Sep 12, 2011

Danger of Scavenging Stale Resource Records In _msdcs Zone?


I just realized that a previous admin turned DNS scavenging on for all zones on one of the DCs, including the _msdcs zone. It’s been this way for a while and things are fine, but I can’t imagine that this is best practice.

Is there any danger to scavenging the _msdcs zone?
Should I make it so that zone is not scavenged?
Could scavenging have broken anything in that zone that I’m unaware of at this time?


OK, so, a quick rundown:

  1. _msdcs is essentially where all those AD-critical SRV records are kept.
  2. All your servers which need SRV records should be registering and refreshing them via dynamic DNS. You’re (hopefully) not building your SRV records by hand.
  3. The netlogon service performs DDNS refresh, with, according to this, a default refresh frequency of 1 hour. But according to this, it refreshes every 24 hours – it’s what I observe in the timestamps of my own SRV records as well.
  4. The default scavenging interval is 7 days. Scavenging removes any record whose timestamp is older than (todaysdate – scavengeinterval); those records would remain until deleted (either manually or by some other process like a DC demotion) if there were no scavenging.

So, keeping all this in mind, you should be fine with scavenging, as long as you are not scavenging more often than your records can refresh themselves. You can verify that your records really are refreshing themselves by taking a short look through the timestamps in whatever zone you are considering scavenging.

IMHO, scavenging is a good idea on all zones where DDNS registration is the norm, and yes this includes the _msdcs zone. If a DC stops refreshing its DNS records, scavenging will automatically remove those records and that’s a good thing – you wouldn’t want people resolving to broken DCs.

I consider the article “Don’t be afraid of DNS Scavenging. Just be patient.” to be the canonical best practice for Windows DNS scavenging.
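
The timestamp check suggested in the answer above, as an added example that is not part of the original post: it sorts records into static, fresh, inside the refresh window, and stale (eligible for scavenging). `Get-ScavengeRisk` is a hypothetical helper, the sample records and the 7-day intervals are constructed, and `_msdcs.example.com` and `dc01` are placeholders.

```powershell
# Added example. Get-ScavengeRisk is a hypothetical helper, not a built-in cmdlet.
function Get-ScavengeRisk {
    param(
        [Parameter(Mandatory)] [object[]] $Record,    # needs HostName, RecordType, Timestamp
        [Parameter(Mandatory)] [timespan] $NoRefresh, # zone no-refresh interval
        [Parameter(Mandatory)] [timespan] $Refresh,   # zone refresh interval
        [datetime] $Now = (Get-Date)
    )
    $staleAfter = $NoRefresh + $Refresh
    foreach ($r in $Record) {
        $age = $null
        if ($null -eq $r.Timestamp) {
            $state = 'Static'                # no timestamp: never scavenged
        } else {
            $age = $Now - $r.Timestamp
            if ($age -gt $staleAfter)    { $state = 'Stale' }            # eligible for scavenging
            elseif ($age -gt $NoRefresh) { $state = 'InRefreshWindow' }  # next refresh should reset it
            else                         { $state = 'Fresh' }
        }
        [pscustomobject]@{
            HostName   = $r.HostName
            RecordType = $r.RecordType
            AgeDays    = if ($null -ne $age) { [math]::Round($age.TotalDays, 1) } else { $null }
            State      = $state
        }
    }
}

# Constructed sample records so the function runs without a DNS server.
$now = Get-Date
$sample = @(
    [pscustomobject]@{ HostName = '_ldap._tcp.dc';     RecordType = 'SRV'; Timestamp = $now.AddHours(-20) }
    [pscustomobject]@{ HostName = '_kerberos._tcp.dc'; RecordType = 'SRV'; Timestamp = $now.AddDays(-9) }
    [pscustomobject]@{ HostName = '_ldap._tcp.gc';     RecordType = 'SRV'; Timestamp = $now.AddDays(-16) }
    [pscustomobject]@{ HostName = 'gc';                RecordType = 'A';   Timestamp = $null }
)
Get-ScavengeRisk -Record $sample -NoRefresh (New-TimeSpan -Days 7) -Refresh (New-TimeSpan -Days 7) -Now $now |
    Format-Table -AutoSize

# Against a live zone (DnsServer module; zone and server names are placeholders):
# $aging   = Get-DnsServerZoneAging -Name '_msdcs.example.com' -ComputerName 'dc01'
# $records = Get-DnsServerResourceRecord -ZoneName '_msdcs.example.com' -ComputerName 'dc01'
# Get-ScavengeRisk -Record $records -NoRefresh $aging.NoRefreshInterval -Refresh $aging.RefreshInterval
```

A `Stale` SRV record that belongs to a domain controller still in service means that DC is not refreshing its registration, which is worth investigating before the next scavenging pass removes the record.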
