DNS aging and scavenging allows an automatic cleanup and removal of stale resource records. This Wiki article
explains how this mechanism works and what you should watch out for when you enable it.
What is aging?
Aging is a feature that allows identifying stale DNS records. It uses two intervals, and a DNS record is
considered stale once both have elapsed.
Non-Refresh Interval: a period of time during which a resource record cannot be refreshed (*). Refusing
refreshes during this period reduces replication traffic, as there is no need to replicate the same
information again.
Refresh Interval: a period of time during which a resource record can be refreshed (*).
(*) A resource record refresh is a DNS dynamic update where the host name and IP do not change. A DNS
dynamic update that changes the registered IP of a resource record is not considered a refresh and is exempt
from the Non-Refresh Interval.
Example 1:
If the Non-Refresh Interval and the Refresh Interval are both seven (7) days, a resource record is considered
stale if it has not been refreshed for fourteen (14) days.
Example 2:
If the Non-Refresh Interval and the Refresh Interval are both seven (7) days, a resource record can be refreshed
7 days after its last refresh. Once refreshed, a new Non-Refresh Interval starts.
Even if the Non-Refresh and Refresh intervals have elapsed, a resource record can still be refreshed as long as
it has not been removed from the DNS zone. Once refreshed, a new Non-Refresh Interval starts and the record is
no longer considered stale.
DNS aging uses the resource record timestamp to identify whether it is stale or not.
Resource records with a timestamp equal to zero (0): these are static records and they never become stale.
Resource records with a timestamp not equal to zero (0): these are dynamic records, and the timestamp
represents the date and time of the last update done on the record (the time part is the hour of the last
refresh or update, as the timestamp is kept with hour granularity).
What is Scavenging?
Scavenging is a feature that allows the cleanup and removal of stale resource records in DNS zones.
Scavenging occurs on a recurring interval when enabled on a DNS server. A stale resource record can therefore
still exist until the next DNS scavenging cycle.
Example:
If scavenging occurs every Wednesday on a DNS server, the Non-Refresh and Refresh intervals are seven (7) days
each and the last refresh of the DNS record occurred on a Thursday, then the resource record will be removed in
the scavenging cycle of week number four (4).
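The following function is an added example, not part of the original article: it applies the aging rules described above to a single record timestamp and reports when the record becomes refreshable, when it becomes stale, and in which scavenging cycle it would be removed. The intervals default to the article's 7 + 7 days; the record timestamp and the scavenging schedule used in the call at the bottom are constructed values chosen to match the Wednesday/Thursday example.

```powershell
# Added example, not part of the original article: applies the aging rules to one record's
# timestamp. Intervals default to the article's 7 + 7 days; the timestamp and scavenging
# schedule passed in at the bottom are constructed values.
function Get-DnsRecordAgingState {
    param(
        $TimeStamp,                                         # last refresh/update time; empty or 0 means a static record
        [timespan]$NoRefreshInterval = (New-TimeSpan -Days 7),
        [timespan]$RefreshInterval   = (New-TimeSpan -Days 7),
        [datetime]$Now               = (Get-Date),
        [datetime]$NextScavengeCycle,                       # first scavenging run at or after $Now
        [timespan]$ScavengingPeriod  = (New-TimeSpan -Days 7)
    )
    # Timestamp 0 (shown as an empty Timestamp by Get-DnsServerResourceRecord): static, never stale
    if (-not $TimeStamp) {
        return [pscustomobject]@{ Static = $true; Stale = $false }
    }
    $stamp           = [datetime]$TimeStamp
    $refreshableFrom = $stamp + $NoRefreshInterval          # Non-Refresh Interval over: a refresh is accepted
    $staleFrom       = $refreshableFrom + $RefreshInterval  # Refresh Interval also over: the record is stale

    # The record disappears in the first scavenging cycle that runs once it is stale
    $removalCycle = $null
    if ($PSBoundParameters.ContainsKey('NextScavengeCycle')) {
        $removalCycle = $NextScavengeCycle
        while ($removalCycle -lt $staleFrom) { $removalCycle += $ScavengingPeriod }
    }
    [pscustomobject]@{
        Static          = $false
        RefreshableFrom = $refreshableFrom
        StaleFrom       = $staleFrom
        Stale           = ($Now -ge $staleFrom)
        RemovalCycle    = $removalCycle
    }
}

# The article's scavenging example: last refresh on a Thursday (2013-10-03, constructed),
# scavenging every Wednesday starting 2013-10-09. RemovalCycle comes out as Wednesday
# 2013-10-23, the fourth week counted from the week of the refresh, as the article states.
Get-DnsRecordAgingState -TimeStamp (Get-Date '2013-10-03 09:00') -Now (Get-Date '2013-10-03 09:00') `
    -NextScavengeCycle (Get-Date '2013-10-09 02:00')
```

StaleFrom is always Timestamp + Non-Refresh + Refresh, independent of the scavenging schedule; the schedule only decides how long a stale record survives before a cycle actually removes it, which is why the same record can outlive its stale date by up to one scavenging period.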
Using the DNS administrative tool (dnsmgmt.msc), go to the properties of your DNS zone and then click
on Aging…
Enable the Scavenge stale resource records check box, specify the Non-Refresh interval and Refresh
interval periods, then click on OK.
To make DNS aging and scavenging enabled by default for all DNS zones on a DNS server, proceed as follows:
Right-click the server name and then click on Set Aging/Scavenging for All Zones…
Enable the Scavenge stale resource records check box, specify the Non-Refresh interval and Refresh
interval periods, then click on OK.
Enable Apply these settings to the existing Active Directory-integrated zones (this enables DNS
aging and scavenging for the existing Active Directory-integrated zones) and then click on OK.
2. Enable DNS scavenging on at least one DNS server hosting primary copies of your DNS zones:
Go to the properties of your DNS server, open the Advanced tab and then enable the Enable automatic
scavenging of stale records check box. Once done, specify the Scavenging period (the recurring
interval for scavenging on a DNS server) and click on OK.
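The same configuration that the DNS Manager steps above perform can be scripted with the DnsServer PowerShell module that ships with Windows Server 2012 and later. The block below is an added example and not part of the original article; the server name, zone name and the mapping of -ApplyOnAllZones to the "Apply these settings to the existing Active Directory-integrated zones" check box are assumptions to verify against your own environment.

```powershell
# Added example, not part of the original article: the DNS Manager steps done with the
# DnsServer module (Windows Server 2012+). Server and zone names are placeholders.
$dnsServer = 'DC1.contoso.com'
$zone      = 'contoso.com'
$sevenDays = New-TimeSpan -Days 7

# Step 1, single zone: enable aging with 7-day Non-Refresh and Refresh intervals
Set-DnsServerZoneAging -Name $zone -ComputerName $dnsServer -Aging $true `
    -NoRefreshInterval $sevenDays -RefreshInterval $sevenDays

# Step 1, all zones: server-wide defaults pushed to the existing AD-integrated zones
# (-ApplyOnAllZones is assumed here to match the "Apply these settings..." check box)
Set-DnsServerScavenging -ComputerName $dnsServer -ApplyOnAllZones `
    -NoRefreshInterval $sevenDays -RefreshInterval $sevenDays

# Step 2: turn on the scavenging job on this server with a 7-day scavenging period
Set-DnsServerScavenging -ComputerName $dnsServer -ScavengingState $true -ScavengingInterval $sevenDays

# Verify. AvailForScavengeTime is the "zone can be scavenged after" timestamp the article
# describes; ScavengeServers lists which servers are allowed to scavenge this zone.
Get-DnsServerZoneAging -Name $zone -ComputerName $dnsServer |
    Format-List AgingEnabled, NoRefreshInterval, RefreshInterval, AvailForScavengeTime, ScavengeServers
Get-DnsServerScavenging -ComputerName $dnsServer
```

Check the verification output on every DNS server that holds a primary copy of the zone: aging is a zone property and replicates with the zone, but the scavenging state and period are per-server settings that must be enabled on at least one server, as step 2 requires.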
Example:
Let’s suppose that you have a dynamic resource record named Computer1 and two Domain Controllers, DC1 and
DC2, that are also DNS servers and host the AD-integrated DNS zones of your Active Directory domain.
Computer1 made its last DNS record refresh on 12/08/2013 5:03:26 PM on DC1. The timestamp is then
12/08/2013 5:00:00 PM on DC1. Its timestamp on DC2 is 10/25/2013 4:00:00 AM and was not updated, as DNS
aging and scavenging was not enabled on the DNS zone.
Let’s suppose now that we enabled DNS aging and scavenging on the DNS zone on 12/08/2013 at 6 PM,
that scavenging is enabled at the server level on DC2 and will run its next cycle at 7 PM, and that the
Non-Refresh and Refresh intervals are seven (7) days each. As Computer1 has not refreshed its DNS record since
we enabled DNS aging and scavenging on the DNS zone, and its timestamp on DC2 is 10/25/2013 (a stale record),
DC2 will consider the Computer1 resource record stale and remove it. This will not happen if you wait until
Computer1 updates its DNS record again, as its new timestamp will be replicated and the resource record will
no longer be considered stale on DC2.
That is why the "zone can be scavenged after" timestamp is used for DNS zones: scavenging cannot start before
it is reached. It allows enough time to refresh and replicate dynamic resource records before scavenging starts.
You can see this timestamp in the Zone Aging/Scavenging Properties if you enable the Advanced view.
ID 2501: This is logged when DNS records have been scavenged.
You need to get the date and time of the last DNS scavenging cycle and add the scavenging period to identify
when the next DNS scavenging cycle will occur.
Example:
If the last DNS scavenging cycle occurred on 12/08/2013 6:00:00 PM and your scavenging period is seven (7) days,
then the next DNS scavenging cycle will occur on 12/15/2013 6:00:00 PM.
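As an added example that is not part of the original article, the block below reads the time of the last scavenging run from DNS Server event 2501, adds the server's scavenging period to predict the next run, and then lists the dynamic records of one zone that will already be stale when that run happens. It uses the DnsServer module cmdlets and Get-WinEvent; the server and zone names are placeholders.

```powershell
# Added example, not part of the original article: last scavenging run from event 2501,
# next run = last run + scavenging period, and the records that will be stale by then.
# Server and zone names are placeholders.
$dnsServer = 'DC2.contoso.com'
$zone      = 'contoso.com'

# Event 2501 is only written when a cycle actually removed records, so a cycle that found
# nothing stale leaves no trace here. Get-WinEvent returns newest first, so one event is enough.
$lastRun = Get-WinEvent -ComputerName $dnsServer -FilterHashtable @{ LogName = 'DNS Server'; Id = 2501 } `
    -MaxEvents 1 -ErrorAction SilentlyContinue

if (-not $lastRun) {
    "No event 2501 on $dnsServer: no scavenging cycle has removed records there yet."
    return
}

$scavenging = Get-DnsServerScavenging -ComputerName $dnsServer
$nextRun    = $lastRun.TimeCreated + $scavenging.ScavengingInterval
[pscustomobject]@{
    LastScavengeCycle = $lastRun.TimeCreated
    ScavengingPeriod  = $scavenging.ScavengingInterval
    NextScavengeCycle = $nextRun
}

# Records whose Timestamp + Non-Refresh + Refresh falls on or before the next run will be
# scavenged unless their owner refreshes them first. Static records have no Timestamp and are skipped.
$aging = Get-DnsServerZoneAging -Name $zone -ComputerName $dnsServer
Get-DnsServerResourceRecord -ZoneName $zone -ComputerName $dnsServer |
    Where-Object { $_.Timestamp -and ($_.Timestamp + $aging.NoRefreshInterval + $aging.RefreshInterval) -le $nextRun } |
    Select-Object HostName, RecordType, Timestamp
```

Run this against the server that actually performs scavenging (the one from step 2), since the event is written there; on a server where scavenging is not enabled the query returns nothing even though the zone is aged.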
Yes, it is possible to run a DNS scavenging cycle manually. You just need to right-click the DNS server
and then run Scavenge Stale Resource Records. Note that the "zone can be scavenged after" timestamp
(previously discussed) must be reached before a manually run DNS scavenging cycle can scavenge the zone.
When a resource record is scavenged, it is deleted from the DNS server in-memory cache. This means that it
is no longer loaded by DNS and no DNS resolution can be done for it. However, its AD object is not
immediately removed: instead, the dNSTombstoned attribute of its AD object is set to TRUE when the record
is scavenged.
On a daily basis, at 2 AM, the DNS server scans the AD-integrated zones and identifies whether
tombstoned records are ready to be removed or not. By default, the retention period is seven (7) days, but this
can be changed with dnscmd using the /config /DsTombstoneInterval switch.
Dnscmd: http://technet.microsoft.com/en-us/library/cc772069.aspx
Remark: If the resource record is updated while its AD object has not yet been removed, the
dNSTombstoned attribute value is changed to not set, and the resource record is loaded by DNS again and
is once more part of the DNS in-memory cache. However, if the update is requested by a computer with a
different SID (for example, a computer was re-installed and joined to the AD domain again), then the existing
AD object is removed without waiting for the end of the retention period and a new one is created.
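To see which scavenged records are still sitting in Active Directory as tombstoned objects, i.e. within the retention period described above, the following added example (not part of the original article) queries the zone's dnsNode objects for dNSTombstoned=TRUE with the ActiveDirectory module. The zone name, domain and partition in the search base are placeholders; AD-integrated zones can be stored in the DomainDnsZones, ForestDnsZones or domain partition, so the search base must match where your zone lives.

```powershell
# Added example, not part of the original article: list records that were scavenged but are
# still kept as tombstoned AD objects. Zone, domain and partition in the search base are
# placeholders; adjust -SearchBase to the partition that stores your zone.
Import-Module ActiveDirectory
$zone       = 'contoso.com'
$searchBase = "DC=$zone,CN=MicrosoftDNS,DC=DomainDnsZones,DC=contoso,DC=com"

# dnsNode objects with dNSTombstoned=TRUE are the scavenged records the nightly 2 AM scan
# has not removed yet; whenChanged approximates when they were scavenged.
Get-ADObject -SearchBase $searchBase -LDAPFilter '(&(objectClass=dnsNode)(dNSTombstoned=TRUE))' `
    -Properties dNSTombstoned, whenChanged |
    Select-Object Name, whenChanged, dNSTombstoned |
    Sort-Object whenChanged

# The retention is changed with the dnscmd switch the article names. The value is assumed
# here to be in seconds (604800 = 7 days, the default); uncomment after confirming on your server.
# dnscmd DC2.contoso.com /Config /DsTombstoneInterval 604800
```

Records that reappear in this list shortly after being scavenged, then vanish again, are a sign that a host keeps re-registering a name other hosts also claim; comparing the owner SIDs on the object is the way to confirm the re-installed computer case the remark above describes.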
server: http://support.microsoft.com/kb/952087
The size of the Active Directory increases rapidly on a Windows Server 2003-based or Windows Server 2008 R2-based domain controller that hosts the DNS Server role: http://support.microsoft.com/kb/2548145/en-us
Yes, this can be done using PowerShell. You can download the following DNS management module and use the
following script to receive, by mail, the list of stale DNS records periodically: http://dnsshell.codeplex.com/
Import-Module "C:\DnsShell\DnsShell.psd1"
$smtpServer   = "mail.contoso.com"
$mailsender   = "notification@contoso.com"
$mailreceiver = "administrator@contoso.com"
$DNSzone      = "insead.test"
$agedrecords  = $null
# A record is aged once the Non-Refresh and Refresh intervals have both elapsed (7 + 7 days here)
$staleAfter   = (Get-Date).AddDays(-14)
# Record enumeration reconstructed around DnsShell's Get-DnsRecord; the TimeStamp property
# (empty or 0 for static records) is assumed from the module's WMI-based output
foreach ($record in (Get-DnsRecord -ZoneName $DNSzone)) {
    if ($record.TimeStamp -and ($record.TimeStamp -lt $staleAfter)) {
        $agedrecords += $record.Name + "`r`n"
    }
}
# Send the notification only when at least one aged record was found
if ($agedrecords) {
    $msg  = New-Object System.Net.Mail.MailMessage
    $smtp = New-Object System.Net.Mail.SmtpClient($smtpServer)
    $msg.From = $mailsender
    $msg.To.Add($mailreceiver)
    $msg.Subject = "[Warning] New DNS records are now aged and will be removed during the next Scavenging Cycle"
    $msg.Body = $agedrecords
    $smtp.Send($msg)
}
You will need to update the following variables before using the script:
$smtpServer: Replace the variable value with your SMTP gateway DNS name or IP address
$mailsender: Replace the variable value with the notification sender e-mail address you want to use
$mailreceiver: Replace the variable value with the Active Directory Domain administrator e-mail address
(you can specify a Distribution List e-mail address if the notification needs to be sent to a group of
people)
$DNSzone: Replace the variable value with the name of the DNS zone to check
Remark: You also need to specify the path of the psd1 file to load (the one you downloaded from the codeplex
project). In the provided script the path is "C:\DnsShell\DnsShell.psd1".
The script can be scheduled to run periodically before each DNS scavenging cycle to report the stale DNS
records.
DNS Scavenging internals (or what is the dnsTombstoned attribute) for AD Integrated zones: http://blogs.technet.com/b/isrpfeplat/archive/2010/09/23/dns-scavenging-internals-or-what-is-the-dnstombstoned-attribute-for-ad-integrated-zones-dstombstoneinterval-dnstombstoned.aspx