Tightening Active Directory-Integrated DNS zone aging

Active Directory-Integrated DNS zones face a particular problem when Windows clients authenticate to the network from a foreign network: dynamic registrations from those clients can collide with standing records, and the confusion shows up in reverse lookups. Consider the following scenario: a mobile user with a Windows-based client connects to your network over a VPN from a hotel, home network, airport, coffee shop, or other wireless hot spot. The address assigned by that public network may fall in the same IP range as your internal network. If the remote network assigns the client an IP address that matches a server record on your internal network, the client may register that foreign network address in your internal zone. If that address is already in use, the remote client may have difficulty reaching the resource, and the IP address ends up with multiple DNS registrations. Determining the root cause of such issues can be difficult due to the transient nature of the remote connection. Tightening the aging for the DNS zone helps reduce the risk of this situation.

By default, records are scavenged over a 7 day period. For the Active Directory-Integrated zone that contains the clients subject to this situation, changing the refresh and no-refresh intervals to a shorter timeframe can make some of these issues dissolve before they grow. To configure aging, right-click the Active Directory-Integrated zone, select Properties, click the Aging button, and configure the intervals in a way that works for your environment, similar to the figure shown below:

[Figure: Configure aging]

Once you tighten the aging interval, stale records drop out sooner, so new registrations are less likely to collide with leftover duplicates. If the computers that may connect remotely are contained in a separate Active Directory domain from the server resources, this configuration can be applied more granularly. When managing multiple Active Directory-Integrated zones, the same task can also be completed from the command line with the dnscmd command and its /ageallrecords option.
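The same tightening done from PowerShell with the DnsServer module, followed by a check for the symptom the article describes (one IPv4 address carrying several dynamic A records). This is an added example, not code from the article; the zone name is a placeholder and the 1-day intervals are an assumption to adapt to your environment.

```powershell
# Added example (not from the original article). Requires the DnsServer module
# (Windows DNS server or RSAT). Run on, or with -ComputerName against, a DNS server.
Import-Module DnsServer

$ZoneName = 'corp.example.com'   # placeholder: the AD-integrated zone that holds the mobile clients

# 1. Show the current zone aging settings (the defaults are 7-day no-refresh and 7-day refresh).
Get-DnsServerZoneAging -Name $ZoneName |
    Format-List ZoneName, AgingEnabled, NoRefreshInterval, RefreshInterval

# 2. Tighten aging on this zone only. A stale registration becomes eligible for
#    scavenging after NoRefresh + Refresh; here 1 day + 1 day (assumed values).
Set-DnsServerZoneAging -Name $ZoneName -Aging $true `
    -NoRefreshInterval (New-TimeSpan -Days 1) `
    -RefreshInterval   (New-TimeSpan -Days 1)

# 3. Zone aging only marks records as stale; the server itself must scavenge.
#    Enable server-wide scavenging so the tightened zone settings take effect.
Set-DnsServerScavenging -ScavengingState $true -ScavengingInterval (New-TimeSpan -Days 1)

# 4. Detection: list IPv4 addresses that currently have more than one dynamic A record.
#    Static records have no Timestamp and are excluded, since aging never touches them.
Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType A |
    Where-Object { $_.Timestamp } |
    Group-Object { $_.RecordData.IPv4Address.IPAddressToString } |
    Where-Object Count -gt 1 |
    ForEach-Object {
        [pscustomobject]@{
            IPv4Address = $_.Name
            Hosts       = ($_.Group.HostName -join ', ')
            OldestStamp = ($_.Group.Timestamp | Sort-Object | Select-Object -First 1)
        }
    } | Format-Table -AutoSize
```

Rows in the final table point at exactly the kind of collision the VPN scenario produces; the OldestStamp column shows how far a registration is from the scavenging threshold.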


Rick Vanover is a software strategy specialist for Veeam Software, based in Columbus, Ohio. Rick has years of IT experience and focuses on virtualization, Windows-based server administration, and system hardware.
