When do Server 2016 machines update their dynamic DNS registrations and help with scavenging

stevedub40

Hi guys,

So after working with WSUS and client patching I have noticed that we had a large number of stale DNS entries, which led me to discover that we have no sort of DNS scavenging in place. I have read quite a few articles on the proper configuration for this, which has me a bit scared that I may make a mistake, so I'm not sure if I want to enable "Secured" only updates and use the DNS credentials on the DC/DHCP servers.

One of the articles I read was the following:

How DNS Scavenging and the DHCP Lease Duration Relate

What I was thinking of doing was simply enabling scavenging and lowering the no-refresh/refresh days to 4, as suggested in option 2. After I enabled this I later discovered that all of our Windows 2016 servers and zone (same as parent folder) records had time stamps, which means they would be susceptible to scavenging, so I disabled this immediately. I did a lot of Google searches on this topic, as it wasn't clear how frequently these statically assigned servers refreshed, but everything I found seemed to be old info and I'm not sure if it applies. Right now it looks like all but one server show a timestamp of 8/24 (it's 8/27 now), so it seems like it is days for these to update. Everything I read said that servers update every 24 hours, but this does not seem to be the case.

Here is some information on our environment which I would like some (current) advice for:

  • All user clients are Windows 10 1809, majority are laptops that frequently travel
  • DHCP server is set to default 8 day lease with ~10 scopes for the different vlans
  • DHCP server is also the domain controller, which has a failover relationship to DC2
  • There are 3 DCs that are grouped in the same site, as there is only one currently
  • All servers are Windows 2016 1607, including DCs
  • All servers reside on a vSphere 6.7u2 cluster
  • No scavenging settings currently configured


I'm just worried that if I enable scavenging that my servers will get wiped out if not set correctly. I'm also worried if I don't enable scavenging now I will have quite a mess later on, as we have laptops that travel to different offices, which have different vlans. We also have remote retail stores that utilize our Meraki gear for address leases, so either Windows or Meraki can assign an address.

Any assistance would be greatly appreciated. You guys are always extremely helpful.

Thanks,
Steve
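
Added example, not part of the original post: a read-only PowerShell report of which A records in a zone carry a timestamp and which of those would already be older than a proposed no-refresh + refresh window, so the effect of scavenging can be reviewed before it is enabled. The zone name is a placeholder and the 4/4-day values are the ones the post considered; it assumes the DnsServer module (RSAT or a DNS server) is available.

```powershell
# Added example: dry-run audit, changes nothing on the DNS server.
Import-Module DnsServer

$ZoneName      = 'corp.example.com'   # placeholder, replace with the real zone
$NoRefreshDays = 4                    # value considered in the post
$RefreshDays   = 4                    # value considered in the post

# A record becomes eligible for scavenging once its timestamp is older than
# no-refresh + refresh (and aging is enabled on the zone).
$cutoff = (Get-Date).AddDays(-($NoRefreshDays + $RefreshDays))

# Current aging state of the zone and scavenging state of the server, for reference.
Get-DnsServerZoneAging -Name $ZoneName
Get-DnsServerScavenging

Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType A |
    ForEach-Object {
        # Static records have no timestamp and are never scavenged.
        $state = if (-not $_.Timestamp)            { 'Static' }
                 elseif ($_.Timestamp -lt $cutoff) { 'Stale (would be eligible)' }
                 else                              { 'Fresh' }

        [pscustomobject]@{
            HostName  = $_.HostName
            IPv4      = $_.RecordData.IPv4Address
            Timestamp = $_.Timestamp
            State     = $state
        }
    } |
    Sort-Object State, HostName |
    Format-Table -AutoSize
```

Server and domain controller records that show up as "Stale" in this report are the ones to investigate before turning scavenging on.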
