I am not talking about identity and access management today, but I want to share with you a strange issue that I encountered this week.
A Windows Server 2003 DNS server hosts a non-AD-integrated primary DNS zone. Another server, running Windows Server 2008 R2, hosts a copy of this zone (a secondary zone).
We noticed some very old records in this zone that should have been deleted by the automatic scavenging process (which is actually enabled).
Every day, a 2502 event appears in the DNS event log, but never a 2501.
The description of event 2502 reads:
The DNS server has completed a scavenging cycle but no nodes were visited. Possible causes of this condition include:
1) No zones are configured for scavenging by this server.
2) A scavenging cycle was performed within the last %1 minutes.
3) An error occurred during scavenging.
The next scavenging cycle is scheduled to run in %2 hours.
The event data will contain the error code if there was an error during the scavenging cycle.
The 2502 event proves that the scavenging process runs every day, but why aren't the old records deleted?
First, I want to be sure that the automatic scavenging process is running and correctly configured.
We have two DNS servers, but only one hosts a read/write copy of the zone (the primary zone). This server is configured to scavenge stale records every day (at 7 am).
The no-refresh interval is set to 3 days and the refresh interval to 4 days. The sum is 7 days, which is the maximum DHCP lease minus 1 day. Great.
Next, I have to dig into the aging and scavenging process. Have a look at these articles:
What we have to note is:
- A record can be deleted when its timestamp is older than the no-refresh interval + refresh interval, counted back from the current server time.
- When records are scavenged, a 2501 event appears in the event log.
- When a cycle runs but visits no nodes (and therefore deletes nothing), a 2502 event appears in the event log.
When can scavenging start? (from Understanding aging and scavenging)
- Dynamic updates are enabled for the zone: OK
- A change in the state of the Scavenge stale resource records check box is applied. You can use DNS Manager to modify this setting at either an applicable DNS server or one of its primary zones: OK, all records are ready to be scavenged
- The DNS server loads a primary zone that is enabled to use scavenging. This can occur when the server computer is started or when the DNS Server service is started: OK
- A zone resumes service after having been paused: never paused
- If the zone is AD DS-integrated, replication for the zone must have taken place at least once since the DNS service was restarted or the domain controller was rebooted: zones are not AD-integrated
When any of the previous events occurs, the DNS server sets the value of the start scavenging time by calculating the following sum:
Current server time + Refresh interval = Start scavenging time
This value is used as a basis of comparison during scavenging operations. Note the third item: every start of the DNS Server service pushes the start scavenging time one full refresh interval (4 days here) into the future.
Finally, I found this KB: http://support.microsoft.com/kb/830689. It explains:
After you restart the DNS service on your Microsoft Windows Server 2003-based computer, you may not be able to scavenge old Domain Name System (DNS) records. DNS zones are protected from being scavenged for the period of time that is specified on the zone refresh interval when the DNS service is restarted.
Looking at the DNS event log, I noticed that the DNS service is restarted every morning (at 5 am). That's it! A scheduled task runs every day to back up the DNS zone files, and it stops and restarts the DNS Server service to do so. Each restart at 5 am protects the zone until 5 am + 4 days (the refresh interval), while the scavenging cycle runs at 7 am the same day, always inside that window. Therefore the zone is always protected, and the scavenging process can never delete stale records: every cycle ends with a 2502 event.
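To make the timing argument concrete (the "current server time + refresh interval" rule above and the daily 5 am restart), here is a small Python simulation. It is an added example, not code from the original post or from Microsoft. It replays the zone settings described on this page (no-refresh 72 h, refresh 96 h, scavenging daily at 07:00, service restart daily at 05:00) over 30 days against a handful of constructed dynamic records; the record names and ages are made up, and the model of the DNS server (one protection window per service start, 2501 when nodes are visited, 2502 otherwise) is a simplification of the behaviour quoted from the KB and the event descriptions.

```python
from datetime import datetime, timedelta

# Zone settings as reported on this page (hours)
NO_REFRESH = timedelta(hours=72)
REFRESH = timedelta(hours=96)
SCAVENGE_HOUR = 7          # automatic scavenging runs daily at 07:00
BACKUP_RESTART_HOUR = 5    # the backup task restarts the DNS service at 05:00


def simulate(days, restart_hour, record_ages_days, start=datetime(2012, 1, 2)):
    """Simulate daily scavenging for `days` days.

    restart_hour: hour at which the DNS Server service is restarted each day,
        or None if it is never restarted.
    record_ages_days: ages (in days) of the zone's dynamic records at `start`
        (constructed sample data, not taken from the page).
    Returns (events, remaining): events is a list of
    (timestamp, event_id, deleted_count) mimicking DNS log entries 2501/2502,
    remaining maps the surviving record names to their timestamps.
    """
    records = {f"host{i}": start - timedelta(days=age)
               for i, age in enumerate(record_ages_days)}
    # Service start: the zone is protected until start + refresh interval
    # (the KB 830689 behaviour quoted above).
    scavenge_available = start + REFRESH
    events = []
    for day in range(days):
        midnight = start + timedelta(days=day)
        actions = [(midnight + timedelta(hours=SCAVENGE_HOUR), "scavenge")]
        if restart_hour is not None:
            actions.append((midnight + timedelta(hours=restart_hour), "restart"))
        for when, action in sorted(actions):
            if action == "restart":
                # Every restart moves the start-scavenging time forward again.
                scavenge_available = when + REFRESH
                continue
            if when < scavenge_available:
                events.append((when, 2502, 0))   # cycle ran, no nodes visited
                continue
            # Nodes are visited: delete records older than no-refresh + refresh.
            cutoff = when - (NO_REFRESH + REFRESH)
            stale = [name for name, ts in records.items() if ts <= cutoff]
            for name in stale:
                del records[name]
            events.append((when, 2501, len(stale)))
    return events, records


def event_ids(events):
    """Just the event IDs, in order, for easy comparison with the DNS log."""
    return [event_id for _, event_id, _ in events]


def scavenged_count(events):
    """Total number of records deleted over the simulated period."""
    return sum(deleted for _, event_id, deleted in events if event_id == 2501)


if __name__ == "__main__":
    ages = [10, 3, 1]   # constructed: three records, 10, 3 and 1 days old
    ev, left = simulate(30, BACKUP_RESTART_HOUR, ages)
    print("with 05:00 restart: deleted", scavenged_count(ev), "remaining", sorted(left))
    ev, left = simulate(30, None, ages)
    print("without restart:    deleted", scavenged_count(ev), "remaining", sorted(left))
```

With the daily restart every one of the 30 cycles lands inside the protection window and logs a 2502, exactly what the event log on this server shows; without the restart the first cycle after the initial 96-hour window visits the zone and starts deleting records as they pass the 7-day threshold.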
A look at the zone info with dnscmd shows the anomaly (scavenge available always lies in the future):
c:\ODX>dnscmd /zoneinfo mazone.local
Zone query result:
ptr = 0000000000307980
zone name = mazone.local
zone type = 1
shutdown = 0
paused = 0
update = 1
DS integrated = 0
read only zone = 0
data file = mazone.local.dns
using WINS = 0
using Nbstat = 0
aging = 1
refresh interval = 96
no refresh = 72
scavenge available = <date/time: last restart date + refresh interval>
Zone Masters NULL IP Array.
Ptr = 00000000002FD150
MaxCount = 1
AddrCount = 1
Secondary => af=2, salen=16, [sub=0, flag=00000000] p=13568,
secure secs = 2
Command completed successfully.
It is not necessary to stop the DNS service to back up the DNS zone files. When the zones are not AD-integrated, a simple export of the zone with dnscmd can be used instead (the export file is written relative to the %SystemRoot%\System32\dns directory):
dnscmd myserver /zoneExport mazone.local backup\mazone.local.dns.bak
This way, the backup no longer restarts the DNS Server service, the zone is no longer protected from scavenging, and the scavenging cycle can finally do its job.
Published by Olivier DETILLEUX