Danger of Scavenging Stale Resource Records In _msdcs Zone?

OK, so, a quick rundown:

  1. _msdcs is essentially where all those AD-critical SRV records are kept.
  2. All your servers which need SRV records should be registering and refreshing them via dynamic DNS. You're (hopefully) not building your SRV records by hand.
  3. The netlogon service performs DDNS refresh with, according to this, a default refresh frequency of 1 hour. But according to this, it refreshes every 24 hours - it's what I observe in the timestamps of my own SRV records as well.
    • Also be aware, DDNS updates have a dependency on the DHCP Client service, so don't disable the DHCP Client service even if your servers are statically addressed.
  4. The default scavenging interval is 7 days. Scavenging removes any dynamic record whose timestamp is older than (todaysdate - scavengeinterval); those records would remain until deleted (either manually or by some other process like a DC demotion) if there were no scavenging. Scavenging does not touch static records (those you created by hand) unless you explicitly allow scavenging for the record.

So, keeping all this in mind, you should be fine with scavenging, as long as you are not scavenging more often than your records can refresh themselves. You can verify that your records really are refreshing themselves by taking a short look through the timestamps in whatever zone you are considering scavenging.

IMHO, scavenging is always a good idea, and yes this includes the _msdcs zone. If a DC stops refreshing its DNS records, scavenging will automatically remove those records and that's a good thing - you wouldn't want people resolving to broken DCs.

I consider the article "Don't be afraid of DNS Scavenging. Just be patient." to be the canonical best practice for Windows DNS scavenging.
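
The timestamp check suggested in the answer above, as an added PowerShell example (not part of the original answer). The zone name, server name and 7-day threshold are placeholder assumptions; the cmdlets come from the DnsServer module.

```powershell
# Added example: audit record timestamps in a zone before turning on scavenging.
# Needs the DnsServer module (RSAT DNS Server tools).
param(
    [string]$ZoneName     = '_msdcs.example.com',  # placeholder zone name
    [string]$ComputerName = 'localhost',           # placeholder DNS server
    [int]$MaxAgeDays      = 7                      # assumed threshold for "stale"
)

Import-Module DnsServer -ErrorAction Stop
$cutoff = (Get-Date).AddDays(-$MaxAgeDays)

# Aging settings currently applied to the zone, for reference.
Get-DnsServerZoneAging -Name $ZoneName -ComputerName $ComputerName |
    Format-List ZoneName, AgingEnabled, NoRefreshInterval, RefreshInterval

$report = Get-DnsServerResourceRecord -ZoneName $ZoneName -ComputerName $ComputerName |
    ForEach-Object {
        $r = $_   # keep a reference: inside switch, $_ is the value being matched
        $target = switch ($r.RecordType) {
            'SRV'   { '{0}:{1}' -f $r.RecordData.DomainName, $r.RecordData.Port }
            'CNAME' { $r.RecordData.HostNameAlias }
            'A'     { $r.RecordData.IPv4Address }
            default { '' }
        }
        # Static records carry no timestamp; dynamic ones are compared to the cutoff.
        $state = if (-not $r.Timestamp) { 'Static' } elseif ($r.Timestamp -lt $cutoff) { 'Stale' } else { 'Fresh' }
        [pscustomobject]@{
            Name      = $r.HostName
            Type      = $r.RecordType
            Target    = $target
            Timestamp = $r.Timestamp
            State     = $state
        }
    }

# Counts per state, then the dynamic records that have not refreshed in time.
$report | Group-Object State | Select-Object Name, Count | Format-Table -AutoSize
$report | Where-Object State -eq 'Stale' | Sort-Object Timestamp |
    Format-Table Name, Type, Target, Timestamp -AutoSize
```

Records listed as Stale are dynamic registrations that have not refreshed within the threshold; confirm the owning server is really gone or broken before scavenging is enabled on the zone.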


Scavenge it, I say!

Everything in there is automatically populated by the DCs, as long as they're allowed to - as long as you're not scavenging it ridiculously frequently then there should be no problem.