Windows Server Hack [Electronic resources] - Text version

Mitch Tulloch

Hack 37 Simplify DNS Aging and Scavenging

Understanding the mysteries of how DNS aging/scavenging works can save you time and effort troubleshooting DNS name-resolution problems.

Dynamic DNS (DDNS, introduced in Windows 2000) brought with it a process called DNS scavenging, the automatic removal of stale DNS information. In a perfect world, DNS scavenging would not be necessary, but who lives in a perfect world? So, before you spend time reading the rest of this hack, let's see if it applies to you.

Have you ever pinged a machine by name and gotten a reply, but when you attempted to connect to it, you reached a different machine or could not connect at all? That is what a stale record looks like from the client side: the name still resolves, but to an address that now belongs to some other host (or to nothing at all). If you just nodded or mumbled something about this happening to you, this hack might shed some light.

Still reading? Good. First, let me establish my bias: all of this information pertains to Active Directory Integrated Zones. That said, let's establish some definitions before we continue:

A

This record maps the name of the machine (host) to its IP address.

PTR

This record maps an IP address back to the hostname (reverse lookup).

Why Scavenge?

There are two parts of DDNS that you need to understand before we answer the question of when scavenging is necessary: DNS and DHCP.

DHCP process

Wait a second. I thought we were talking about DNS? Before we go on about DNS, we first have to understand how DDNS works and why DHCP is important in this process.

Dynamic DNS registration happens at one of two places: the DHCP client or the DHCP server. Which one depends on configuration and client type. For the most part, Windows 2000 clients and above handle their own hostname (A record) registrations, while the DHCP server handles the PTR registration (except in the case of statically assigned IP addresses, in which case the client handles both the A and PTR registrations). In other configurations, the DHCP server can be made to handle both the host and PTR registrations. Down-level clients (NT4, 9x, etc.) do not interact with the DDNS registration process at all, but the DHCP server can be set to register on behalf of these clients as well.

Okay, now we have an idea of how these records get into DDNS. Unfortunately, the way records go in is much more efficient than the way they come out.

Read Larry Duncan's excellent article, "DNS for Active Directory: A 10 Minute Primer" (http://www.myitforum.com/articles/16/view.asp?id=3907), to understand when clients like to refresh their DNS records.

DDNS process

There is nothing to stop two records from holding the same IP address or the same host name. This scenario is problematic for image-based workstation/laptop deployments. During a portion of the imaging process, the client registers as WIN2KIMAGE in DNS (for example), before having the machine name changed later in the process. Another image is started and WIN2KIMAGE is added again with a different IP address. Sooner or later, you'll end up with 50 PTR records pointing to the same name, WIN2KIMAGE. The same thing happens in other situations, in which a machine obtains a different dynamic IP address but, for some reason, the old reverse-lookup record is not removed. Generally, the DHCP client and server help clean up these records; in some configurations, the DHCP server does it all. However, real-world experience might tell you that this is not getting done effectively. When this clean-up does not occur properly, stale records remain in DNS.
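To find the two duplicate patterns described above (many PTR records that all point at one name, and several A records sharing one address) before deciding whether scavenging is even needed, here is an added example in PowerShell. It is not code from the original hack; it uses the DnsServer module that ships with Windows Server 2012 and later (or RSAT) rather than the Windows 2000-era GUI the text describes, and the zone names in the usage line are placeholders.

```powershell
# Added example, not code from the original hack. Finds the two duplicate
# patterns the text describes: several PTR records that all point at one
# host name (the WIN2KIMAGE case) and several A records that share one
# IPv4 address. Needs the DnsServer module (Windows Server 2012 or later,
# or RSAT); run it as a DNS administrator. Zone names are assumptions.

function Format-RecordStamp {
    # A $null Timestamp means a static record: aging never applies to it.
    param($Record)
    if ($Record.Timestamp) { $Record.Timestamp.ToString('yyyy-MM-dd HH:mm') } else { 'static' }
}

function Find-DnsDuplicateRecords {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ForwardZone,   # assumed, e.g. corp.example.com
        [Parameter(Mandatory)] [string] $ReverseZone,   # assumed, e.g. 0.168.192.in-addr.arpa
        [string] $ComputerName = $env:COMPUTERNAME       # any DNS server hosting both zones
    )

    # A records grouped by address: more than one name on an address is the
    # leftover of a host that moved, or was imaged under a temporary name.
    Get-DnsServerResourceRecord -ComputerName $ComputerName -ZoneName $ForwardZone -RRType A |
        Group-Object { $_.RecordData.IPv4Address.IPAddressToString } |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                Kind       = 'A records sharing one IP'
                Key        = $_.Name
                Count      = $_.Count
                Names      = ($_.Group.HostName -join ', ')
                Timestamps = (($_.Group | ForEach-Object { Format-RecordStamp $_ }) -join ', ')
            }
        }

    # PTR records grouped by target name: one PTR per address, all pointing at
    # the same name, is exactly the 50-PTRs-for-WIN2KIMAGE situation.
    Get-DnsServerResourceRecord -ComputerName $ComputerName -ZoneName $ReverseZone -RRType Ptr |
        Group-Object { $_.RecordData.PtrDomainName.ToLowerInvariant() } |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                Kind       = 'PTR records with one target name'
                Key        = $_.Name
                Count      = $_.Count
                Names      = ($_.Group.HostName -join ', ')   # host-octet labels in the reverse zone
                Timestamps = (($_.Group | ForEach-Object { Format-RecordStamp $_ }) -join ', ')
            }
        }
}

# Usage (placeholder zone names). Review the Timestamps column: entries shown
# as 'static' have no timestamp, so scavenging will never remove them and
# they must be deleted by hand.
Find-DnsDuplicateRecords -ForwardZone 'corp.example.com' -ReverseZone '0.168.192.in-addr.arpa' |
    Sort-Object Kind, Count -Descending |
    Format-Table -AutoSize
```

The grouping keys are the address for A records and the lower-cased target name for PTR records, because that is the axis along which the re-imaging scenario produces duplicates; a single name with several A records is often legitimate (round robin) and is deliberately not flagged.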
This is where scavenging comes in. Scavenging deletes stale records once they are beyond a set age. Every dynamically registered record carries a timestamp, but that timestamp is not considered until aging is enabled on the zone. Once aging is turned on, DNS does not go back and work out how old a record was before that point; the clock starts from the moment aging is enabled. Records that carry no timestamp at all (static records created by hand) are never scavenged, so scavenging cannot clean up a stale static entry for you.

For more information on the various triggers of the StartScavenging time frame, refer to the Microsoft DNS white paper at http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/prodtechnol/windows2000serv/plan/w2kdns2.asp.
How to Use Scavenging

There are three intervals you need to understand before you set up scavenging: Scavenging Period, No-refresh Interval, and Refresh Interval. The zone-level intervals are described in the DNS GUI. Just right-click on an Active Directory Integrated zone, select Properties, choose the General tab, and click the Aging button to see the screen shown in Figure 4-2. The Scavenging Period itself is a per-server setting and lives under the DNS server's Properties, on the Advanced tab, behind "Enable automatic scavenging of stale records".

Figure 4-2. Configuring DNS scavenging options

If you're like me, your brain is twitching from the complex wording of the definitions. To understand this a little better (without needing the mental capacity to solve a Rubik's Cube in two minutes), let's break down what the definitions really mean:
Scavenging Period

This is easy enough to understand. This interval simply tells your DNS server how often to check its zones for stale records. You can only get as granular as telling DNS to check every x hours or x days. By the way, this setting applies only to the DNS server, not to the zones.

No-refresh Interval

This is a mechanism by which DDNS suppresses reregistration attempts. It helps keep replication of record information to a minimum. For example, using the default of seven days, after a DNS client registers with DDNS, all attempts to refresh that record without changing its data are ignored for the next seven days, and the record's timestamp is not updated. (An update that actually changes the record, such as a new IP address, is still accepted.)

Refresh Interval

This definition took a while for me to grasp. It is the number of days after the No-refresh Interval expires during which DDNS will accept a refresh from the client; if the client does not refresh its record before the Refresh Interval also expires, the record becomes stale. Again, by default, this setting is seven days.
Now, we'll put this all together in an example that makes sense. In this scenario, the DNS client does not reregister during the Refresh Interval. Keep in mind that we are using the default of seven days for both intervals:

1. DNS client registers with DDNS; the record's timestamp is set.

2. No-refresh Interval starts (seven days).

3. DDNS server will not accept refresh attempts from this client for seven days.

4. No-refresh Interval expires.

5. Refresh Interval starts (seven days).

6. DNS client has seven days to refresh its record before the record is considered stale.

7. Refresh Interval expires; the record is now stale.

8. The next scavenging pass removes the record.

If the client had refreshed its record during step 6, the timestamp would have been updated and the No-refresh Interval would have started all over again. With the default settings of seven days, a record therefore has to be more than 14 days old before it becomes eligible for scavenging, and it is actually deleted only when a scavenging pass runs after that, so in practice a stale record can survive for up to 14 days plus one Scavenging Period. This works well if your DHCP lease time is eight days (the default), because the client refreshes at lease renewal, comfortably inside the window. Otherwise, you might need to set the intervals closer to your DHCP lease times; the thing to preserve is that the owner's periodic refresh (DHCP renewal, or the Windows DNS client's own daily re-registration) lands inside the Refresh Interval. Also, keep in mind the Scavenging Period runs only at the interval specified, which is also seven days by default.
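The timeline above can be applied to a live zone to see which records are in which window, and therefore what the next scavenging pass would delete, before the Scavenging Period is switched on. The following is an added example in PowerShell, not code from the original hack; it uses the DnsServer module (Windows Server 2012 or later, or RSAT), and the zone and server names in the usage line are placeholders. The classification reads the zone's own No-refresh and Refresh intervals, so it stays correct if you have changed them from the seven-day defaults.

```powershell
# Added example, not code from the original hack. Classifies every A and PTR
# record of a zone into the aging states described in the text (static, in the
# No-refresh window, in the Refresh window, stale) using the zone's configured
# intervals. Needs the DnsServer module (Windows Server 2012 or later, or RSAT).
# The zone name and server name used below are assumptions.

function Get-DnsRecordAgingState {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ZoneName,
        [string] $ComputerName = $env:COMPUTERNAME,
        [ValidateSet('A', 'Ptr')] [string[]] $RRType = @('A', 'Ptr')
    )

    $aging  = Get-DnsServerZoneAging  -ComputerName $ComputerName -Name $ZoneName   # zone settings (replicated)
    $server = Get-DnsServerScavenging -ComputerName $ComputerName                   # server settings (not replicated)
    $now    = Get-Date

    # Window boundaries, measured back from now: a timestamp newer than
    # $noRefreshStart is inside the No-refresh window; one older than
    # $staleBefore is past both windows and therefore stale.
    $noRefreshStart = $now - $aging.NoRefreshInterval
    $staleBefore    = $now - ($aging.NoRefreshInterval + $aging.RefreshInterval)

    Write-Verbose ("Zone {0}: aging={1} noRefresh={2} refresh={3}; this server: scavenging={4} every {5}, last run {6}" -f
        $ZoneName, $aging.AgingEnabled, $aging.NoRefreshInterval, $aging.RefreshInterval,
        $server.ScavengingState, $server.ScavengingInterval, $server.LastScavengeTime)

    foreach ($type in $RRType) {
        Get-DnsServerResourceRecord -ComputerName $ComputerName -ZoneName $ZoneName -RRType $type |
        ForEach-Object {
            $ts = $_.Timestamp          # $null for static records
            $state = if (-not $ts)                    { 'Static: no timestamp, never scavenged' }
                     elseif ($ts -gt $noRefreshStart) { 'No-refresh window: refresh attempts ignored' }
                     elseif ($ts -gt $staleBefore)    { 'Refresh window: client can still refresh' }
                     elseif ($aging.AgingEnabled)     { 'Stale: deleted by the next scavenging pass' }
                     else                             { 'Stale, but zone aging is off: kept' }

            $data = if ($type -eq 'Ptr') { $_.RecordData.PtrDomainName }
                    else                 { $_.RecordData.IPv4Address.IPAddressToString }
            $ageDays = if ($ts) { [math]::Round(($now - $ts).TotalDays, 1) } else { $null }

            [pscustomobject]@{
                Name      = $_.HostName
                Type      = $_.RecordType
                Data      = $data
                Timestamp = $ts
                AgeDays   = $ageDays
                State     = $state
            }
        }
    }
}

# Usage (placeholder names): list what would go, then read the list for hosts
# that are alive but never refresh (a server whose record was registered
# dynamically and later given a static address is the usual surprise).
Get-DnsRecordAgingState -ZoneName 'corp.example.com' -ComputerName 'dns01' -Verbose |
    Where-Object { $_.State -like 'Stale*' } |
    Sort-Object AgeDays -Descending |
    Format-Table Name, Type, Data, AgeDays, State -AutoSize
```

Timestamps are kept at hour granularity by the DNS server, so a record can show as stale up to an hour earlier than the arithmetic suggests; the -Verbose line prints the server's last scavenge time, which tells you whether the low-priority pass described below has actually been running.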
Scavenging jobs use processor time. However, the scavenging process runs as a low-priority thread of the DNS service. This ensures that scavenging does not consume all the processing capacity, but it is bad news if your DNS servers are heavily used: as a low-priority thread on a busy DNS server, there is a real chance the scavenging thread never gets to run. Also, if the server attempts to run the scavenging process during a time when the DNS server is busy, it misses the scheduled interval. It will not retry over and over but instead waits until the next scheduled interval (remember the default of seven days). At the time of this writing, I haven't found a setting that can be adjusted to change which hour the scavenging process starts.
For the Advanced Pack Rat

As I mentioned earlier, the Scavenging Period setting applies only to an individual DNS server. Unlike the zone settings, which are replicated by Active Directory, this setting is specific to the DNS server in question. With this in mind, not enabling it anywhere means that no server is scavenging records. Aging of records still takes place (No-refresh, Refresh), but nothing else is going on. This is good for a variety of reasons. First, you don't necessarily want all of your DNS servers to scavenge. You need only one server to scavenge; it will replicate the record deletions to the other DNS servers through Active Directory. This also allows for some other configuration options:

Small environment

Turn the Scavenging Period on. This should be ample for you.

Larger environment

Leave the Scavenging Period setting off. In other words, you don't want the DNS servers deciding when to scavenge for you. Instead, use the dnscmd command (found in the Support Tools folder on your product CD) with the /StartScavenging option and schedule it on a recurring basis, at the time frame you're looking for. It's probably reasonable to assume that nighttime hours have little DNS registration or query traffic going on.

Enterprise environment

Designate a DNS server to handle all scavenging and nothing else. This can be done by placing the DNS server in its own Active Directory site so that clients do not refer to it for Active Directory functions, or, if that sounds like too much work, by stripping this server's SRV records from DNS to achieve the same effect. Note that neither step stops clients from sending it ordinary lookups: clients query whatever DNS servers they are given by DHCP or their static NIC configuration, so also leave this server out of the DHCP scope options and client server lists. Either way, if you populate the zone's list of scavenging servers, that list must name it, because for an Active Directory Integrated zone only the servers on a non-empty list will scavenge the zone.
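The "Larger environment" and "Enterprise environment" layouts above come down to three settings: aging on the zone with the designated server as the only permitted scavenger, automatic scavenging turned off on every other server, and a scheduled nightly pass on the designated one. Here is an added PowerShell example that applies all three; it is not code from the original hack. It uses the DnsServer and ScheduledTasks modules of Windows Server 2012 and later in place of the dnscmd invocations the text names (the equivalent dnscmd switches are noted in the comments), and the server names, the address and the zone are placeholders.

```powershell
# Added example, not code from the original hack. Sets up the "one designated
# scavenger" layout: zone aging with the designated server as the only server
# allowed to scavenge the zone, automatic scavenging off on every other server,
# and a nightly scheduled task on the designated server that does what
# dnscmd /StartScavenging does. Needs the DnsServer and ScheduledTasks modules
# (Windows Server 2012 or later). Server names, address and zone are assumptions.

function Set-DnsDesignatedScavenger {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]    $ZoneName,
        [Parameter(Mandatory)] [string]    $Scavenger,         # the server that will do the scavenging
        [Parameter(Mandatory)] [ipaddress] $ScavengerAddress,  # its address, for the zone's scavenge-server list
        [string[]] $OtherServers = @(),                        # every other DNS server hosting the zone
        [timespan] $NoRefreshInterval = (New-TimeSpan -Days 7),
        [timespan] $RefreshInterval   = (New-TimeSpan -Days 7),
        [string]   $RunAt = '02:00'                            # nightly start time, local to the scavenger
    )

    # 1. Zone aging (replicated through Active Directory). -ScavengeServers
    #    restricts which servers may scavenge this AD-integrated zone; an empty
    #    list would let any server with scavenging enabled do it.
    #    dnscmd equivalents:
    #      dnscmd /Config <zone> /Aging 1 /NoRefreshInterval <hours> /RefreshInterval <hours>
    #      dnscmd /ZoneResetScavengeServers <zone> <ip>
    Set-DnsServerZoneAging -ComputerName $Scavenger -Name $ZoneName -Aging $true `
        -NoRefreshInterval $NoRefreshInterval -RefreshInterval $RefreshInterval `
        -ScavengeServers $ScavengerAddress

    # 2. Per-server setting (not replicated): the automatic Scavenging Period is
    #    off everywhere, including the scavenger, which runs on a schedule instead.
    #    Aging still takes place on these servers; only the deletion pass is disabled.
    #    dnscmd equivalent: dnscmd <server> /Config /ScavengingInterval 0
    foreach ($srv in @($OtherServers) + $Scavenger) {
        Set-DnsServerScavenging -ComputerName $srv -ScavengingState $false
    }

    # 3. Nightly pass on the designated server, at a quiet hour, instead of the
    #    seven-day timer whose start hour cannot be chosen.
    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                     -Argument '-NoProfile -NonInteractive -Command "Start-DnsServerScavenging -Force"'
    $trigger   = New-ScheduledTaskTrigger -Daily -At $RunAt
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -CimSession $Scavenger -TaskName 'DNS nightly scavenging' `
        -Action $action -Trigger $trigger -Principal $principal -Force | Out-Null

    # Report what was applied so the result can be checked server by server.
    foreach ($srv in @($OtherServers) + $Scavenger) {
        Get-DnsServerScavenging -ComputerName $srv |
            Select-Object @{ n = 'Server'; e = { $srv } }, ScavengingState, ScavengingInterval, LastScavengeTime
    }
    Get-DnsServerZoneAging -ComputerName $Scavenger -Name $ZoneName
}

# Usage (placeholder names). Eight-day DHCP leases fit the 7 + 7 day defaults;
# shorter leases are the reason to pass shorter -NoRefreshInterval/-RefreshInterval.
Set-DnsDesignatedScavenger -ZoneName 'corp.example.com' -Scavenger 'dns-scav01' `
    -ScavengerAddress 192.0.2.53 -OtherServers 'dc01', 'dc02'
```

Check the LastScavengeTime column after the first night: if it never moves on the designated server, the task is not running as a DNS administrator or the zone's scavenge-server list does not include that server's address.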
See Also

DNS Scavenging on Windows 2000 Server (http://www.microsoft.com/windows2000/en/server/help/default.asp?url=/WINDOWS2000/en/server/help/sag_DNS_imp_ManageAgingScavenging)

Enable Aging and Scavenging for DNS (http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/deployguide/dssbm_drd_dvwv.asp)

Scavenging Stale DNS Records (http://www.winnetmag.com/Articles/Index.cfm?ArticleID=19897)

Set Aging/Scavenging Properties for the DNS Server (http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/standard/sag_DNS_pro_SetAgeScavengeServer.asp)

How to Optimize the Location of a Domain Controller or Global Catalog (http://support.microsoft.com/?id=306602)

Marcus Oh