Enabling DNS scavenging and DHCP dynamic updates: risks and steps?

People,

Can anyone here please share what the steps and the risks are when enabling this nice feature on both the DNS and DHCP servers?

Because on my AD-joined workstations there is a lot of confusion about pinging a DNS name (FQDN) and getting back an old or different AD computer name.

My concern with enabling DNS scavenging on all AD-integrated DNS servers and DHCP servers: does it impact the current server DNS entries that are still online or pingable?

I'm trying to avoid any outage or issue when enabling those two features on all of my DNS servers one by one for the entire AD domain.
Senior IT System Engineer asked:

max_the_king commented:
Hi,
you can do it, but you might have to cope with some counter-effects: it is usually advisable to do it for large environments, where wrong and obsolete DNS names may not allow access to resources.
Personally I try to avoid it: I did it a couple of years ago for a customer and it worked fine, although I had to take care of some errors caused by it.
I found the following link useful; you may want to read it:
http://www.sourceonetechnology.com/housekeeping-active-directory-dns-scavenging/

hope this helps
max
Senior IT System Engineer (author) commented:
Max, what would be the counter-effect?
Care to share, please...
max_the_king commented:
Hi,
basically, you might have two main issues:

1. you may end up with a few different workstations associated with the same IP address in DNS, which you will have to fix

2. a little mess between Kerberos and NTLM authentication when some system process searches for an IP and gets the wrong workstation name (resulting in a logon failure) from the DNS server.

It is nothing really serious, but you need to reserve time to fix it after implementation, and you need to be available at the customer's place for a few days, in case some users have problems.

this is from my experience; hopefully it will all go straight for you though

max


Luis Moura commented:
Hi, I use it in my environment, and never had a problem.
Senior IT System Engineer (author) commented:
OK, so do I just enable it straight away on both servers at the same time, or should I enable it one by one?
e.g. scavenging first or DHCP dynamic update first?
Luis Moura commented:
Personally I will do DNS first
max_the_king commented:
Hi,
you should tune the parameters as indicated here:
http://www.dell.com/support/article/it/it/itbsdt1/sln290564/windows-server--best-practices-for-implementing-dns-aging-and-scavenging?lang=en

in the end you'll eventually get the job done anyway ... just keep in mind that you'll get records pruned as DHCP registration updates.

max
Senior IT System Engineer (author) commented:
OK, I will make the DNS scavenging change first, in the first week, followed by the DHCP dynamic update.
Do I need to shorten the DHCP lease from 5 days to just 8 hrs in the next week?
max_the_king commented:
should be good
max
Luis Moura commented:
You can do both, or first DNS and then DHCP.
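The order the thread settles on (zone aging on the DNS side first, then the DHCP server's dynamic DNS update settings, with the aging window sized against the lease) can be applied from one script. The following is an added example written for this page, not a script from the thread, from Dell, or from Microsoft; it uses the standard DnsServer and DhcpServer PowerShell modules, and every zone, server, address and interval value is a placeholder you replace with your own. Run it with `-WhatIf` first to see what it would change without changing anything.

```powershell
# Added example (not from the thread): apply DNS aging/scavenging, then DHCP dynamic
# DNS update settings, in that order. All names, addresses and intervals are placeholders.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]       $ZoneName            = 'corp.example.com',  # placeholder zone
    [string]       $DnsServer           = 'dns01',             # placeholder DNS server / DC
    [string]       $DhcpServer          = 'dhcp01',            # placeholder DHCP server
    [ipaddress]    $ScavengingServer    = '10.0.0.10',         # placeholder: the single DC allowed to scavenge
    [timespan]     $LeaseDuration       = '8:00:00',           # the 8 h lease discussed above (assumed)
    [timespan]     $NoRefreshInterval   = '1.00:00:00',        # placeholder interval
    [timespan]     $RefreshInterval     = '1.00:00:00',        # placeholder interval
    [pscredential] $DnsUpdateCredential = $null                # optional dedicated account for DHCP registrations
)

Import-Module DnsServer, DhcpServer

# Guard: a dynamic record must not become eligible for deletion before its lease can
# expire, so the aging window (no-refresh + refresh) should cover at least one lease.
$window = $NoRefreshInterval + $RefreshInterval
if ($window -lt $LeaseDuration) {
    throw "Aging window $window is shorter than the DHCP lease $LeaseDuration; widen the intervals or shorten the lease."
}

# Step 1 (DNS): enable aging on the zone and restrict scavenging to one server, so
# only one DC ever deletes records and its DNS event log is the single place to look.
Set-DnsServerZoneAging -Name $ZoneName -ComputerName $DnsServer -Aging $true `
    -NoRefreshInterval $NoRefreshInterval -RefreshInterval $RefreshInterval `
    -ScavengeServers $ScavengingServer

# Step 2 (DNS): switch on the periodic scavenging run on that one server.
# Running it once per refresh interval is an assumption, not a rule from the thread.
Set-DnsServerScavenging -ComputerName $ScavengingServer.IPAddressToString `
    -ScavengingState $true -ScavengingInterval $RefreshInterval

# Step 3 (DHCP): let the DHCP server register and update A/PTR records for its clients,
# remove them when the lease expires, and enable Name Protection so one client cannot
# overwrite a record that another machine already registered under that name.
Set-DhcpServerv4DnsSetting -ComputerName $DhcpServer `
    -DynamicUpdates Always -DeleteDnsRROnLeaseExpiry $true -NameProtection $true

# Step 4 (DHCP, optional): register with a dedicated low-privilege account instead of
# the DHCP server's own computer account, so the records it creates are owned by that
# account and remain updatable if the DHCP role moves to another host.
if ($DnsUpdateCredential) {
    Set-DhcpServerDnsCredential -ComputerName $DhcpServer -Credential $DnsUpdateCredential
}

# Show the resulting state on both sides.
Get-DnsServerZoneAging -Name $ZoneName -ComputerName $DnsServer
Get-DhcpServerv4DnsSetting -ComputerName $DhcpServer
```

Because the script declares `SupportsShouldProcess`, passing `-WhatIf` flows through to every `Set-*` cmdlet it calls. Limiting `-ScavengeServers` to one DC is the conservative choice: the zone's aging data replicates to all AD-integrated DNS servers anyway, but only the listed server will run the deletion pass.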
Senior IT System Engineer (author) commented:
OK, regarding DNS scavenging, does it only delete the name (A record) and CNAME record that is no longer pingable from the DNS server?
Or will it delete the DNS record with a conflicting IP address as well?
footech commented:
If you haven't already, you should really read this link (multiple times) to understand scavenging.
https://blogs.technet.microsoft.com/networking/2008/03/19/dont-be-afraid-of-dns-scavenging-just-be-patient/

Once you get to DHCP settings (also covers scavenging), I recommend this link:
https://blogs.msmvps.com/acefekay/2009/08/20/dhcp-dynamic-dns-updates-scavenging-static-entries-amp-timestamps-and-the-dnsproxyupdate-group/

You would have to clarify what exactly you mean by "DHCP dynamic update".  DHCP is always dynamic (it's part of the name).  If you're meaning dynamic DNS updates, you also need to be clear on what you're asking - it's a big topic!
For a DNS zone with AD clients, I would always recommend setting the zone to use only secure dynamic updates, and enabling scavenging (with the proper precautions that you'll see mentioned in the links).  Pretty much any time you have DHCP clients where they will get different IPs, you will end up with stale (incorrect) records - that's where scavenging comes in, to help clean those out.

But if you're looking for perfection (i.e. DNS always has the correct record for all clients, all the time), particularly if you have laptops that switch between wireless and wired connections, you're in for some disappointment.
Senior IT System Engineer (author) commented:
OK, can enabling DNS scavenging cause an existing DNS entry that is used by a server to be deleted?
footech commented:
It's hard to know exactly how to respond to your question.  You know scavenging deletes records, right?  So of course they have to exist, but the part about "that is used by a server" is a bit vague.

Scavenging only affects records with timestamps that haven't been updated within the period that you specify.  If you need to understand what that means, then I'll suggest to go through the article I linked to again.
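The point footech makes (scavenging looks only at timestamps, never at whether a host answers) and the duplicate-IP effect max_the_king describes can both be checked before switching anything on. The script below is an added example written for this page, not code from the thread or from Microsoft; it assumes the DnsServer PowerShell module is available, and the zone and server names are placeholders. It lists the records the scavenger would currently delete, pings each stale A record to show that a reachable host is not protected, and reports IP addresses held by more than one dynamic hostname.

```powershell
# Added example (not from the thread): audit one zone before enabling scavenging.
# Requires the DnsServer module; zone and server names are placeholders.
param(
    [string]$ZoneName  = 'corp.example.com',   # placeholder zone
    [string]$DnsServer = 'dns01'               # placeholder DNS server
)

Import-Module DnsServer

# Aging settings of the zone. A dynamic record becomes eligible for deletion once
# its timestamp is older than NoRefreshInterval + RefreshInterval.
$aging  = Get-DnsServerZoneAging -Name $ZoneName -ComputerName $DnsServer
$window = $aging.NoRefreshInterval + $aging.RefreshInterval
$cutoff = (Get-Date) - $window
"Zone $ZoneName : aging enabled = $($aging.AgingEnabled), window = $window, cutoff = $cutoff"

function Get-RecordValue {
    # Pull the printable value out of the type-specific RecordData object.
    param($Record)
    switch ($Record.RecordType) {
        'A'     { $Record.RecordData.IPv4Address.IPAddressToString }
        'AAAA'  { $Record.RecordData.IPv6Address.IPAddressToString }
        'CNAME' { $Record.RecordData.HostNameAlias }
        default { '' }
    }
}

$records = Get-DnsServerResourceRecord -ZoneName $ZoneName -ComputerName $DnsServer |
    Where-Object { $_.RecordType -in 'A', 'AAAA', 'CNAME' }

# Static records carry no timestamp and are never scavenged, however old they are.
$static  = @($records | Where-Object { -not $_.Timestamp })
$dynamic = @($records | Where-Object { $_.Timestamp })
$stale   = @($dynamic | Where-Object { $_.Timestamp -lt $cutoff })

"Static (never scavenged): $($static.Count)"
"Dynamic: $($dynamic.Count), stale and eligible for deletion: $($stale.Count)"

# Ping each stale A record. A host that answers but whose record was never refreshed
# is still deleted by scavenging; such records belong to servers with fixed addresses
# and should be made static (or the host made to re-register) before scavenging runs.
foreach ($r in $stale) {
    $value = Get-RecordValue $r
    $alive = if ($r.RecordType -eq 'A') {
        Test-Connection -ComputerName $value -Count 1 -Quiet
    } else { 'n/a' }
    "{0,-30} {1,-6} {2,-40} timestamp={3:yyyy-MM-dd HH:mm} pings={4}" -f `
        $r.HostName, $r.RecordType, $value, $r.Timestamp, $alive
}

# Duplicate check: several dynamic hostnames holding the same IPv4 address. These are
# the entries that send a lookup to the wrong machine; the newest timestamp is usually
# the current owner and the older names are the candidates for removal.
$dynamic | Where-Object { $_.RecordType -eq 'A' } |
    Group-Object { $_.RecordData.IPv4Address.IPAddressToString } |
    Where-Object { $_.Count -gt 1 } |
    ForEach-Object {
        $names = ($_.Group | Sort-Object Timestamp -Descending |
                  ForEach-Object { '{0} ({1:yyyy-MM-dd})' -f $_.HostName, $_.Timestamp }) -join ', '
        "IP $($_.Name) is held by: $names"
    }
```

Run it against each zone you intend to age, and treat any stale record that still pings as the list of hosts to fix first: those are exactly the "entries still online or pingable" from the original question, and scavenging will remove them regardless of reachability.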
Luis Moura commented:
Everyone helps