I've been working on cleaning up our DNS/DHCP and I'm about ready to turn on scavenging (it's never been enabled) to start cleaning up some old records, but before I do, I wanted to check something.
Under DNS > Forward Lookup Zones I have a _msdcs.company.local
zone that is updating but I also have an _msdcs
folder under the company.local
zone and the records in this folder are not updating. I have scavenging set on the company.local zone and from the looks of things everything under that folder is going to get scavenged.
Should the _msdcs
folder under the company.local
zone be updating or is the _msdcs.company.local
zone good enough?
I don't have enough reputation to post images but perhaps the below diagram will help
-_msdcs.domain.local +dc +domains +gc +pdc -domain.local -_msdcs +dc +domains +gc -_sites -_tcp -_udp -_DomainDnsZone -_ForestDnsZone
Just want to make sure I don't scavenge records that are going to break DNS
The
_msdcs.company.local
zone is the one being used for lookups, since it's more specific - the copies in thecompany.local
zone are not being used to answer queries (which you can verify by making a change there and checking the response) and can be safely dumped.Assuming that your AD DNS infrastructure was implemented with Windows Server 2008 or Windows Server 2008 R2, and not a hold out from Windows Server 2000 or 2003, then the _msdcs.company.local sub-domain that you're referring to is a delegated zone. You shouldn't actually see anything in the sub-domain except for an NS record for the DC/DNS server that the zone has been delegated to. On each DC/DNS server this NS will be the server itself, as each DC/DNS server is authoritative for it's own copy of the AD integrated DNS zones. Can you post a screen shot of your zones?
Scavenging is not enabled by default on _msdcs. You may want to think about that before proceeding.
Before you enable scavenging on the domain zones, you need to ensure that scavenging is disabled on all DNS servers. When scavenging is disabled on the zone, the timestamps are not replicated. After re-enabling scavenging on the zone, you need to allow time for all machines to update their records and have their timestamps replicated. After two or three weeks, you should be able re-enable scavenging at the server level.
Computers that are configured to automatically register in DNS do so every 24 hours. Before re-enabling at the server level, you may want to export the list of records (so that you can properly sort by datetime) and spot check for records that are not updating but should be. One scenario where this can occur is if you require secure updates, but a computer may have been re-imaged at some point. In that case, the new computer account may not have permission to update the record.
The steps and sequence for setting up scavenging are described in this article:
http://blogs.technet.com/b/networking/archive/2008/03/19/don-t-be-afraid-of-dns-scavenging-just-be-patient.aspx