YogeshBhatia-9708 asked; LimitlessTechnology-2700 answered

DNS Scavenging issue

Hello,

We are facing an issue related to DNS scavenging. When the scavenging process runs, it deletes the HOST A resource records of two specific servers from the zone. This happens with only these 2 servers; the Host A records of the other servers are fine. Also, it deletes the entries after 4-5 days.

Can anybody help me identify the possible cause of this?

DNS scavenging settings:

Non-refresh interval : 1 day

Refresh interval : 1 day

Tags: windows-active-directory, windows-dhcp-dns

cthivierge answered; YogeshBhatia-9708 commented

What is the scavenging period on the DNS server? (Properties of the DNS server, Advanced tab.)


Scavenging period is 2 days

cthivierge answered; YogeshBhatia-9708 commented

Does the DNS service or the DC have a planned reboot?

I think that could be possible...

The non-refresh interval is a period during which the resource record cannot be refreshed. This exists only to reduce replication traffic between DCs.
The refresh interval is the period during which the resource record can be updated by the computer.

Let's say the scavenging process of the DNS server runs at 12:00 PM every 2 days starting on Sunday (keep in mind that the scavenging timer is reset when the DNS service restarts):

  • Sunday at 12:01 PM, ServerA has just started and creates its DNS resource record (A record).

  • Sunday at 6:00 PM, ServerA is disconnected from the network.

  • The no-refresh interval ends on Monday at 12:00 PM.

  • Monday at 12:00 PM, the resource record (A) has not finished its non-refresh interval because it has not reached its 1 day.

  • Tuesday at 12:00 PM, the resource record (A) has completed the non-refresh interval.

  • Wednesday at 12:00 PM, the resource record (A) has not finished the refresh interval.

  • Thursday at 12:00 PM, the resource record is flagged to be scavenged.

  • Saturday at 12:00 PM, the resource record will be deleted by the scavenging process.

So yes... it's possible, depending on when the record was created.


Thank you for your explanation. But the DNS server has not been rebooted in the last 40 days, and ServerA is a production server that works 24/7, so this server has not been disconnected from the network either. A few days ago the same issue happened; we then rejoined the computer to the domain, but after 6 days the same issue happened again.

cthivierge answered; YogeshBhatia-9708 commented

Are they using static IP or DHCP?


cthivierge answered; YogeshBhatia-9708 commented

In DNS, if you open the A record and click on the Security tab, do you see the computer account in the list? Normally it should have Full Control.


I can't see the computer account in the Security tab for this record. I have verified with other records, and they also don't have the computer account in the list.

cthivierge answered; YogeshBhatia-9708 commented

Is your DNS zone AD-integrated?

Are you able to see the timestamp of the record in DNS?


Yes, DNS is integrated with AD, and I can see the timestamp of the dynamic records.

cthivierge answered; YogeshBhatia-9708 commented

What account is the owner of the A record of the server?


[image: screenshot of the Security tab of the A record]

These are the current permissions of the A record.
cthivierge answered; YogeshBhatia-9708 commented

On the DNS zone, what is the configuration for dynamic updates?
Is it:
- Secure Only
- Nonsecure and secure
- None


It is Nonsecure and secure.

cthivierge answered

Any reason why it's set to nonsecure and secure?

By default, it's set to secure only.

My guess is that, for an unknown reason, the computer tries to register its A record in DNS but fails, and the DNS server registers the record on behalf of the computer. This would explain why the SYSTEM account is the owner of the record instead of the server.

But when the computer tries to update the record, it can't, because the computer account has no rights on the record. The record stays "inactive" until scavenging deletes it from the zone.

If it's possible to set the DNS zone to Secure only, it would be a good test to see if the server is able to register its own A record.

You said that the server is a domain-joined computer, right?


LimitlessTechnology-2700 answered

Hello @YogeshBhatia-9708,

Something else must be going on, as scavenging will not delete static records by itself.

First, I would recommend running `dcdiag /test:registerindns /dnsdomain:yourdomainname.local` to spot any replication issues that may incorrectly mark these 2 servers.

Otherwise, I would check:
a) their static IPs (ensure they do have static assignments) are not in the same range as the DHCP scope.
b) the reasons why a record can be marked as stale: https://docs.microsoft.com/en-US/troubleshoot/windows-server/networking/dns-records-not-present
c) whether you may have a rogue DHCP server in your environment: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc759117(v=ws.10)?redirectedfrom=MSDN
d) event IDs 519 and 520 from the DNS-Server source on dynamic updates.

More details about DNS scavenging on DHCP lease: https://docs.microsoft.com/en-gb/archive/blogs/askpfe/how-dns-scavenging-and-the-dhcp-lease-duration-relate

Hope this helps narrow down the issue.

--If the reply is helpful, please Upvote and Accept as answer--
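As an added diagnostic that is not part of the thread, the following PowerShell pulls together the checks raised above: the zone's aging intervals and the server's scavenging period that drive cthivierge's timeline, the owner and computer-account rights on each affected record (the SYSTEM-owner diagnosis), and the DNS server audit events cited in this answer. The zone name, host names, DNS server name and the DomainDnsZones partition path are assumptions to replace with your own values.

```powershell
# Added example (not from the thread). Assumes the DnsServer and ActiveDirectory RSAT
# modules, an AD-integrated zone stored in the DomainDnsZones partition, and these names:
Import-Module DnsServer, ActiveDirectory
$Zone  = 'corp.example.local'      # assumption: the zone losing records
$Names = @('server1', 'server2')   # assumption: the two affected hosts
$Dns   = 'dc01'                    # assumption: a DNS server hosting the zone

# Zone aging and server scavenging period. A dynamic record becomes scavengeable once
# Timestamp + NoRefresh + Refresh has passed, and is deleted at the next scavenging run.
$aging = Get-DnsServerZoneAging  -Name $Zone -ComputerName $Dns
$scav  = Get-DnsServerScavenging -ComputerName $Dns
$staleAfter = $aging.NoRefreshInterval + $aging.RefreshInterval
"Aging enabled: $($aging.AgingEnabled)  NoRefresh: $($aging.NoRefreshInterval)  Refresh: $($aging.RefreshInterval)"
"Server scavenges every $($scav.ScavengingInterval); last run: $($scav.LastScavengeTime)"

$domainDn = (Get-ADDomain).DistinguishedName
foreach ($n in $Names) {
    Get-DnsServerResourceRecord -ZoneName $Zone -Name $n -RRType A -ComputerName $Dns -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Timestamp is empty for static records, and static records are never scavenged.
            if ($_.Timestamp) {
                "$n $($_.RecordData.IPv4Address): dynamic, stamped $($_.Timestamp), scavengeable after $($_.Timestamp + $staleAfter)"
            } else {
                "$n $($_.RecordData.IPv4Address): static, never scavenged"
            }
        }

    # Owner and rights on the dnsNode object. A host that registered its own record owns it
    # with Full Control; SYSTEM as owner means the DNS server wrote the record, and the
    # computer account then has no right to refresh it (the situation in this thread).
    $node = "AD:\DC=$n,DC=$Zone,CN=MicrosoftDNS,DC=DomainDnsZones,$domainDn"
    $acl  = Get-Acl -Path $node -ErrorAction SilentlyContinue
    if ($acl) {
        "  owner: $($acl.Owner)"
        $acl.Access | Where-Object { $_.IdentityReference -like "*\$n`$" } |
            ForEach-Object { "  $($_.IdentityReference): $($_.ActiveDirectoryRights) ($($_.AccessControlType))" }
    }
}

# Audit events 519 (dynamic update) and 520 (scavenge) from the DNS server's audit channel
# (Windows Server 2012 R2 and later), limited to the affected names.
$pattern = ($Names | ForEach-Object { [regex]::Escape($_) }) -join '|'
Get-WinEvent -ComputerName $Dns -MaxEvents 500 -ErrorAction SilentlyContinue `
    -FilterHashtable @{ LogName = 'Microsoft-Windows-DNSServer/Audit'; Id = 519, 520 } |
    Where-Object { $_.Message -match $pattern } |
    Select-Object TimeCreated, Id, Message
```

A record that shows as dynamic with SYSTEM as owner and no ACE for the computer account matches the failure mode described in the previous answer; a record that shows as static cannot be removed by scavenging at all.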
