Best Practices configuration for DNS server on Windows 2008 R2 Server (aging/scavenging, etc.)

  • Question

  • We have a small (<50 users) network, all running Windows 7 SP1 clients on a native AD 2008 R2 domain.

    What are some best practice settings for configuring DNS aging/scavenging on a Windows 2008 R2 DNS server? Is 2 days too short?

    What are the cons for setting up DNS scavenging?

    Thursday, May 3, 2012 1:11 AM

Answers

All replies

  • It's recommended to be at least one day (25 hours is more than one day!), or some issues may occur with some apps and services, such as KMS with its 24 hour refresh cycle. I personally keep it to the 7 day default, which works nicely with the 8 day DHCP Lease. Whatever you set it to, ideally it should be equal to or greater than the DHCP lease.


    /Begin Late Edit

    Late Edit & Note (posted 10/14/2012): The NoRefresh and Refresh combined should be equal to or less than the DHCP lease. For example, with an 8 day DHCP lease, set the NoRefresh to 4, and the Refresh to 4. More info:

    Good article by Sean Ivey, MSFT:
    How DNS Scavenging and the DHCP Lease Duration Relate
    (Make the No-refresh and Refresh each half the lease, so combined, they are equal or greater than the lease).
    http://blogs.technet.com/b/askpfe/archive/2011/06/03/how-dns-scavenging-and-the-dhcp-lease-duration-relate.aspx

    /End Late Edit


    "When a DNS record is created by a new client, the NoRefresh interval is in effect. When the client dynamically updates its DNS information in this situation, the client's DNS time stamp is not updated until the Refresh interval takes effect. This behavior prevents the replication of lots of DNS objects in the Active Directory directory service.
    During the Refresh interval, the client's DNS time stamp is updated. During the Scavenging interval, old DNS resource records are automatically deleted."
    Above is quoted from below:
    How DNS dynamic updates work together with the DNS "aging and scavenging" process in Windows 2000 and in Windows Server 2003
    http://support.microsoft.com/kb/932464


    More info below with tech info and the bottom one to a thread with a good discussion, and especially the first link regarding how to make it all work together including configuring DHCP credentials (you must set credentials AND add the DHCP servers to the DnsUpdateProxy group), scavenge settings, aging, what happens with static records when you age all records, etc.

    DHCP Service Configuration, Dynamic DNS Updates, Scavenging, Static Entries, Timestamps, DnsUpdateProxy Group, DHCP Credentials, prevent duplicate DNS records, DHCP has a "pen" icon, and more...
    Published by Ace Fekay, MCT, MVP DS on Aug 20, 2009 at 10:36 AM
    http://msmvps.com/blogs/acefekay/archive/2009/08/20/dhcp-dynamic-dns-updates-scavenging-static-entries-amp-timestamps-and-the-dnsproxyupdate-group.aspx  

    Good article explaining how AD handles scavenging with records in an AD integrated zone, as well as what happens if, say, a machine whose record is marked as dnsTombstoned is reinstalled, which now has a new SID, and how it can't update the original record - the original host record is not removed immediately:
    DNS Scavenging internals (or what is the dnsTombstoned attribute) for AD Integrated zones, by Guy Teverovsky, 23 Sep 2010
    http://blogs.technet.com/b/isrpfeplat/archive/2010/09/23/dns-scavenging-internals-or-what-is-the-dnstombstoned-attribute-for-ad-integrated-zones-dstombstoneinterval-dnstombstoned.aspx

    Don't be afraid of DNS Scavenging. Just be patient.
    http://blogs.technet.com/b/networking/archive/2008/03/19/don-t-be-afraid-of-dns-scavenging-just-be-patient.aspx

    Good discussion on scavenging and the requirements of having patience:
    Technet thread: "DNS timestamp replication (again), and Scavenge vs Enable Automatic scavenging" 3/10/2012
    http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/431c3597-e2d1-4061-96ed-4672532dc126/ 



    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008/R2, Exchange 2007 & Exchange 2010, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This post is provided AS-IS with no warranties or guarantees and confers no rights.




    Thursday, May 3, 2012 3:26 AM
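As an added illustration of the NoRefresh/Refresh versus DHCP lease rule discussed above (my own model, not code from this thread or from Microsoft; that the client re-registers its DNS record when it renews at half its lease is an assumption):

```python
"""Model of how NoRefresh, Refresh, the scavenging period and the DHCP lease
interact. Constructed example; all times are in hours. Assumption: the client
renews its lease (and re-registers in DNS) at half the lease, i.e. DHCP T1."""

from dataclasses import dataclass


@dataclass
class AgingPolicy:
    no_refresh: float         # hours in which a re-registration leaves the timestamp alone
    refresh: float            # hours after that in which a re-registration moves the timestamp
    scavenging_period: float  # how often the server runs a scavenging pass


def meets_lease_rule(policy: AgingPolicy, lease_hours: float) -> bool:
    """Rule from the thread: NoRefresh + Refresh >= DHCP lease."""
    return policy.no_refresh + policy.refresh >= lease_hours


def max_stale_lifetime(policy: AgingPolicy) -> float:
    """Longest a record of a client that has gone away can linger: the whole
    aging window plus the wait for the next scavenging pass (the 'patience' cost)."""
    return policy.no_refresh + policy.refresh + policy.scavenging_period


def simulate(policy: AgingPolicy, lease_hours: float, horizon_hours: float,
             first_scavenge: float = 0.0):
    """Event-driven run for one always-on client. Returns the hour at which its
    record was scavenged, or None if it survived until the horizon."""
    stamp = 0.0                   # record timestamp: hour of the last accepted refresh
    next_renew = lease_hours / 2  # DHCP T1 renewal, with a DNS dynamic update
    next_scavenge = first_scavenge
    while True:
        t = min(next_renew, next_scavenge)
        if t > horizon_hours:
            return None
        if t == next_renew:
            # Inside NoRefresh the update is accepted but the timestamp is not moved
            if t >= stamp + policy.no_refresh:
                stamp = t
            next_renew += lease_hours / 2
        if t == next_scavenge:
            # A pass deletes records whose NoRefresh + Refresh window has expired
            if t >= stamp + policy.no_refresh + policy.refresh:
                return t
            next_scavenge += policy.scavenging_period


if __name__ == "__main__":
    lease = 8 * 24  # the 8-day DHCP lease from the thread
    for policy in (AgingPolicy(96, 96, 168), AgingPolicy(24, 24, 168)):
        print(policy, "rule ok:", meets_lease_rule(policy, lease),
              "live client scavenged at hour:", simulate(policy, lease, 60 * 24))
```

With 4 + 4 days against an 8-day lease the live client's record is never removed; with the 1 + 1 day setting the 7-day scavenging pass at hour 168 deletes it even though the client renews again at hour 192.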
  • FYI, I only read to /End Late Edit but even there, you contradict yourself. You say "The NoRefresh and Refresh combined should be equal to or less than the DHCP lease." and then you immediately cite as good a source which says "(Make the No-refresh and Refresh each half the lease, so combined, they are equal or greater than the lease)." Greater would seem to make sense so as to ensure that a record is not removed from DNS when it's still possible that a DHCP client might refresh the DHCP lease (and thus still exist).
    Friday, May 9, 2014 6:12 AM
  • Quoted by notRoman:

    > "FYI, I only read to /End Late Edit but even there, you contradict yourself. You say "The NoRefresh and Refresh combined should be equal to or less than the DHCP lease." and then you immediately cite as good a source which says "(Make the No-refresh and Refresh each half the lease, so combined, they are equal or greater than the lease)." Greater would seem to make sense so as to ensure that a record is not removed from DNS when it's still possible that a DHCP client might refresh the DHCP lease (and thus still exist)."


    Thank you for catching that. It was a typo on my part. Corrected.

    Ace Fekay
    MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.




    Saturday, May 10, 2014 2:25 PM