 2 scavenging servers per zone. If you have more domains, or DNS zones stored in custom DNS application partitions, this only gets worse.

In a complex environment, you may not be able to prevent over-scavenging by just using the GUI. By now you hopefully have read other posts on scavenging covering the basics, and if you haven’t, take a few minutes to review them. I am going to cover a setting that is not exposed in the GUI and gives us a way to solve the problem.

How to configure the setting

This is a zone setting (so it is replicated with the zone) that is configured using DNSCMD or PowerShell.

DNSCMD <Server> /ZoneResetScavengeServers <DNS zone> <IP address(es)>
Set-DnsServerZoneAging <DNS zone> -ScavengingServers <IP address(es)>

The normal configuration of setting up zone aging and choosing a scavenging server still must be done (see the posts referenced above). By default, any DNS server hosting the zone can scavenge it if scavenging is enabled in the properties of that DNS server in the DNS management console. So, let’s start digging in to how this works.

In this case I am showing you how to prevent the child domain controllers/DNS servers from scavenging _msdcs.contoso.com.

What does the default look like?

To see what is currently configured, use DNSCMD or PowerShell. I will be showing both DNSCMD and the equivalent PowerShell 4.0 commands.

DNSCMD /zoneinfo _msdcs.contoso.com
Get-DnsServerZoneAging _msdcs.contoso.com

<DNSCMD>

C:\> dnscmd /zoneinfo _msdcs.contoso.com

Zone query result:

Zone info:
ptr = 000000F9FE14D110
zone name = _msdcs.contoso.com
zone type = 1
shutdown = 0
paused = 0
update = 2
DS integrated = 1
read only zone = 0
in DS loading queue = 0
currently DS loading = 0
data file = (null)
using WINS = 0
using Nbstat = 0
aging = 1
refresh interval = 168
no refresh = 168
scavenge available = 3629660
Zone Masters NULL IP Array.
Zone Secondaries NULL IP Array.
secure secs = 3
directory partition = AD-Forest flags 00000019
zone DN = DC=_msdcs.contoso.com,cn=MicrosoftDNS,DC=ForestDnsZones,DC=contoso,DC=com
Command completed successfully.

<END OF DNSCMD OUTPUT>

<POWERSHELL>

C:\> Get-DnsServerZoneAging _msdcs.contoso.com

ZoneName : _msdcs.contoso.com
AgingEnabled : True
AvailForScavengeTime : 1/21/2015 8:00:00 AM
RefreshInterval : 7.00:00:00
NoRefreshInterval : 7.00:00:00
ScavengeServers :

<END OF POWERSHELL OUTPUT>

Making the change – what it looks like if it is restricted

In my example the IP address of ContosoDC1 is 192.168.2.52.

You can restrict which servers are allowed to scavenge by using DNSCMD or PowerShell.

DNSCMD /ZoneResetScavengeServers _msdcs.contoso.com 192.168.2.52
Set-DnsServerZoneAging _msdcs.contoso.com -ScavengingServers 192.168.2.52

C:\> dnscmd /zoneinfo _msdcs.contoso.com

Zone query result:

Zone info:
ptr = 000000FAC8E2D100
zone name = _msdcs.contoso.com
zone type = 1
shutdown = 0
paused = 0
update = 2
DS integrated = 1
read only zone = 0
in DS loading queue = 0
currently DS loading = 0
data file = (null)
using WINS = 0
using Nbstat = 0
aging = 1
refresh interval = 168
no refresh = 168
scavenge available = 3629660
Zone Masters NULL IP Array.
Zone Secondaries NULL IP Array.
secure secs = 3
directory partition = AD-Forest flags 00000019
zone DN = DC=_msdcs.contoso.com,cn=MicrosoftDNS,DC=ForestDnsZones,DC=contoso,DC=com

Scavenge Servers
Ptr = 000000FAC8E2EAF0
MaxCount = 1
AddrCount = 1
Server[0] => af=2, salen=16, [sub=0, flag=00000000] p=0, addr=192.168.2.52

Command completed successfully.

<END OF DNSCMD OUTPUT>

<POWERSHELL>

C:\> Get-DnsServerZoneAging _msdcs.contoso.com

ZoneName : _msdcs.contoso.com
AgingEnabled : True
AvailForScavengeTime : 1/21/2015 8:00:00 AM
RefreshInterval : 7.00:00:00
NoRefreshInterval : 7.00:00:00
ScavengeServers : 192.168.2.52

<END OF POWERSHELL OUTPUT>

Resetting to Default – if no IP addresses are defined, any DNS server can scavenge

To reset to the default and allow any server to scavenge, the IP address(es) need to be removed. This can be done with DNSCMD or PowerShell.

DNSCMD /ZoneResetScavengeServers _msdcs.contoso.com
Set-DnsServerZoneAging _msdcs.contoso.com -ScavengingServers $NULL

What does scavenging look like when this is configured correctly?

When a DNS server attempts to scavenge, because you triggered it or because it is scheduled, event ID 2502 is logged. For scavenging to actually delete stale DNS records, all of these conditions need to be met:

1) Scavenging is enabled in the server properties of the DNS server.

AND

2) The zone is configured to age records.

AND

3) Records in the zone are stale (older than the no-refresh and refresh intervals combined).

AND

4) Non-GUI configuration (the zone’s scavenging server list):

a. By default, all zones are configured to allow every DNS server hosting the zone to scavenge.

OR

b. If IP addresses are configured on the zone, only a server whose IP address matches one of them can perform the scavenging (remember this is not visible in the GUI).
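The following script is an added example, not part of the original post or a Microsoft tool. It audits the four conditions above for one DNS server: server-level scavenging (Get-DnsServerScavenging), zone aging and the hidden ScavengeServers list (Get-DnsServerZoneAging), a count of records older than no-refresh plus refresh (Get-DnsServerResourceRecord), and whether one of the server’s own addresses (AllIPAddress from Get-DnsServerSetting) is in that list. The function name, parameter names and the DC names in the usage line are made up for this example; it assumes the DnsServer RSAT module and administrative rights on the target servers.

```powershell
#Requires -Modules DnsServer
# Added example (not from the original post): report whether a DNS server is
# actually able to scavenge a zone, including the ScavengeServers list that the
# DNS console never shows. Function/parameter names are made up for this example.

function Test-DnsZoneScavengingAuthority {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $ComputerName,   # DNS server to audit
        [string[]]                        $ZoneName        # default: all primary zones
    )

    # Condition 1: scavenging enabled in the server properties (Advanced tab).
    $srv = Get-DnsServerScavenging -ComputerName $ComputerName
    $serverScavenges = [bool]$srv.ScavengingState -and
                       ($srv.ScavengingInterval -gt [TimeSpan]::Zero)

    # Addresses this server listens on; compared against the zone's list below.
    $serverIPs = @((Get-DnsServerSetting -ComputerName $ComputerName).AllIPAddress |
                   ForEach-Object { "$_" })

    if (-not $ZoneName) {
        $ZoneName = Get-DnsServerZone -ComputerName $ComputerName |
                    Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated } |
                    Select-Object -ExpandProperty ZoneName
    }

    foreach ($zone in $ZoneName) {
        # Conditions 2 and 4: zone aging state and the non-GUI ScavengeServers list.
        $aging   = Get-DnsServerZoneAging -Name $zone -ComputerName $ComputerName
        $allowed = @($aging.ScavengeServers | ForEach-Object { "$_" })
        $thisServerAllowed = ($allowed.Count -eq 0) -or
                             (@($allowed | Where-Object { $serverIPs -contains $_ }).Count -gt 0)
        $allowedText = if ($allowed.Count) { $allowed -join ', ' } else { '<any>' }

        # Condition 3: records whose timestamp is older than NoRefresh + Refresh.
        # Static records have no timestamp and never age.
        $cutoff = (Get-Date) - ($aging.NoRefreshInterval + $aging.RefreshInterval)
        $stale  = @(Get-DnsServerResourceRecord -ZoneName $zone -ComputerName $ComputerName |
                    Where-Object { $_.Timestamp -and $_.Timestamp -lt $cutoff }).Count

        [pscustomobject]@{
            Server                  = $ComputerName
            Zone                    = $zone
            ServerScavengingEnabled = $serverScavenges
            ZoneAgingEnabled        = [bool]$aging.AgingEnabled
            ScavengeServers         = $allowedText
            ThisServerAllowed       = $thisServerAllowed
            StaleRecords            = $stale
            WouldScavenge           = $serverScavenges -and [bool]$aging.AgingEnabled -and
                                      $thisServerAllowed -and ($stale -gt 0)
        }
    }
}

# Usage: check the _msdcs zone on the four DCs from the table above. After the
# restriction, only ContosoDC1 should report ThisServerAllowed = True.
'ContosoDC1', 'Child1DC1', 'Child2DC1', 'Child3DC1' |
    ForEach-Object { Test-DnsZoneScavengingAuthority -ComputerName $_ -ZoneName '_msdcs.contoso.com' } |
    Format-Table -AutoSize
```

WouldScavenge is a point-in-time answer: the server still has to reach its next scheduled scavenging run (the ScavengingInterval from Get-DnsServerScavenging) and the zone’s AvailForScavengeTime before anything is deleted, and enumerating every record in a large zone for the stale count can take a while. Running this against each DC that hosts a forest-replicated zone is a quick way to catch the silent failure described under Risks below, where a server that is supposed to scavenge is no longer in the zone’s list.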

When this should be used

Use this setting to keep a particular zone from being over-scavenged when it is a forest-replicated zone hosted on multiple DNS servers that also host other DNS zones that are not forest replicated.

When this should NOT be used

This should not be used in environments that do not need to minimize the number of scavenging servers. A perfect example is a single domain with a single DNS namespace. Another example would be an environment in which all DNS zones are replicated in the same scope, such as all forest-replicated zones.

Risks

Be careful to understand this configuration because it can get confusing. If an administrator looks only at the GUI configuration, they may be confused about why it is not scavenging. This has been the issue in several cases I was involved with helping.

Nothing in the GUI indicates that this is configured, so it is very easily missed and likely not known.

If scavenging is moved to a different server, or the IP address of the scavenging server changes, scavenging will quietly stop doing its job. This will drive you crazy because everything will look fine.

Dougga “You know how to pronounce it” Gabbard