
DNS - Scavenging Queries with DHCP Leases - Servers with static DNS entries removed


Hi,

We are having some problems inside our 2008 R2 domain where production servers are losing their DNS entries and causing all sorts of grief for all IT Administrators.

Before I begin here's some info on our site:

1. Recently (September 2013) migrated from AD2003 to AD2008, all services appeared to work fine with no issues reported;

2. 4 Subnets defined - Servers/Workstations/WIFI/Printers (WIFI to us is defined as wireless handheld devices in our warehouse)

3. IP Class is 172.16.1.0/24 (Servers), 172.16.2.0/24 (Workstations), 172.16.3.0/24 (WIFI) & 172.16.4.0/24 (Printers)

4. DHCP is set with a superscope and all 4 subnets have their own scope underneath that. (All scopes except Workstations are set to have zero available IP addresses as we want all workstations to hit the workstation subnet. Any WIFI, Printer or Server devices have either static IP addresses or a DHCP reservation set.)

5. We have HP Switches across the building that have been correctly set with VLAN tagging for each subnet and one core switch that acts as the router with the gateway IP address for each subnet set to a switch port.

Now, all works fine from a network perspective, workstations talk to each other and servers properly and AD is authenticating as it should. Printers talk on their own VLAN and happily accept print requests from our various print servers, be it our Windows print server or ERP (JDE) print server. Our network works fine and where before we had performance issues, since our HP switches were configured correctly (by a 3rd party vendor) we've seen significant performance increases.

The main problem we have is that all of a sudden we are seeing DNS issues with probably the most important server in our network, the ERP SQL server. On Friday the DNS entry for the server had completely vanished and as a result everything ERP related crashed and burned spectacularly. This left us, the IT Team, with massive egg on our faces as we scrambled (no pun intended) to work out who/what/why/when/how.

I noticed on Friday that the server in question had a dynamic entry (it has a static IP address) so we changed that to a static entry and we also made sure to untick the "Delete this record when it becomes stale" in the advanced settings. What I have also found is that I believe that our Aging, Refresh/No Refresh, Scavenging and DHCP lease intervals are not set correctly and could very well be the root cause for our problems.

To begin, because we are always "red-lining" on our available IP addresses in the workstation scope we have our lease period set to 4 hours; this is because each laptop we have (we have more laptops than desktops) was connecting to both the LAN and the available guest WIFI hotspots we have. It's important to note that the WIFI for laptops sits in the Workstation Scope and NOT the WIFI scope; as previously explained our WIFI scope/subnet is purely for RF handheld devices in the warehouse and we don't want these mixed up.

So, with the DHCP lease set to 4 hours it means that we need to keep DNS up to date or we get Kerberos ticket errors when UNC'ing to client machines, and any server that relies on FQDN also gets smacked, particularly in our case our Kaspersky AV server that uses FQDN over IP address.

So it was decided that we'd need to enable scavenging and set aging periods appropriately, I did not configure these settings but what I have found is the following:

Automatic Scavenging is enabled on 1 DNS server, our "Primary" Domain Controller;

Scavenging Period is 1 Day;

In the Forward Lookup Zone, for our domain "DomainName.local", the "Scavenge Stale Records" is enabled (ticked) and the Refresh/No-Refresh interval is set to 8 hours for both;

For the zone "_msdcs.DomainName.local" the "Scavenge Stale Records" is enabled but the Refresh/No-Refresh interval is set to 4 hours for both.

In the Reverse Lookup Zone for each IP subnet they too are enabled for "Scavenge Stale Records" and the Refresh/No-Refresh interval is set to 4 hours for both in all sub zones under the main Reverse Lookup Zone.

I am of the belief that these settings are a complete mess and are the root cause for our DNS related issues but I need to be absolutely confident that this is the problem when I present this to my manager.

I have read that the Refresh/No-Refresh interval combined should equal or be close to the DHCP lease period, but because of my limited knowledge on DNS scavenging I just need some pointers on what the settings should be configured to for our network, keeping in mind that we have laptops coming and going every day and we need available IP addresses for when they connect to the network.

If you need me to provide screenshots I'm happy to do that, or if you need more information about our setup I'm happy to divulge.

Thank you for reading my gigantic post and I hope that a superhero is close by to save my day.

Thanks.
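An added audit script for the situation described in the post (example code, not part of the original post or any vendor tooling). It assumes the DnsServer and DhcpServer RSAT modules and an account that can read both servers; the server names are placeholders, the zone name and the 172.16.1.0/24 server subnet come from the post. It compares the zone's No-Refresh + Refresh window against the shortest active DHCP lease and against the default 24-hour re-registration interval of Windows hosts with static IP addresses, then lists A records in the server subnet that are still dynamic (timestamped) and therefore eligible for scavenging.

```powershell
# Example audit script, not from the original post. Assumes RSAT modules
# DnsServer and DhcpServer; $DnsServer/$DhcpServer are placeholder names.
Import-Module DnsServer, DhcpServer

$DnsServer  = 'DC01'              # placeholder: the "Primary" DC that scavenges
$DhcpServer = 'DC01'              # placeholder: the DHCP server
$ZoneName   = 'DomainName.local'  # forward zone named in the post
$ServerNet  = '172.16.1.'         # server subnet from the post

# Default interval at which a Windows host with a static IP re-registers
# its own A/PTR records (DNS client DefaultRegistrationRefreshInterval).
$StaticHostRefresh = New-TimeSpan -Hours 24

# 1. Shortest active DHCP lease (the post's workstation scope is 4 hours).
$scope = Get-DhcpServerv4Scope -ComputerName $DhcpServer |
         Where-Object State -eq 'Active' |
         Sort-Object LeaseDuration | Select-Object -First 1
$lease = $scope.LeaseDuration

# 2. Server-wide scavenging period and per-zone aging window.
$scav   = Get-DnsServerScavenging -ComputerName $DnsServer
$aging  = Get-DnsServerZoneAging  -ComputerName $DnsServer -Name $ZoneName
$window = $aging.NoRefreshInterval + $aging.RefreshInterval

# A record becomes eligible for deletion once it is older than the window.
# The window must cover the DHCP lease (clients re-register on renewal) AND
# the 24 h static-host refresh, or servers with static IPs will be scavenged.
[pscustomobject]@{
    Zone               = $ZoneName
    AgingEnabled       = $aging.AgingEnabled
    NoRefresh          = $aging.NoRefreshInterval
    Refresh            = $aging.RefreshInterval
    Window             = $window
    ScavengingPeriod   = $scav.ScavengingInterval
    ShortestLease      = $lease
    ShortestLeaseScope = $scope.ScopeId
    CoversDhcpLease    = ($window -ge $lease)
    CoversStaticHosts  = ($window -ge $StaticHostRefresh)
} | Format-List

# 3. Dynamic (timestamped) A records in the server subnet: these are the
#    entries that can vanish; static records have no timestamp and are exempt.
Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ZoneName -RRType A |
    Where-Object { $_.Timestamp -and
                   $_.RecordData.IPv4Address.IPAddressToString -like "$ServerNet*" } |
    Select-Object HostName, @{n='IP'; e={ $_.RecordData.IPv4Address }}, Timestamp |
    Sort-Object Timestamp
```

With the post's values (8 h + 8 h window, daily scavenging, 4 h lease) the script reports CoversDhcpLease as True but CoversStaticHosts as False, which is the condition under which a server that registered its own record dynamically can be deleted between its daily refreshes; the window can be adjusted with Set-DnsServerZoneAging once the right intervals have been agreed.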
