I just realized that a previous admin turned DNS scavenging on for all zones on one of the DCs, including the _msdcs zone. It’s been this way for a while and things are fine, but I can’t imagine that this is best practice.
Is there any danger to scavenging the _msdcs zone?
Should I make it so that zone is not scavenged?
Could scavenging have broken anything in that zone that I’m unaware of at this time?
OK, so, a quick rundown:
- _msdcs is essentially where all those AD-critical SRV records are kept.
- All your servers which need SRV records should be registering and refreshing them via dynamic DNS. You’re (hopefully) not building your SRV records by hand.
- The netlogon service performs the DDNS refresh, with, according to this, a default refresh frequency of 1 hour. But according to this, it refreshes every 24 hours – it’s what I observe in the timestamps of my own SRV records as well.
- Also keep in mind that DDNS updates have a dependency on the DHCP Client service, so don’t disable the DHCP Client service even if your servers are statically addressed.
- The default scavenging interval is 7 days. Scavenging removes any record whose timestamp is older than (todaysdate – scavengeinterval); those records would remain until deleted (either manually or by some other process like a DC demotion) if there were no scavenging.
So, keeping all this in mind, you should be fine with scavenging, as long as you are not scavenging more often than your records can refresh themselves. You can verify that your records really are refreshing themselves by taking a short look through the timestamps in whatever zone you are considering scavenging.
IMHO, scavenging is a good idea on all zones where DDNS registration is the norm, and yes this includes the _msdcs zone. If a DC stops refreshing its DNS records, scavenging will automatically remove those records and that’s a good thing – you wouldn’t want people resolving to broken DCs.
I consider the article “Don’t be afraid of DNS Scavenging. Just be patient.” to be the canonical best practice for Windows DNS scavenging.
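The timestamp check the answer recommends, as an added PowerShell example that is not part of the original answer: it compares every record in the _msdcs zone against the zone’s no-refresh + refresh window and flags the ones that scavenging would remove on its next pass. The DC name and zone name are assumed placeholders; it uses the DnsServer RSAT module.

```powershell
# Added example (not from the original answer): audit dynamic records in an
# _msdcs zone for stale timestamps before trusting scavenging on that zone.
# Assumes the DnsServer module is installed and that 'dc01' / '_msdcs.corp.example'
# are replaced with your own DC and zone names (both are placeholders).
param(
    [string]$DnsServer = 'dc01',
    [string]$Zone      = '_msdcs.corp.example'
)

Import-Module DnsServer

# Zone-level aging settings: a record must be refreshed within
# NoRefreshInterval + RefreshInterval or it becomes eligible for scavenging.
$aging  = Get-DnsServerZoneAging -ComputerName $DnsServer -Name $Zone
$window = $aging.NoRefreshInterval + $aging.RefreshInterval
$cutoff = (Get-Date) - $window

"Zone {0}: aging enabled = {1}, no-refresh = {2}, refresh = {3}" -f `
    $Zone, $aging.AgingEnabled, $aging.NoRefreshInterval, $aging.RefreshInterval

# Server-wide setting: how often the scavenging pass actually runs.
$srv = Get-DnsServerScavenging -ComputerName $DnsServer
"Server scavenging period = {0}, last run = {1}" -f $srv.ScavengingInterval, $srv.LastScavengeTime

# Static records have no timestamp and are never scavenged; SOA/NS are skipped.
$records = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $Zone

$report = foreach ($r in $records) {
    if ($r.RecordType -in 'SOA', 'NS') { continue }
    $state = if (-not $r.Timestamp)           { 'static' }
             elseif ($r.Timestamp -lt $cutoff) { 'ELIGIBLE FOR SCAVENGING' }
             else                              { 'fresh' }
    [pscustomobject]@{
        Name      = $r.HostName
        Type      = $r.RecordType
        Timestamp = $r.Timestamp
        State     = $state
    }
}

# Anything flagged ELIGIBLE belongs to a DC that is no longer refreshing it
# (or a DC that is gone): investigate before the next scavenging pass removes it.
$report | Sort-Object State, Timestamp | Format-Table -AutoSize
$report | Where-Object State -eq 'ELIGIBLE FOR SCAVENGING'
```

A healthy zone shows SRV timestamps no older than the refresh period the answer describes; records marked fresh are exactly the ones scavenging will leave alone.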
- Danger of Scavenging State Resource Records In _msdcs Zone?