Monday, December 22, 2014

DNS Scavenging Simplified

I must admit that for years I was confused by and afraid of DNS Scavenging. Horror stories of others losing lots of records, plus my own ignorance, caused me to avoid it and disable it rather than learn how to configure it properly. After reading Microsoft's documentation and getting more confused, I stumbled across some comments someone made online that helped me begin to decipher DNS Scavenging. Here is what I have learned over the years that I wish someone had just spelled out clearly for me long ago.

1. DNS Scavenging is almost always necessary. Unless you are managing all your DNS records manually, you really do need scavenging enabled to prevent duplicate DNS records and stale records for decommissioned servers. Without scavenging, you are much more likely to end up with two records for the same name, and then you have a Round-Robin issue: half the time the resolution works and half the time it doesn't.

2. What the heck are the No-Refresh / Refresh intervals? In simple terms, the No-Refresh interval is the period after a record's timestamp is written during which the DNS server will not accept a refresh of that timestamp (a dynamic update that changes nothing but the timestamp). This exists to reduce DNS replication traffic. The Refresh interval is the period that follows, during which the record's timestamp can be refreshed again; a record whose timestamp is not refreshed before both intervals have elapsed becomes eligible to be scavenged. I've seen many places where they set the No-Refresh interval to 7 days and the Refresh interval to 1 day. Unfortunately this drastically increases the likelihood of losing records, because a record then has only a one-day window in which a refresh will be accepted.

3. Should I leave the No-Refresh / Refresh intervals at the default? Usually no. Microsoft recommends setting the No-Refresh and Refresh intervals to match the length of the DHCP lease. This is to prevent two names pointing to the same IP address and causing reverse DNS lookup issues. What I find humorous is that the default for the No-Refresh and Refresh intervals is 7 days each, but the default DHCP lease is 8 days. That means that out of the box, if you enable DNS Scavenging you are likely to run into issues.

4. Where do I enable DNS Scavenging? There are really two places where it needs to be enabled, and this is where most of the "scavenging isn't running at all" problems come from. First, you need to pick one DNS Server in your environment to be the server that does the scavenging. There is no benefit to enabling it on multiple servers unless they host different zones. Having it enabled on multiple servers for the same zone can cause many issues when the scavenging runs at the same time. Right-click the DNS Server, then select Properties. On the Advanced tab, check the box to Enable automatic scavenging of stale records. The Scavenging Period is how often you want the scavenging to run. The default is 7 days, but I prefer to have it run every day.


After you enable it on a single DNS server, you then need to enable it for the zone. Right-click the zone, then select Properties. On the General tab, click Aging. Check the box to enable scavenging of stale records and set your intervals. If your DHCP lease is 8 days, I prefer to set the No-refresh interval to 1 day and the Refresh interval to 7 days.



5. Is there anything I should do prior to enabling scavenging? YES!!!

  • I recommend exporting a list of all your DNS records, in case you need to add back any static entries after scavenging runs. You can do this by clicking on the DNS Zone and waiting for all the records to enumerate. Then right-click the DNS Zone and select Export List.
  • Check the records for all your servers: if they are not static entries, look at their timestamps. This will tell you whether dynamic updates are actually happening for your important records.
  • If you want to be extra careful, you can prevent a record from getting scavenged by selecting View, Advanced in the DNS Manager, then double-clicking on your DNS entry. You will now see a box that says Delete this record when it becomes stale. To prevent a record from being scavenged, simply uncheck this box. Prior to implementing DNS Scavenging, I highly recommend doing this to every server, just as a safety net to make sure nothing critical is scavenged by accident.
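Steps 4 and 5 as one PowerShell script, added here as an example (it is not from the original post). It assumes the DnsServer module is available, and the zone name, the scavenging server name and its IP address are placeholders to replace; the 1-day / 7-day intervals are the values recommended above for an 8-day DHCP lease.

```powershell
# Added example, not from the original post. Assumes the DnsServer module.
# All of these values are placeholders; adjust them before running.
$ScavengeServer   = 'DNS01'          # the ONE server that will run scavenging
$ScavengeServerIp = '10.0.0.53'      # its IP, used to pin zone scavenging to it
$ZoneName         = 'contoso.com'
$NoRefresh        = New-TimeSpan -Days 1
$Refresh          = New-TimeSpan -Days 7   # 1 + 7 = 8 days = DHCP lease length
$BackupCsv        = "C:\Temp\$ZoneName-records-$(Get-Date -Format yyyyMMdd).csv"

# Step 5a: export every record in the zone BEFORE enabling anything.
$records = Get-DnsServerResourceRecord -ComputerName $ScavengeServer -ZoneName $ZoneName
$records |
    Select-Object HostName, RecordType, Timestamp, TimeToLive,
        @{ n = 'Data'; e = {
            switch ($_.RecordType) {
                'A'     { $_.RecordData.IPv4Address }
                'AAAA'  { $_.RecordData.IPv6Address }
                'CNAME' { $_.RecordData.HostNameAlias }
                'PTR'   { $_.RecordData.PtrDomainName }
                default { $_.RecordData }
            } } } |
    Export-Csv -Path $BackupCsv -NoTypeInformation

# Step 5b: preview what scavenging would remove. Static records have no Timestamp;
# a dynamic record is eligible once Timestamp + NoRefresh + Refresh is in the past.
$cutoff = (Get-Date) - ($NoRefresh + $Refresh)
$dynamic = @($records | Where-Object { $_.Timestamp })
$stale   = @($dynamic | Where-Object { $_.Timestamp -lt $cutoff })
"{0} records in {1}: {2} dynamic, {3} already past the aging window" -f `
    $records.Count, $ZoneName, $dynamic.Count, $stale.Count
$stale | Format-Table HostName, RecordType, Timestamp -AutoSize

# Step 4a: enable scavenging on the single chosen server, running daily,
# with the server-level intervals matching the zone intervals set below.
Set-DnsServerScavenging -ComputerName $ScavengeServer -ScavengingState $true `
    -ScavengingInterval (New-TimeSpan -Days 1) `
    -NoRefreshInterval $NoRefresh -RefreshInterval $Refresh

# Step 4b: enable aging on the zone, and restrict scavenging of this zone to that
# one server so a second DNS server cannot scavenge it at the same time.
Set-DnsServerZoneAging -ComputerName $ScavengeServer -Name $ZoneName -Aging $true `
    -NoRefreshInterval $NoRefresh -RefreshInterval $Refresh `
    -ScavengeServers $ScavengeServerIp

# Confirm the zone settings took effect.
Get-DnsServerZoneAging -ComputerName $ScavengeServer -Name $ZoneName
```

Review the stale-record preview against the exported CSV before letting the first scavenging run happen; anything listed there that is still in use should have its "Delete this record when it becomes stale" box unchecked first, as described above.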




This is not intended to be an exhaustive list of everything related to DNS Scavenging. My intent was just to demystify some of these settings for sysadmins so they can feel more comfortable enabling these features.
