
How DNS Aging and Scavenging Works


DNS aging and scavenging automates the cleanup and removal of stale resource records. This Wiki article
explains how the mechanism works and what you should take care of when you enable it. Both failure modes
matter: stale records left in place keep resolving names to addresses that may since have been handed to
other hosts, while scavenging enabled carelessly removes records that are still in use.

What is aging?
Aging is the feature that identifies stale DNS records. It uses two consecutive intervals, and a DNS record is
considered stale once both have elapsed since its last refresh.

These intervals are:

- Non-Refresh Interval: a period of time during which a resource record cannot be refreshed (*).
Refusing refreshes during this period reduces replication traffic, as there is no need to replicate the
same information again.
- Refresh Interval: a period of time during which a resource record can be refreshed (*).

(*) A resource record refresh is a DNS dynamic update in which neither the host name nor the IP changes. A
dynamic update that changes the IP registered for a resource record is not a refresh: it is accepted even
during the Non-Refresh Interval.

Example 1:
If the Non-Refresh Interval and the Refresh Interval are both seven (7) days, a resource record is considered
stale if it has not been refreshed within fourteen (14) days of its last refresh.

Example 2:
If the Non-Refresh Interval and the Refresh Interval are both seven (7) days, a resource record can be refreshed
again 7 days after its last refresh. Once it is refreshed, a new Non-Refresh Interval starts.

Even after both the Non-Refresh and Refresh intervals have elapsed, a resource record can still be refreshed as
long as it has not been removed from the DNS zone. Once refreshed, a new Non-Refresh Interval starts and the
record is no longer considered stale.
DNS aging uses the resource record timestamp to decide whether a record is stale.

We can distinguish two types of resource records:

- Resource records whose timestamp is zero (0): these are static records and they never become stale.
- Resource records whose timestamp is not zero (0): these are dynamic records, and the timestamp is the date
and time of the last update or refresh of the record. The time is kept with one-hour granularity: only the
hour of the last refresh or update is recorded.

How to convert a dynamic resource record to a static one without re-creating it in DNS:
http://social.technet.microsoft.com/wiki/contents/articles/21726.how-to-convert-a-dynamic-resource-record-to-a-static-one-without-re-creating-it-in-dns.aspx

What is Scavenging?
Scavenging is a feature that allows the cleanup and removal of stale resource records in DNS zones.

A stale resource record is removed only if scavenging is enabled on all three of:

- the resource record itself (the "Delete this record when it becomes stale" option, i.e. a dynamic record
with a non-zero timestamp)
- the DNS zone in which the resource record exists
- at least one DNS server hosting a primary copy of the DNS zone in which the resource record exists

When enabled on a DNS server, scavenging runs at a recurring interval. A stale resource record can therefore
remain in the zone until the next scavenging cycle.

Example:
If scavenging runs every Wednesday on a DNS server, the Non-Refresh and Refresh intervals are seven (7) days
each, and the DNS record was last refreshed on the Thursday of week one (1), then the record becomes stale on
the Thursday of week three (3), fourteen days later, and is removed in the scavenging cycle of the Wednesday
of week four (4), the first cycle after it became stale.

How to enable DNS aging and scavenging?

To enable DNS aging and scavenging, proceed as follows:

1. Enable DNS aging and scavenging on the DNS zones:

- Using the DNS administrative tool (dnsmgmt.msc), open the properties of each DNS zone and then click
on Aging…
- Tick the Scavenge stale resource records checkbox, specify the Non-Refresh interval and Refresh
interval periods, then click OK

To make DNS aging and scavenging the default for all DNS zones on a DNS server, proceed as follows:

- Right-click the server name and then click Set Aging/Scavenging for All Zones…

- Tick the Scavenge stale resource records checkbox, specify the Non-Refresh interval and Refresh
interval periods, then click OK

- Tick Apply these settings to the existing Active Directory-integrated zones (this enables DNS
aging and scavenging on the AD-integrated zones that already exist) and then click OK

2. Enable DNS scavenging on at least one DNS server hosting primary copies of your DNS zones:

- Open the properties of the DNS server, go to the Advanced tab and tick the Enable automatic
scavenging of stale records checkbox. Then specify the Scavenging period (the recurring interval at
which this server runs a scavenging cycle) and click OK

How is the replication of a DNS resource record timestamp managed in AD-Integrated DNS zones?
If DNS aging and scavenging is not enabled on an AD-integrated DNS zone, there is no need to replicate the
resource records' timestamps: the information is only used by the aging and scavenging mechanism, so nothing
requires it to be replicated while that mechanism is disabled. That is why, while DNS aging and scavenging is
disabled on an AD-integrated zone, the timestamps of its resource records are not consistent across your
DC/DNS servers (a timestamp is updated only on the DNS server that processed the refresh and is not
replicated to the other DC/DNS servers).
Once DNS aging and scavenging is enabled on an AD-integrated DNS zone, resource record timestamp updates
start being replicated to the other DC/DNS servers. It is therefore important that the zone is not scavenged
until you are sure that your dynamic resource records have been refreshed and the new timestamps replicated.
Otherwise you can see a bulk removal of legitimate DNS records that should not have been removed.

Example:
Suppose you have a dynamic resource record named Computer1 and two Domain Controllers, DC1 and DC2, that are
also DNS servers and host the AD-integrated DNS zones of your Active Directory domain.

Computer1 last refreshed its DNS record on 12/08/2013 5:03:26 PM against DC1, so its timestamp on DC1 is
12/08/2013 5:00:00 PM (timestamps are kept with one-hour granularity). Its timestamp on DC2 is still
10/25/2013 4:00:00 AM, because DNS aging and scavenging was not enabled on the zone and timestamps were
therefore not replicated.

Suppose now that DNS aging and scavenging is enabled on the zone on 12/08/2013 at 6 PM, that scavenging is
enabled at the server level on DC2 with its next cycle due at 7 PM, and that the Non-Refresh and Refresh
intervals are seven (7) days each. Computer1 has not refreshed its record since aging was enabled on the zone,
and the timestamp DC2 holds is 10/25/2013, far more than 14 days old, so with nothing to hold it back DC2
would consider the record stale and remove it. This would not happen if you waited until Computer1 refreshed
its record again: the new timestamp would be replicated and the record would no longer be considered stale
on DC2.

That is why each zone carries a "zone can be scavenged after" timestamp that scavenging honours before
touching the zone. When you enable aging on a zone it is set to the current time plus the Refresh Interval,
which gives dynamic resource records time to refresh and to replicate their new timestamps before the first
scavenging pass.

You can see this timestamp in the Zone Aging/Scavenging Properties dialog when the Advanced view is enabled.
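The check a practitioner wants before enabling scavenging on an AD-integrated zone is whether the timestamps actually disagree between DC/DNS servers. The function below, an added example that is not part of the original article, reads the dynamic records of one zone from each server and reports every record whose timestamp differs by more than an hour between servers or is missing on one of them. It assumes the DnsServer module (Windows Server 2012+), a zone named corp.example.com and servers DC1 and DC2; all three names are placeholders.

```powershell
# Added example (not from the original article). Assumes the DnsServer module and
# placeholder names: zone "corp.example.com", servers DC1 and DC2.
function Compare-DnsRecordTimestamps {
    param(
        [Parameter(Mandatory)] [string]   $Zone,
        [Parameter(Mandatory)] [string[]] $Servers,
        # Timestamps are rounded to the hour, so a one-hour spread is normal.
        [TimeSpan] $Tolerance = (New-TimeSpan -Hours 1)
    )
    # key = "name/type", value = hashtable of server -> timestamp.
    # Hosts with several records of the same type share a key; the last one read wins.
    $seen = @{}
    foreach ($srv in $Servers) {
        Get-DnsServerResourceRecord -ZoneName $Zone -ComputerName $srv |
            Where-Object { $_.Timestamp } |          # static records have no timestamp
            ForEach-Object {
                $key = '{0}/{1}' -f $_.HostName, $_.RecordType
                if (-not $seen.ContainsKey($key)) { $seen[$key] = @{} }
                $seen[$key][$srv] = $_.Timestamp
            }
    }
    foreach ($key in ($seen.Keys | Sort-Object)) {
        $stamps = $seen[$key]
        $vals   = @($stamps.Values | Sort-Object)
        $spread = $vals[-1] - $vals[0]
        $missing = $Servers | Where-Object { -not $stamps.ContainsKey($_) }
        if ($missing -or $spread -gt $Tolerance) {
            [pscustomobject]@{
                Record    = $key
                Newest    = $vals[-1]
                Oldest    = $vals[0]
                Spread    = $spread
                MissingOn = ($missing -join ',')
            }
        }
    }
}

# Records whose timestamps disagree between the two DCs; expect many while aging is off.
Compare-DnsRecordTimestamps -Zone 'corp.example.com' -Servers 'DC1','DC2' |
    Format-Table -AutoSize
```

Run it once before enabling aging to see how far the servers have drifted, and again after the "zone can be scavenged after" time has passed: any record still reported with a months-old Oldest value on the scavenging server is one that will be removed in the next cycle, and the host it names has not re-registered.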

How to identify when the next scavenging cycle will occur on a DNS server?
After each DNS scavenging cycle on a DNS server, one of the following events is logged in the DNS Server
event log:

- ID 2501: logged when DNS records were scavenged

- ID 2502: logged when no DNS record was scavenged

You need to get the date and time of the last DNS scavenging cycle and add the scavenging period to identify
when the next DNS scavenging cycle will occur.

Example:
If the last DNS scavenging cycle occurred on 12/08/2013 6:00:00 PM and your scavenging period is seven (7) days,
the next DNS scavenging cycle will run on 12/15/2013 6:00:00 PM.
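The two calculations in this article, the next scavenging cycle and the cycle in which a given record disappears, as an added example that is not part of the original article. The first function reads the last 2501/2502 event from the DNS Server log and adds the server's scavenging period; the second takes a record timestamp and the zone intervals and finds the first cycle at or after the moment the record becomes stale. It assumes the DnsServer module (Windows Server 2012+) and a server named DC2; the dates passed in the final call are constructed to match the Wednesday/Thursday example given earlier in the article.

```powershell
# Added example (not from the original article). Assumes the DnsServer module and a
# placeholder server "DC2"; the dates in the final call are constructed for the example.
function Get-NextScavengeCycle {
    param([string] $Server = 'DC2')
    # Newest 2501 (records scavenged) or 2502 (nothing scavenged) event on that server.
    $last = Get-WinEvent -ComputerName $Server -MaxEvents 1 -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'DNS Server'; Id = 2501, 2502 }
    if (-not $last) { return $null }    # no scavenging cycle has completed yet
    $period = (Get-DnsServerScavenging -ComputerName $Server).ScavengingInterval
    [pscustomobject]@{
        LastCycle        = $last.TimeCreated
        RecordsRemoved   = ($last.Id -eq 2501)
        ScavengingPeriod = $period
        NextCycle        = $last.TimeCreated + $period
    }
}

function Get-RecordRemovalCycle {
    param(
        [Parameter(Mandatory)] [datetime] $LastRefresh,  # the record's timestamp
        [Parameter(Mandatory)] [timespan] $NoRefresh,
        [Parameter(Mandatory)] [timespan] $Refresh,
        [Parameter(Mandatory)] [datetime] $LastCycle,    # any known cycle start
        [Parameter(Mandatory)] [timespan] $Period
    )
    # Stale once both intervals have elapsed since the last refresh.
    $stale = $LastRefresh + $NoRefresh + $Refresh
    # Walk forward in whole periods to the first cycle that starts at or after that.
    # If the known cycle is already past the stale time, that cycle already removed it.
    $cycle = $LastCycle
    while ($cycle -lt $stale) { $cycle += $Period }
    [pscustomobject]@{ StaleAt = $stale; RemovedInCycle = $cycle }
}

Get-NextScavengeCycle -Server 'DC2'

# Article example: cycle every Wednesday, 7 + 7 day intervals, last refresh on a Thursday
# (constructed dates: Wednesday 4 Dec 2013 cycle, Thursday 5 Dec 2013 refresh).
Get-RecordRemovalCycle -LastRefresh '2013-12-05 17:00' `
    -NoRefresh (New-TimeSpan -Days 7) -Refresh (New-TimeSpan -Days 7) `
    -LastCycle '2013-12-04 18:00' -Period (New-TimeSpan -Days 7)
```

With those constructed dates the record becomes stale on Thursday 19 December and the function returns the cycle of Wednesday 25 December, the fourth Wednesday, which is the answer the article's example gives. Note that a record can also be refreshed any time before its cycle arrives, which resets the calculation.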

How many DNS servers should be used for DNS scavenging of AD-Integrated DNS zones?
A single DNS server with DNS scavenging enabled on it is enough to have the DNS scavenging properly done.
Configuring DNS scavenging on many servers is usually not recommended as it makes troubleshooting DNS
scavenging related issues (Example: Removal of legitimate DNS records) more complicated.

Is it possible to force manually a DNS scavenging cycle?

Yes, a DNS scavenging cycle can be run manually: right-click the DNS server node and choose Scavenge Stale
Resource Records. Note that a manual cycle honours the "zone can be scavenged after" timestamp discussed
above: records in a zone are not removed until that time has been reached.

What happens for the resource record AD object when scavenged?

When a resource record is scavenged, it is deleted from the DNS server's in-memory copy of the zone: it is
no longer loaded by DNS and it no longer resolves. Its AD object, however, is not removed immediately.
Instead, the dNSTombstoned attribute of the AD object is set to TRUE when the record is scavenged.

Once a day, at 2 AM, the DNS server scans the AD-integrated zones and checks whether tombstoned records are
ready to be removed. By default the retention period is seven (7) days; it can be changed with dnscmd using
the /config /DsTombstoneInterval switch (the value is given in seconds).

Dnscmd: http://technet.microsoft.com/en-us/library/cc772069.aspx

Remark: if the resource record is updated while its AD object has not yet been removed, the dNSTombstoned
attribute is cleared and the record is loaded by DNS again, becoming part of the in-memory zone once more.
However, if the update is requested by a computer with a different SID (for example, a computer that was
re-installed and joined to the AD domain again), the existing AD object is removed without waiting for the
end of the retention period and a new one is created.

Management of SIDs in Active Directory:
http://social.technet.microsoft.com/wiki/contents/articles/20590.management-of-sids-in-active-directory.aspx

Customized permissions that are applied to DNS records are reset to the default value when these records
are deleted and tombstoned on a Windows Server 2003-based DNS server:
http://support.microsoft.com/kb/952087

The size of the Active Directory increases rapidly on a Windows Server 2003-based or Windows Server
2008 R2-based domain controller that hosts the DNS Server role:
http://support.microsoft.com/kb/2548145/en-us
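Scavenged records are invisible in the DNS console but still present in AD until the retention period ends, so when a removal is questioned the tombstoned objects are the evidence. The query below, an added example that is not part of the original article, lists the dnsNode objects of one zone whose dNSTombstoned attribute is TRUE, and shows the dnscmd calls for reading and changing DsTombstoneInterval. It assumes the ActiveDirectory module, a zone corp.example.com stored in the DomainDnsZones partition of the domain corp.example.com, and a server DC1; the partition, the names and the use of whenChanged as an approximation of the tombstone time are all assumptions.

```powershell
# Added example (not from the original article). Assumed: ActiveDirectory module,
# placeholder zone "corp.example.com" in the DomainDnsZones partition of domain
# corp.example.com (zones can also live in ForestDnsZones or CN=System), server "DC1".
$DomainDN = 'DC=corp,DC=example,DC=com'
$ZoneDN   = "DC=corp.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,$DomainDN"
$Retention = 7   # assumed default DsTombstoneInterval of 7 days

# dnsNode objects flagged dNSTombstoned=TRUE are the scavenged records: not loaded by
# the DNS server and not resolvable, but not yet deleted from the directory.
Get-ADObject -SearchBase $ZoneDN -LDAPFilter '(&(objectClass=dnsNode)(dNSTombstoned=TRUE))' `
    -Properties dNSTombstoned, whenChanged |
    Select-Object Name, whenChanged,
        # whenChanged is the last write to the object, normally the scavenging itself,
        # so it approximates when the 2 AM scan will be allowed to delete the object.
        @{ Name = 'DeletableAfter'; Expression = { $_.whenChanged.AddDays($Retention) } } |
    Sort-Object whenChanged |
    Format-Table -AutoSize

# Current retention period in seconds (the default 604800 equals 7 days).
dnscmd DC1 /Info /DsTombstoneInterval

# To extend it to 14 days. Left commented out because it changes the server.
# dnscmd DC1 /Config /DsTombstoneInterval 1209600
```

A record on this list that belongs to a host still in service is a record whose host stopped refreshing for longer than the two intervals; the fix is on the host (or in the zone intervals), not in deleting the tombstone.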

Is it possible to be informed about DNS records getting stale?

Yes, this can be done with PowerShell. Download the DnsShell DNS management module from
http://dnsshell.codeplex.com/ and use the following script to receive, by mail, the list of stale DNS
records periodically:

Import-Module "C:\DnsShell\DnsShell.psd1"   # DnsShell module from the codeplex project

$smtpServer   = "mail.contoso.com"
$mailsender   = "notification@contoso.com"
$mailreceiver = "administrator@contoso.com"
$DNSzone      = "insead.test"
$agedrecords  = $null

# A record is stale once Non-Refresh + Refresh has elapsed since its timestamp
$zone        = Get-DnsZone $DNSzone
$aging       = $zone.NoRefreshInterval.TotalMilliseconds + $zone.RefreshInterval.TotalMilliseconds
$staleBefore = (Get-Date).AddMilliseconds(-1 * $aging)

foreach ($record in (Get-DnsRecord -ZoneName $DNSzone)) {
    # Static records report "Static" instead of a timestamp and never age
    if (($record.timestamp -ne "Static") -and ($staleBefore -ge $record.timestamp)) {
        $agedrecords += $record.name + "`r`n"
        $record.name
    }
}

if ($agedrecords -ne $null) {
    $msg  = New-Object Net.Mail.MailMessage
    $smtp = New-Object Net.Mail.SmtpClient($smtpServer)
    $msg.From = $mailsender
    $msg.To.Add($mailreceiver)
    $msg.Subject = "[Warning] New DNS records are now aged and will be removed during the next Scavenging Cycle"
    $msg.Body = $agedrecords
    $smtp.Send($msg)
}

You will need to update the following variables before using the script:

- $smtpServer: replace the value with the DNS name or IP address of your SMTP gateway
- $mailsender: replace the value with the sender e-mail address you want the notification to come from
- $mailreceiver: replace the value with the e-mail address of the Active Directory domain administrator (a
distribution list address can be used if the notification needs to reach a group of people)
- $DNSzone: replace the value with the name of the DNS zone to check

Remark: You need also to specify the path of the psd1 file to load (The one you download from the codeplex
project). In the provided script the path is "C:\DnsShell\DnsShell.psd1".

The script can be scheduled to run periodically before each DNS scavenging cycle to report the stale DNS
records.

Other references for DNS Aging and Scavenging:

Don't be afraid of DNS Scavenging. Just be patient:
http://blogs.technet.com/b/networking/archive/2008/03/19/don-t-be-afraid-of-dns-scavenging-just-be-patient.aspx

DNS Scavenging internals (or what is the dnsTombstoned attribute) for AD Integrated zones:
http://blogs.technet.com/b/isrpfeplat/archive/2010/09/23/dns-scavenging-internals-or-what-is-the-dnstombstoned-attribute-for-ad-integrated-zones-dstombstoneinterval-dnstombstoned.aspx
