Small Business Susan

About those stale records…

http://msmvps.com/blogs/bradley/archive/2007/12/28/disabling-dns-dynamic-updates.aspx


(and make sure you read Evan’s comment on that post — http://msmvps.com/blogs/bradley/archive/2007/12/28/disabling-dns-dynamic-updates.aspx#1425781)


A follow-up to this: we were questioning whether we needed to set this box in DHCP, but that setting is only needed for Windows 9x-era workstations.




Then we were checking in DNS whether we needed to set any of these boxes to clear out the stale entries.



http://support.microsoft.com/kb/816592


SBS uses secure dynamic updates:


By default, dynamic update security for Windows Server 2003 DNS servers and clients is handled in the following manner:

Windows Server 2003-based DNS clients try to use nonsecure dynamic updates first. If the nonsecure update is refused, clients try to use a secure update.

Also, clients use a default update policy that lets them try to overwrite a previously registered resource record, unless they are specifically blocked by update security.
By default, after a zone becomes Active Directory-integrated, Windows Server 2003-based DNS servers enable only secure dynamic updates.
By default, when you use standard zone storage, the DNS Server service does not enable dynamic updates on its zones. For zones that are either directory-integrated or use standard file-based storage, you can change the zone to enable all dynamic updates. This enables all updates to be accepted by bypassing the use of secure updates.



So I think the real issue is that as we retire or repurpose old workstations, we’re not removing them from Active Directory as we should.


In Server Management, when you need to remove an old system, right-click it and click Remove Computer from Network. It is this action that removes the system from AD as it should, and also removes it from WSUS appropriately.



http://technet2.microsoft.com/windowsserver/en/library/92d228d2-4fe2-40b9-88a7-2a5a2bee85081033.mspx?mfr=true


If you read that, you can see that enabling the scavenging settings can have its issues:


By default, the aging and scavenging mechanism for the DNS Server service is disabled. It should only be enabled when all parameters are fully understood. Otherwise, the server could be accidentally configured to delete records that should not be deleted. If a record is accidentally deleted, not only will users fail to resolve queries for that record, but any user can create the record and take ownership of it, even on zones configured for secure dynamic update.





What is probably a better recommendation is to periodically right-click the server in the DNS console and click Scavenge Stale Resource Records, especially when you are adding a new computer in an existing position (like repurposing a workstation).



For best results, remove the old workstation with the Remove Computer wizard.


When repurposing a workstation, flip/drop it back to workstation mode and then rerun /connectcomputer if you plan to use connectcomputer to reattach it.



Could you set DNS to scavenge automatically? Brian Desmond says that on our networks, setting that probably won’t cause issues. But you have to set it in two places: on a per-zone basis and on the DNS server. I think part of our problem is that we’re not removing the computers properly, and that’s what’s getting us into trouble. I know when I was reminded of that ‘Remove Computer from Network’ wizard I went… “uh… what remove computer wizard?”
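To make the “two places” point concrete, here is a small model of how Windows DNS aging and scavenging decides which records are candidates for deletion, written as an added example for this post (it is not code from the post, from Microsoft, or from the SBS tooling). It applies the documented rule: a dynamic record only becomes a candidate once both the zone’s no-refresh and refresh intervals have elapsed since its timestamp, and nothing is scavenged at all unless aging is enabled on the zone and a scavenging period is set on the server. The record names, timestamps and the list of computer accounts are constructed sample data; the cross-check against computer accounts is an added safety step, not a DNS feature, and is there because the KB article above warns that an accidentally deleted record can be re-created and owned by anyone.

```python
"""Model of Windows DNS aging/scavenging (added example, constructed data)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass
class ZoneAging:
    """Per-zone aging settings (DNS console: zone Properties > Aging)."""
    aging_enabled: bool
    no_refresh: timedelta = timedelta(days=7)  # Windows default
    refresh: timedelta = timedelta(days=7)     # Windows default


@dataclass
class ServerScavenging:
    """Server-wide setting (DNS console: server Properties > Advanced)."""
    scavenging_period: Optional[timedelta]  # None = scavenging off on the server


@dataclass
class Record:
    name: str
    ip: str
    timestamp: Optional[datetime]  # None = static record, never aged/scavenged


def scavenge_candidates(records: List[Record], zone: ZoneAging,
                        server: ServerScavenging, now: datetime,
                        ad_computers: List[str]) -> Tuple[List[str], List[str]]:
    """Return (deletable, needs_review) record names.

    deletable   : stale records whose host has no computer account any more
    needs_review: stale records whose host still has a computer account, so
                  deleting the record would let anyone re-register that name
    Both lists are empty unless BOTH the zone and the server are configured,
    which is the 'set it in two places' rule.
    """
    deletable, needs_review = [], []
    if server.scavenging_period is None or not zone.aging_enabled:
        return deletable, needs_review
    cutoff = zone.no_refresh + zone.refresh
    known = {c.lower() for c in ad_computers}
    for rec in records:
        if rec.timestamp is None:          # static record: never a candidate
            continue
        if now - rec.timestamp < cutoff:   # still inside no-refresh + refresh
            continue
        (needs_review if rec.name.lower() in known else deletable).append(rec.name)
    return deletable, needs_review


# --- constructed sample data (hypothetical names and dates) -----------------
NOW = datetime(2007, 12, 30)
SAMPLE_RECORDS = [
    Record("ws-old", "192.168.16.50", datetime(2007, 11, 1)),    # retired, never removed
    Record("ws-laptop", "192.168.16.51", datetime(2007, 12, 1)),  # still in AD, away a while
    Record("ws-new", "192.168.16.52", datetime(2007, 12, 28)),   # recently registered
    Record("sbs", "192.168.16.2", None),                         # static server record
]
AD_COMPUTERS = ["SBS", "WS-LAPTOP", "WS-NEW"]  # ws-old was never removed from DNS, but is gone from AD


if __name__ == "__main__":
    for label, zone, server in [
        ("server scavenging off", ZoneAging(True), ServerScavenging(None)),
        ("zone aging off", ZoneAging(False), ServerScavenging(timedelta(days=7))),
        ("both configured", ZoneAging(True), ServerScavenging(timedelta(days=7))),
    ]:
        dele, rev = scavenge_candidates(SAMPLE_RECORDS, zone, server, NOW, AD_COMPUTERS)
        print(f"{label:22s} deletable={dele} needs_review={rev}")
```

Running it shows that with only one of the two settings in place nothing is ever scavenged, and that once both are set the retired workstation is the only clean deletion; the laptop record is old enough to be scavenged but its computer account still exists, which is exactly the case where a manual Scavenge Stale Resource Records after a proper Remove Computer from Network is safer than blind automatic scavenging.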


So, bottom line: that setting in DHCP doesn’t do what we think it does, and we’re better off clicking Scavenge Stale Resource Records every now and then.



1 comment so far

Chris Knight on 12.30.07 at 6:51 am

    Another way of resolving this is to use DHCP reservations for all DHCP clients.

    It’s also a pity that the Windows DHCP client isn’t “sticky”, in that it doesn’t try obtaining the same IP after a restart, unlike Unix/Linux.