DNS Scavenging not working properly

I have used Scavenging in several environments before. I know about the
common gotchas (Needs to be set on server AND zone, takes longer than you
think) but I am still coming up short. Worse part, there are three of us
scratching our heads over this.

The zones are all AD-Integrated. The times are all set for 1 hour. We have
isolated one DC in our lab (two actually, one parent.net one
child.parent.net) and grabbed all the FSMO roles just in case the problem is
somehow related to the AD part.

DNS is logging Event 2502 every hour. Each zone is way past the "safety
valve" time. I cannot get a 2501 to show on any zone. This has been tried on
the three zones in the child domain and two zones in the parent. No records
are being scavenged.

Where should I be looking?
--
Pete Jones

"Pete Jones" <> wrote in message news:629BA8D2-DF24-4F68-9704-...
>I have used Scavenging in several environments before. I know about the
> common gotchas (Needs to be set on server AND zone, takes longer than you
> think) but I am still coming up short. Worse part, there are three of us
> scratching our heads over this.
>
> The zones are all AD-Integrated. The times are all set for 1 hour. We have
> isolated one DC in our lab (two actually, one parent.net one
> child.parent.net) and grabbed all the FSMO roles just in case the problem is
> somehow related to the AD part.
>
> DNS is logging Event 2502 every hour. Each zone is way past the "safety
> valve" time. I cannot get a 2501 to show on any zone. This has been tried on
> the three zones in the child domain and two zones in the parent. No records
> are being scavenged.
>
> Where should I be looking?
> --
> Pete Jones
>


That depends on how soon you are were clicking on Scavenge Now. Check this link out:
http://eventid.net/display.asp?event...ce=DNS&phase=1


Also, there's more to it, too, especially if using DHCP and possibly seeing dupe workstation/laptop records. I have a blog on scavenging that explains this and more. I hope you find it helpful.

DHCP, Dynamic DNS Updates, Scavenging, static entries & timestamps, and the DnsProxyUpdate Group (How to remove duplicate DNS host records)
http://msmvps.com/blogs/acefekay/arc...te-group..aspx

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among responding engineers, and to help others benefit from your resolution.

Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services

If you feel this is an urgent issue and require immediate assistance, please contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.

The time is not an issue. This is squirly behaviour.

On Friday before I left, I created 4 new zones. 2 on the parent.net and 2 on
the child.parent.net All zones were Aging and Scavenging set, 1 hour times.
The servers were set to scavenging on, 1 hour time.

pritest.local
aditest.local

pritest.child.local
aditest.child.local

Each had two A records added. The records were called "scav" and "noscav".
Scav had the timestamp set to 26/3 11:00 for all four zones.

This morning 10:32am 29/3, I checked both servers. Only one zone is missing
the Scav record. Pritest.local scavenged the record, 26/3 at 15:51. Two
previous 2501 events did not remove the record.

The two parent zones are now showing the "The zone can be scavenged after"
times as 29/3 11:00. The two child zones show 26/3 12:00 (aditest.child.net)
and 1/1/1601 00:00 (pritest.child.net)
--
Pete Jones



"Ace Fekay [MVP-DS, MCT]" wrote:

> "Pete Jones" <> wrote in message news:629BA8D2-DF24-4F68-9704-...
> >I have used Scavenging in several environments before. I know about the
> > common gotchas (Needs to be set on server AND zone, takes longer than you
> > think) but I am still coming up short. Worse part, there are three of us
> > scratching our heads over this.
> >
> > The zones are all AD-Integrated. The times are all set for 1 hour. We have
> > isolated one DC in our lab (two actually, one parent.net one
> > child.parent.net) and grabbed all the FSMO roles just in case the problem is
> > somehow related to the AD part.
> >
> > DNS is logging Event 2502 every hour. Each zone is way past the "safety
> > valve" time. I cannot get a 2501 to show on any zone. This has been tried on
> > the three zones in the child domain and two zones in the parent. No records
> > are being scavenged.
> >
> > Where should I be looking?
> > --
> > Pete Jones
> >
>
>
> That depends on how soon you are were clicking on Scavenge Now. Check this link out:
> http://eventid.net/display.asp?event...ce=DNS&phase=1
>
>
> Also, there's more to it, too, especially if using DHCP and possibly seeing dupe workstation/laptop records. I have a blog on scavenging that explains this and more. I hope you find it helpful.
>
> DHCP, Dynamic DNS Updates, Scavenging, static entries & timestamps, and the DnsProxyUpdate Group (How to remove duplicate DNS host records)
> http://msmvps.com/blogs/acefekay/arc...te-group..aspx
>
> --
> Ace
>
> This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.
>
> Please reply back to the newsgroup or forum for collaboration benefit among responding engineers, and to help others benefit from your resolution.
>
> Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
> Microsoft Certified Trainer
> Microsoft MVP - Directory Services
>
> If you feel this is an urgent issue and require immediate assistance, please contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.
> .
>

"Pete Jones" <> wrote in message news:FF8E9016-55E2-4611-BC0A-...
> The time is not an issue. This is squirly behaviour.
>
> On Friday before I left, I created 4 new zones. 2 on the parent.net and 2 on
> the child.parent.net All zones were Aging and Scavenging set, 1 hour times.
> The servers were set to scavenging on, 1 hour time.
>
> pritest.local
> aditest.local
>
> pritest.child.local
> aditest.child.local
>
> Each had two A records added. The records were called "scav" and "noscav".
> Scav had the timestamp set to 26/3 11:00 for all four zones.
>
> This morning 10:32am 29/3, I checked both servers. Only one zone is missing
> the Scav record. Pritest.local scavenged the record, 26/3 at 15:51. Two
> previous 2501 events did not remove the record.
>
> The two parent zones are now showing the "The zone can be scavenged after"
> times as 29/3 11:00. The two child zones show 26/3 12:00 (aditest.child.net)
> and 1/1/1601 00:00 (pritest.child.net)
> --
> Pete Jones
>

I believe you are skewing 'child' and 'parent' definitions in relation to the zones. If pritest.local, in your example, is the parent domain, then 'child.pritest.local' would be the child, not what you posted. Otherwise they are separate namespaces. Even with a child-parent, if there is no delegation, they are separate namespaces. If you set scavenging at the parent level in your example, it won't work at the child level, based on how you posted it and would be set separately at the other namespaces.

Nonetheless, scavenging is not an exact science or process. After you get past the initial hurdle of instantiating it, it will eventually work fine.

Ace

You misunderstand. The child/parent names are simply to differentiate between
the test zones on the servers.

pritest.child.local is the name of the test zone on the child server. It has
no relation to any of the other zones. It could be named broken.dns.test and
come out with the same results.

The AD namespaces are parent.net and child.parent.net
One DC exists for each. RDC is for parent.net ADC is for child.parent.net

New zones were created to test the problem.

pritest.local is a non-AD-integrated zone on RDC
aditest.local is an AD-I zone on RDC

pritest.child.local is a non-AD-integrated zone on ADC
aditest.child.local is an AD-I zone on ADC

The dns namespaces are not linked, and they are not meant to be. They are
test zones only.

2 servers, with two zones each. Only one server successfully scavenges, and
only on one zone.

This is broken behaviour, and I can't see why. I thought that if it was an
AD problem, then the AD-I zones would both fail to scavenge, but both pritest
zones would work.

Only one zone being scavenged makes it a bigger mystery as to what is going
on.
--
Pete Jones



"Ace Fekay [MVP-DS, MCT]" wrote:

> "Pete Jones" <> wrote in message news:FF8E9016-55E2-4611-BC0A-...
> > The time is not an issue. This is squirly behaviour.
> >
> > On Friday before I left, I created 4 new zones. 2 on the parent.net and 2 on
> > the child.parent.net All zones were Aging and Scavenging set, 1 hour times.
> > The servers were set to scavenging on, 1 hour time.
> >
> > pritest.local
> > aditest.local
> >
> > pritest.child.local
> > aditest.child.local
> >
> > Each had two A records added. The records were called "scav" and "noscav".
> > Scav had the timestamp set to 26/3 11:00 for all four zones.
> >
> > This morning 10:32am 29/3, I checked both servers. Only one zone is missing
> > the Scav record. Pritest.local scavenged the record, 26/3 at 15:51. Two
> > previous 2501 events did not remove the record.
> >
> > The two parent zones are now showing the "The zone can be scavenged after"
> > times as 29/3 11:00. The two child zones show 26/3 12:00 (aditest.child.net)
> > and 1/1/1601 00:00 (pritest.child.net)
> > --
> > Pete Jones
> >
>
> I believe you are skewing 'child' and 'parent' definitions in relation to the zones. If pritest.local, in your example, is the parent domain, then 'child.pritest.local' would be the child, not what you posted. Otherwise they are separate namespaces. Even with a child-parent, if there is no delegation, they are separate namespaces. If you set scavenging at the parent level in your example, it won't work at the child level, based on how you posted it and would be set separately at the other namespaces.
>
> Nonetheless, scavenging is not an exact science or process. After you get past the initial hurdle of instantiating it, it will eventually work fine.
>
> Ace
> .
>

"Pete Jones" <> wrote in message news:140644FB-3F2C-4C55-B246-...
> You misunderstand. The child/parent names are simply to differentiate between
> the test zones on the servers.
>
> pritest.child.local is the name of the test zone on the child server. It has
> no relation to any of the other zones. It could be named broken.dns.test and
> come out with the same results.

I understood. I was commenting on the hierarchal names, and I did also say it doesn't matter whether you did it either way since they are still different namespaces (zones).

>
> The AD namespaces are parent.net and child.parent.net
> One DC exists for each. RDC is for parent.net ADC is for child.parent.net
>
> New zones were created to test the problem.
>
> pritest.local is a non-AD-integrated zone on RDC
> aditest.local is an AD-I zone on RDC
>
> pritest.child.local is a non-AD-integrated zone on ADC
> aditest.child.local is an AD-I zone on ADC
>
> The dns namespaces are not linked, and they are not meant to be. They are
> test zones only.

I understood that... Sometimes I just have to comment on the naming convention used by folks posting. Many times it's a typo, in error, or being obfiscated when trying to tech support an issue and they've transposed it. Hence my reply.


>
> 2 servers, with two zones each. Only one server successfully scavenges, and
> only on one zone.
>
> This is broken behaviour, and I can't see why. I thought that if it was an
> AD problem, then the AD-I zones would both fail to scavenge, but both pritest
> zones would work.
>
> Only one zone being scavenged makes it a bigger mystery as to what is going
> on.
> --
> Pete Jones

I can't tell what's going on. The best to my knowledge, if it was configured, it should just work. There is at least a week or two waiting period for it to fully kick in, too.

Ace