DNS is arguably the most important service on any network.
An incorrect setup, errors and old records can significantly affect performance, and because so much depends on it (third party applications such as antivirus and remote support tools, every Windows Server role, the System Center products, and Active Directory itself) it is fairly important to get right.
If DNS fails, everything else will. Trust me, trust all IT Admins: when it goes down, brown trousers are a guarantee.
Some ISPs, Ja.net for one, offer secondary name servers and automatic fail-over for the zones you publish to the internet, so in the event that your own DNS does fail at least you know you have an offsite copy somewhere (see Janet DNS Services).
Is there something wrong with mine?
Now if you work in a single establishment and have performed multiple migrations of your network, I can guarantee (since you are reading this) you have probably looked at your DNS and realised: wait, there are machines in here which haven't existed for years. Why haven't they gone? Scavenging is set.
This applies to new networks as well once they have been running for a couple of years or so. It doesn't take long for a network to get quite dirty.
You gotta love GUI... not. This is why we should all be on Core editions, people! If you are a Doctor Who fan you know the Doctor lies; a GUI lies too.
Yes, you have ticked the box and yes, you've specified the number of days before a record is scavenged, but have you also noticed that when you scavenge manually the old records still stay there? Now isn't that just weird.
Is there something wrong with your DNS? Well no, because your network is working, but yes, because it isn't working as well as it could be.
Lets Tidy Up.
Active Directory Domain Services
First and foremost, since you are doing all this cleaning, it is worth re-examining your Active Directory first: every stale computer account in AD is a candidate for a stale DNS record, and a clean AD gives you something to check the DNS records against.
At my college, yes, I have an accurate asset register, but there is that part of me thinking: is it possible that this random computer is still being used by someone? Why is it in AD if it isn't?
If unsure, disable the computer account and wait for the phone to ring; enabling it again takes all of 5 seconds to fix the issue. Cleaning up AD makes your life so much easier because when you run through the DNS records you can then say, hand on heart, that machine shouldn't be in there, it doesn't exist anymore.
After a set period of time (48 hours to 2 weeks), if no one has called and all staff, full time and part time, have been in since then, you can delete it properly from Active Directory. I genuinely disabled about 40 machines when I first started here. How else am I going to find out? People are quick to report issues when they can't log in, plus it makes you feel in control; they need to be reminded of this. :)
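The same disable-and-wait routine, scripted so it can be repeated every term. This is an added example, not code from the original post: it assumes the ActiveDirectory RSAT module, an account that may modify computer objects, and a 90 day inactivity threshold (all assumptions, change them to suit). Every destructive call carries -WhatIf so it only reports until you remove it.

```powershell
# Added example (not from the original post). Assumes: ActiveDirectory module,
# rights to modify computer objects, 90 days inactivity as the cut-off.
Import-Module ActiveDirectory

$InactiveDays = 90
$Stamp        = "Disabled $(Get-Date -Format yyyy-MM-dd) pending deletion (inactive $InactiveDays days)"

# Stage 1: computer accounts that have neither logged on nor changed their
# password within the window. Servers are skipped: they may host a service
# nobody interactively logs on to.
$stale = Search-ADAccount -AccountInactive -ComputersOnly -TimeSpan (New-TimeSpan -Days $InactiveDays) |
    Where-Object { $_.Enabled } |
    ForEach-Object { Get-ADComputer -Identity $_.DistinguishedName -Properties LastLogonDate, OperatingSystem, Description } |
    Where-Object { $_.OperatingSystem -notlike '*Server*' }

foreach ($c in $stale) {
    Write-Host ("Disabling {0,-20} last logon {1}" -f $c.Name, $c.LastLogonDate)
    # The description records when and why, so a re-enable is a one-liner and
    # stage 2 can tell our disables apart from ones done for other reasons.
    Set-ADComputer -Identity $c -Description $Stamp -WhatIf      # drop -WhatIf when happy
    Disable-ADAccount -Identity $c -WhatIf
}

# Stage 2, two weeks later: anything still disabled with our stamp, untouched
# since, and nobody has phoned. Remove-ADObject -Recursive is used because a
# computer object can carry child objects (BitLocker recovery info, for example)
# that make Remove-ADComputer refuse.
$deadline = (Get-Date).AddDays(-14)
Get-ADComputer -Filter 'Enabled -eq $false' -Properties Description, whenChanged |
    Where-Object { $_.Description -like 'Disabled * pending deletion*' -and $_.whenChanged -lt $deadline } |
    ForEach-Object {
        Write-Host ("Deleting {0} ({1})" -f $_.Name, $_.Description)
        Remove-ADObject -Identity $_.DistinguishedName -Recursive -Confirm:$false -WhatIf
    }

# Someone phoned? Put it back with the description cleared.
# Enable-ADAccount -Identity 'LAB-PC-07$'; Set-ADComputer -Identity 'LAB-PC-07$' -Description $null
```

Search-ADAccount reads lastLogonTimestamp, which is only replicated every 9 to 14 days, so treat the threshold as approximate and keep it well above that; the disable-then-wait step is what actually proves the machine is gone.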
DNS
Now you can say AD is up to date and accurate, lets start sorting out DNS.
You will need to perform the following actions on every DNS server in your organisation, and don't rely on the settings replicating. The zone-level aging settings (the no-refresh and refresh intervals and the list of scavenging servers) are stored with the zone and do replicate for Active Directory-integrated zones, but the server-level "Enable automatic scavenging of stale records" setting is per server and never replicates. When it comes to settings, just assume nothing replicates and check each server manually; I haven't got time to sit with fingers crossed.
Saying that, there is a point where you just need to wait. Some things cannot be rushed. Trust me on this.
Regardless of whether you use RSAT or log in to your server remotely or directly, you need to open the DNS console (shock).
Add in ALL your DNS servers, so you can do it all from one place.
Right click your first server and choose Set Aging/Scavenging for All Zones.
On the dialog, tick "Scavenge stale resource records" and set the no-refresh and refresh intervals. Best practice is 7 days for each (that is the Microsoft default); for a school I like 5. (I did this on a Monday, so now mine refreshes over the weekend.) When asked, apply the settings to the existing Active Directory-integrated zones as well, otherwise zones that already exist keep their old values.
Press Ok.
Right click the server again and choose Properties.
On the Advanced tab, ensure "Enable automatic scavenging of stale records" is ticked and set the scavenging period to the same number of days you specified above. This setting is how often this server runs a scavenge; the intervals above decide when a record counts as stale.
Press Ok.
Right, open up Forward Lookup Zones, choose your domain, right click and choose Properties.
Click the Aging button on the General tab.
Set the intervals to the same values as before.
*This is not strictly best practice, and in a very large enterprise environment you wouldn't set these times all the same (hence why it isn't set from the top level). In a school with a single forest and single site, hell even a double site, this is not going to cause any problems. At university level maybe you need to plan this out a bit more, but at that level frankly if your technicians and administrators have a bad DNS then what the hell are you doing?
Press OK on the Aging dialog and OK on the Properties dialog.
If you have a second DNS server then repeat the whole process on it.
If you have more than 2 DNS servers, however, do it differently. Leave the zone aging (the no-refresh and refresh intervals) switched on, because a record is only ever timestamped and judged stale if the zone has aging enabled, but turn OFF the server-level "Enable automatic scavenging of stale records" (the Advanced tab setting) on every server except one. In this case it is best to have one server handling all the scavenging, and the command below makes that stick even if someone later ticks the box on another server.
Command Line Stuff
Log in to your primary DNS server.
If you have two DNS servers:
Open CMD as Administrator.
Type in DNSCmd . /ZoneResetScavengeServers [Domain] [DNSServerIP] [SecondDNSServerIP]
e.g. DNSCmd . /ZoneResetScavengeServers contoso.local 192.168.10.10 192.168.10.11
The "." means the local server; you can put a server name there instead to target another one. The IP addresses listed are the only servers allowed to scavenge that zone; running the command with no addresses at all puts it back to the default, where any server hosting the zone may scavenge it.
If you have more than two DNS servers, ensure all servers except your primary have automatic scavenging turned off and type in the same command minus the [SecondDNSServerIP], so:
DNSCmd . /ZoneResetScavengeServers contoso.local 192.168.10.10
What will happen now
New scavenge servers:
Ptr = bunchofnumbers
MaxCount = 2
AddrCount = 2
server[0] => gobbledeegook, addr=192.168.10.10
server[1] => gobbledeegook, addr=192.168.10.11
Reset scavenging servers on zone [domain] successfully.
Command completed successfully.
You will see from the output that the list of scavenging servers for the zone is now set. You might have 2 in the list, or just 1, depending on your setup. Remember this is per zone: repeat it for your reverse lookup zones (and any other zones) that you want scavenged.
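The whole procedure above (server-level scavenging, zone-level aging and the scavenging-server list) can also be done from the DnsServer PowerShell module, which is handy when you have several servers to do and want to verify each one rather than trust replication. This is an added example, not code from the original post. The zone name, server names and addresses (contoso.local, dns01 to dns03 at 192.168.10.10 to .12) are assumptions; swap in your own. It follows the text's rule: two servers, both scavenge; more than two, only the first does.

```powershell
# Added example (not from the original post). Assumes the DnsServer module
# (RSAT on Windows Server 2012 / Windows 8 or later), the server names and
# addresses below, and an AD-integrated zone called contoso.local.
Import-Module DnsServer

$Zone    = 'contoso.local'
$Days    = New-TimeSpan -Days 7                       # 7 per the post, 5 for a school
$Servers = [ordered]@{ 'dns01' = '192.168.10.10'
                       'dns02' = '192.168.10.11'
                       'dns03' = '192.168.10.12' }

# Who may scavenge: everyone if there are at most two, only the first otherwise.
$ScavengeServers = if ($Servers.Count -le 2) { @($Servers.Values) }
                   else                       { @($Servers[0]) }

foreach ($name in $Servers.Keys) {
    $scavenges = $Servers[$name] -in $ScavengeServers
    # Server-level: per server, never replicated, so set it on every one.
    # -ApplyOnAllZones also pushes the intervals into every zone on that server.
    Set-DnsServerScavenging -ComputerName $name -ScavengingState $scavenges `
        -ScavengingInterval $Days -NoRefreshInterval $Days -RefreshInterval $Days -ApplyOnAllZones
}

# Zone-level: stored with the zone, so once is enough for an AD-integrated zone.
# Aging stays on everywhere; -ScavengeServers is the PowerShell equivalent of
# dnscmd /ZoneResetScavengeServers and restricts who may scavenge this zone.
Set-DnsServerZoneAging -ComputerName 'dns01' -Name $Zone -Aging $true `
    -NoRefreshInterval $Days -RefreshInterval $Days -ScavengeServers $ScavengeServers

# Verify on every server instead of assuming it replicated.
foreach ($name in $Servers.Keys) {
    $srv  = Get-DnsServerScavenging -ComputerName $name
    $zone = Get-DnsServerZoneAging  -ComputerName $name -Name $Zone
    [pscustomobject]@{
        Server          = $name
        AutoScavenge    = $srv.ScavengingState
        LastScavenge    = $srv.LastScavengeTime
        ZoneAging       = $zone.AgingEnabled
        ScavengeServers = ($zone.ScavengeServers -join ', ')
        ZoneNextEligible = $zone.AvailForScavengeTime
    }
}
```

AvailForScavengeTime is the earliest point at which the zone itself can be scavenged; if you have just switched aging on it will sit in the future, which is the "waiting game" described next. Start-DnsServerScavenging -ComputerName dns01 -Force kicks off a manual run once that time has passed, but it removes nothing before it.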
The waiting game begins.
Patience
This will take several weeks to finally sort itself out. A dynamic record is only removed once its timestamp is older than the no-refresh interval plus the refresh interval (14 days with the 7 and 7 above), and the timestamp is only updated when the client re-registers. Machines that registered before you set all this up either carry a timestamp from which that full window has to elapse, or have no timestamp at all (a static record, which scavenging never touches) until the client next registers and gets one. Machines that no longer exist never re-register, so after the window has passed they go; short of manually deleting them, just hold fire and wait. Bear in mind the flip side too: a real machine that is switched off for longer than the window (a laptop in a cupboard over the holidays) loses its record as well, and gets it back when it next boots and registers.
After a few weeks you'll begin to notice that your scavenging is actually working. No odd devices are appearing in your DNS.
Roles such as WSUS will begin to actually clean themselves up when you click Clean, things like System Center client deployments will work much faster, antivirus logs become more accurate, server name resolution is significantly quicker, and the clients will begin to notice some speed improvements, though they won't ever say anything. Login times usually improve as well, you'll probably find that group policies that are set but haven't applied correctly start to apply, and DFS begins to love you again.
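Rather than guess which records the next scavenge will remove, you can work it out from the timestamps, which also shows why the first weeks remove nothing. This is an added, read-only example that is not part of the original post; the zone name is an assumption, and it applies the eligibility rule above (timestamp older than no-refresh plus refresh) to every A record in the zone, separating out static records, which have no timestamp and are never scavenged.

```powershell
# Added example (not from the original post). Read-only: it only reports.
# Assumes the DnsServer module and a zone called contoso.local.
Import-Module DnsServer

$Zone   = 'contoso.local'
$Aging  = Get-DnsServerZoneAging -Name $Zone
$Now    = Get-Date
# The rule scavenging applies: eligible once Timestamp + NoRefresh + Refresh < now
$Window = $Aging.NoRefreshInterval + $Aging.RefreshInterval

$records = Get-DnsServerResourceRecord -ZoneName $Zone -RRType A

# Static records (no timestamp) are never scavenged; list them so you can
# decide whether each one really should be static.
$static = $records | Where-Object { -not $_.Timestamp }
Write-Host ("{0} static A records in {1} will never be scavenged" -f $static.Count, $Zone)

$report = $records |
    Where-Object { $_.Timestamp } |
    ForEach-Object {
        $age = $Now - $_.Timestamp
        [pscustomobject]@{
            Name            = $_.HostName
            IP              = $_.RecordData.IPv4Address.IPAddressToString
            Stamped         = $_.Timestamp
            AgeDays         = [math]::Round($age.TotalDays, 1)
            EligibleNow     = ($age -gt $Window)
            EarliestRemoval = $_.Timestamp + $Window
        }
    } | Sort-Object Stamped

$report | Format-Table -AutoSize
Write-Host ("{0} of {1} dynamic records are eligible on the next scavenge" -f `
    ($report | Where-Object EligibleNow).Count, $report.Count)
```

Run it the day you enable aging and EligibleNow is false for everything and EarliestRemoval is a couple of weeks out; run it again after that date and the names that show as eligible should be the ones you already removed from Active Directory. A live machine that appears in the eligible list has not re-registered, which usually means its DHCP or "Register this connection's addresses in DNS" setting wants a look before scavenging takes its record.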
I hope this blog has helped out a lot of people out there, I know my life became so much easier once I got the DNS stuff out the way. My DNS is neat, my AD is neat and there is no sign of old devices from previous migrations. Ready for the future.
Thanks for reading!
Just an FYI, using the above commands it didn't like the 'dot forward slash' after the 'DNSCmd'.
The new command would read:
DNSCmd /ZoneResetScavengeServers [Domain] [DNSServerIP] [SecondDNSServerIP]