Enabling DNS Scavenging and DHCP Dynamic Updates: risks and steps?

Senior IT System Engineer
People,

Can anyone here please share what the steps and the risks are when enabling this nice feature on both DNS and DHCP servers?

Because on my AD-joined workstations there is so much confusion about pinging a DNS name (FQDN) and getting back an old or different AD computer name.

My concern in enabling DNS scavenging on all AD-integrated DNS servers and DHCP servers: does it impact the current server DNS entries that are still online or pingable?

I'm trying to avoid any outage or issue when enabling those two features in all of my DNS servers one by one for the entire AD domain.
Hi,
You can do it, but you might have to cope with some counter-effects: it is usually advisable to do it for large environments, where wrong and obsolete DNS names may not allow access to resources.
Personally I try to avoid it: I did it a couple of years ago for a customer and it worked fine, although I had to take care of some errors caused by that.
I found the following link useful, you may want to read it:
http://www.sourceonetechnology.com/housekeeping-active-directory-dns-scavenging/

Hope this helps
max

Author

Commented:
Max, what would be the counter-effect?
Care to share please...
Hi,
Basically, you might have two main issues:

1. you may end up with a few different workstations associated with the same IP address in DNS, which you will have to fix

2. a little mess between Kerberos and NTLM authentication when some system process searches for an IP and gets the wrong workstation name (resulting in a logon failure) from the DNS server.

It is nothing really serious, but you need to reserve time to fix it after implementation, and you need to be available at the customer's place for a few days, in case some users have problems.

This is from my experience; hopefully it will all go straight for you though.

max
Hi, I use it in my environment, and never had a problem.

Author

Commented:
OK, so do I just enable it straight away on both servers at the same time, or should I enable it one by one?
E.g. scavenging first or DHCP dynamic update first?
Personally I will do DNS first.
Hi,
You should tune the parameters as indicated here:
http://www.dell.com/support/article/it/it/itbsdt1/sln290564/windows-server--best-practices-for-implementing-dns-aging-and-scavenging?lang=en

In the end you'll eventually get the job done anyway ... just keep in mind that you'll get records pruned as DHCP registration updates.

max

Author

Commented:
OK, I will do the DNS scavenging change first in the first week, and then followed by the DHCP dynamic update.
Do I need to shorten the DHCP lease from 5 days to just 8 hrs in the next week?
Should be good.
max
You can do both, or first DNS then DHCP.

Author

Commented:
OK, regarding the DNS scavenging, does it only delete the name (A record) and CNAME record that is no longer pingable from the DNS server?
Or will it delete the DNS record with a conflicting IP address as well?
Top Expert 2014
Commented:
If you haven't already, you should really read this link (multiple times) to understand scavenging.
https://blogs.technet.microsoft.com/networking/2008/03/19/dont-be-afraid-of-dns-scavenging-just-be-patient/

Once you get to DHCP settings (also covers scavenging), I recommend this link:
https://blogs.msmvps.com/acefekay/2009/08/20/dhcp-dynamic-dns-updates-scavenging-static-entries-amp-timestamps-and-the-dnsproxyupdate-group/

You would have to clarify what exactly you mean by "DHCP dynamic update".  DHCP is always dynamic (it's part of the name).  If you're meaning dynamic DNS updates, you also need to be clear on what you're asking - it's a big topic!
For a DNS zone with AD clients, I would always recommend setting the zone to use only secure dynamic updates, and enabling scavenging (with the proper precautions that you'll see mentioned in the links).  Pretty much any time you have DHCP clients where they will get different IPs, you will end up with stale (incorrect) records - that's where scavenging comes in, to help clean those out.

But if you're looking for perfection (i.e. DNS always has the correct record for all clients, all the time), particularly if you have laptops that switch between wireless and wired connections, you're in for some disappointment.

Author

Commented:
OK, can enabling DNS scavenging cause an existing DNS entry that is used by a server to be deleted?
Top Expert 2014
Commented:
It's hard to know exactly how to respond to your question.  You know scavenging deletes records, right?  So of course they have to exist, but the part about "that is used by a server" is a bit vague.

Scavenging only affects records with timestamps that haven't been updated within the period that you specify.  If you need to understand what that means, then I'll suggest to go through the article I linked to again.
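The timestamp rule in the answer above (a no-refresh interval during which refreshes are ignored, then a refresh interval, and only after both have passed is a record eligible for deletion) is easier to see in a small model. The Python below is an added illustration, not code from this thread or from Microsoft's DNS server: the zone, the host names, the IP addresses and the timestamps are all constructed, the 7 + 7 day values are the Windows defaults, and the model simplifies real behaviour (Windows stores timestamps to the hour and runs the scavenging pass on its own schedule). It also shows the two cases the asker worries about: a static record is never touched, while a server that is online and pingable but has stopped re-registering is deleted just the same, because scavenging only looks at the timestamp.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class AgingSettings:
    no_refresh: timedelta  # after a timestamp write, refreshes are ignored for this long
    refresh: timedelta     # then the record may be refreshed for this long


@dataclass
class DnsRecord:
    name: str
    rtype: str
    data: str
    # None models a static record (timestamp 0): it is never aged or scavenged.
    timestamp: Optional[datetime]


def can_refresh(rec: DnsRecord, s: AgingSettings, now: datetime) -> bool:
    """A dynamic update that changes nothing but the timestamp is accepted only
    once the no-refresh interval has elapsed (this is what limits replication
    traffic in AD-integrated zones). Static records never get a timestamp."""
    if rec.timestamp is None:
        return False
    return now >= rec.timestamp + s.no_refresh


def refresh(rec: DnsRecord, s: AgingSettings, now: datetime) -> bool:
    """Simulate a client's (or the DHCP server's) periodic re-registration.
    Returns True only if the timestamp was actually moved forward."""
    if not can_refresh(rec, s, now):
        return False
    rec.timestamp = now
    return True


def is_stale(rec: DnsRecord, s: AgingSettings, now: datetime) -> bool:
    """Eligible for deletion once both windows passed without a refresh.
    Whether the host still answers ping plays no part in this decision."""
    if rec.timestamp is None:
        return False
    return now >= rec.timestamp + s.no_refresh + s.refresh


def preview_scavenge(records, s: AgingSettings, now: datetime):
    """Dry run: the records a scavenging pass would delete right now.
    This is the check to run before enabling scavenging on a live zone."""
    return [f"{r.name} {r.rtype} {r.data}" for r in records if is_stale(r, s, now)]


def scavenge(records, s: AgingSettings, now: datetime):
    """One scavenging pass; returns (kept, removed)."""
    kept = [r for r in records if not is_stale(r, s, now)]
    removed = [r for r in records if is_stale(r, s, now)]
    return kept, removed


# Constructed sample zone with the default 7 + 7 days; "now" is fixed so runs repeat.
SETTINGS = AgingSettings(no_refresh=timedelta(days=7), refresh=timedelta(days=7))
NOW = datetime(2024, 3, 1, 12, 0)


def sample_zone():
    return [
        # Static record created by hand: never scavenged, however old.
        DnsRecord("dc01", "A", "10.0.0.10", None),
        # Online, pingable server whose record was last refreshed 20 days ago
        # (e.g. it no longer registers itself): deleted like any stale record.
        DnsRecord("srv01", "A", "10.0.0.20", NOW - timedelta(days=20)),
        # Refreshed 10 days ago: past no-refresh, inside the refresh window.
        DnsRecord("ws02", "A", "10.0.1.50", NOW - timedelta(days=10)),
        # Refreshed 3 days ago: still inside the no-refresh window.
        DnsRecord("ws03", "A", "10.0.1.51", NOW - timedelta(days=3)),
        # Leftover from an expired lease: same IP as ws02, the duplicate-IP case.
        DnsRecord("ws04", "A", "10.0.1.50", NOW - timedelta(days=16)),
    ]


def demo():
    zone = sample_zone()
    ws02 = next(r for r in zone if r.name == "ws02")
    ws03 = next(r for r in zone if r.name == "ws03")
    # Both hosts re-register today: ws02 is accepted, ws03 is silently ignored.
    refreshed = (refresh(ws02, SETTINGS, NOW), refresh(ws03, SETTINGS, NOW))
    kept, removed = scavenge(zone, SETTINGS, NOW)
    return refreshed, [r.name for r in kept], [r.name for r in removed]


if __name__ == "__main__":
    print(demo())
```

Running `preview_scavenge(sample_zone(), SETTINGS, NOW)` against a real export of the zone's timestamped records is the equivalent of the "dry run" worth doing before turning scavenging on: anything listed there would be deleted on the first pass, so a server you expected to keep showing up in that list means its record needs to be either re-registered or converted to a static record first.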