DNS aging and scavenging allow stale resource records to be identified and removed automatically. This Wiki article explains how the mechanism works and what to watch out for when you enable it.

What is aging?

Aging is the feature that identifies stale DNS records. It uses two intervals, and a record is considered stale once both have elapsed since its last refresh.

These intervals are:

  • Non-Refresh Interval: a period of time during which a resource record cannot be refreshed (*). Refusing refreshes during this period reduces replication traffic, as there is no need to replicate the same information again.
  • Refresh Interval: a period of time, starting when the Non-Refresh Interval ends, during which a resource record can be refreshed (*).

(*) A resource record refresh is a DNS dynamic update in which the host name and IP address do not change. A dynamic update that changes the registered IP address of a resource record is not a refresh: it is exempt from the Non-Refresh Interval and is applied immediately.

Example 1:

If the Non-Refresh Interval and the Refresh Interval are both seven (7) days, a resource record is considered stale if it has not been refreshed for fourteen (14) days.

Example 2:

If the Non-Refresh Interval and the Refresh Interval are both seven (7) days, a resource record can be refreshed again seven (7) days after its last refresh. Once it is refreshed, a new Non-Refresh Interval starts.

Even after both intervals have elapsed, a stale resource record can still be refreshed as long as it has not yet been removed from the DNS zone. The refresh starts a new Non-Refresh Interval and the record is no longer considered stale.

DNS aging uses the resource record's timestamp to decide whether the record is stale.

There are two kinds of resource records:

  • Resource records with a timestamp of zero (0): these are static records, and they never become stale.
  • Resource records with a non-zero timestamp: these are dynamic records, and the timestamp is the date and time of the last update or refresh of the record. The timestamp is kept with one-hour granularity, so only the hour of the last refresh/update is stored (minutes and seconds are dropped).

How to convert a dynamic resource record to a static one without re-creating it in DNS: http://social.technet.microsoft.com/wiki/contents/articles/21726.how-to-convert-a-dynamic-resource-record-to-a-static-one-without-re-creating-it-in-dns.aspx

What is Scavenging?

Scavenging is a feature that allows the cleanup and removal of stale resource records in DNS zones.

A stale resource record is removed only if scavenging is enabled at all three of the following levels:

  • The resource record itself (a dynamic record with a non-zero timestamp)
  • The DNS zone that holds the resource record
  • At least one DNS server hosting a primary copy of that DNS zone

Once enabled on a DNS server, scavenging runs on a recurring interval (the scavenging period). A stale resource record can therefore remain in the zone until the next scavenging cycle.

Example:

If scavenging runs every Wednesday on a DNS server, the Non-Refresh and Refresh intervals are seven (7) days each, and the last refresh of a DNS record occurred on the Thursday of week one (1), then the record becomes stale on the Thursday of week three (3), fourteen days later. The Wednesday cycle of week three is one day too early, so the record is removed in the scavenging cycle of week four (4).

How to enable DNS aging and scavenging?

To enable DNS aging and scavenging, you need to proceed as follows:

1. Enable DNS aging and scavenging on the DNS zones:

  • Using the DNS administrative tool (dnsmgmt.msc), open the properties of the DNS zone and click Aging…

  • Tick the Scavenge stale resource records check box, set the Non-Refresh interval and Refresh interval, and click OK

To make DNS aging and scavenging the default for all DNS zones on a DNS server, proceed as follows:

  • Right-click the server name and click Set Aging/Scavenging for All Zones…

  • Tick the Scavenge stale resource records check box, set the Non-Refresh interval and Refresh interval, and click OK

  • Tick Apply these settings to the existing Active Directory-integrated zones (this enables DNS aging and scavenging on the existing Active Directory-integrated zones, not only on zones created later) and click OK

2. Enable DNS scavenging on at least one DNS server hosting primary copies of your DNS zones:

  • Open the properties of the DNS server, go to the Advanced tab and tick the Enable automatic scavenging of stale records check box. Then set the Scavenging period (the recurring interval between scavenging cycles on this server) and click OK
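The same two steps as a script, using the DnsServer PowerShell module that ships with the DNS Server role on Windows Server 2012 and later. This is an added example and is not part of the original article; the zone name contoso.com, the server name DC2 and the seven-day intervals are placeholders. It also reads the settings back, including the "zone can be scavenged after" timestamp that the zone receives when aging is enabled.

```powershell
# Added example (not from the original article). Requires the DnsServer module
# (DNS Server role or RSAT on Windows Server 2012+). Zone/server names are placeholders.
Import-Module DnsServer

$zone      = 'contoso.com'          # assumed zone name
$scavenger = 'DC2'                  # the ONE server that will run scavenging
$noRefresh = New-TimeSpan -Days 7
$refresh   = New-TimeSpan -Days 7

# Step 1: enable aging on the zone (equivalent of the zone's Aging... dialog).
# For an AD-integrated zone this is a zone property, so it replicates to every
# DC/DNS server hosting the zone and only needs to be set once.
# Optionally add -ScavengeServers <IP> to restrict which servers may scavenge this zone.
Set-DnsServerZoneAging -Name $zone -Aging $true `
    -NoRefreshInterval $noRefresh -RefreshInterval $refresh `
    -ComputerName $scavenger

# Equivalent of "Set Aging/Scavenging for All Zones..." with the
# "Apply these settings to the existing Active Directory-integrated zones" box ticked:
#   Set-DnsServerScavenging -ComputerName $scavenger -ApplyOnAllZones `
#       -NoRefreshInterval $noRefresh -RefreshInterval $refresh

# Step 2: enable automatic scavenging on a single server holding a primary copy
# (equivalent of "Enable automatic scavenging of stale records" on the Advanced tab).
# This is a per-server setting and does not replicate.
Set-DnsServerScavenging -ComputerName $scavenger -ScavengingState $true `
    -ScavengingInterval (New-TimeSpan -Days 7)

# Read everything back. AvailForScavengeTime is the "zone can be scavenged after"
# timestamp: aging was just enabled, so it is now + RefreshInterval, and no server
# will scavenge this zone before then, whether on schedule or manually.
$aging = Get-DnsServerZoneAging  -Name $zone -ComputerName $scavenger
$srv   = Get-DnsServerScavenging -ComputerName $scavenger

[pscustomobject]@{
    Zone                = $aging.ZoneName
    AgingEnabled        = $aging.AgingEnabled
    NoRefreshInterval   = $aging.NoRefreshInterval
    RefreshInterval     = $aging.RefreshInterval
    CanBeScavengedAfter = $aging.AvailForScavengeTime
    ScavengeServers     = $aging.ScavengeServers
    ScavengingServer    = $scavenger
    ScavengingEnabled   = $srv.ScavengingState
    ScavengingInterval  = $srv.ScavengingInterval
} | Format-List
```

Run it with an account that is a DnsAdmin (or a Domain Admin) and check that CanBeScavengedAfter is in the future before you expect the first cycle to remove anything.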

How is the replication of a DNS resource record timestamp managed in AD-Integrated DNS zones?

When DNS aging and scavenging is not enabled on an AD-integrated DNS zone, resource record timestamps are not replicated. The timestamp is only needed by the aging and scavenging mechanism, so there is nothing to gain from replicating it. In that state the timestamp is updated on the DNS server that received the refresh and is not written to the other DC/DNS servers, which is why the timestamps of the same record differ from one DC/DNS server to another.

Once DNS aging and scavenging is enabled on an AD-integrated DNS zone, timestamp updates start to replicate to the other DC/DNS servers. It is therefore important that the zone is not scavenged until you are sure that your dynamic resource records have been refreshed and that the refresh has replicated. Otherwise you can see a bulk removal of legitimate DNS records that should not have been removed.

Example:

Let’s suppose that you have a dynamic resource record named Computer1 and that you have two Domain Controllers DC1 and DC2 that are also DNS servers and host AD-integrated DNS zones for your Active Directory Domain.

Computer1 made its last DNS record refresh on 12/08/2013 at 5:03:26 PM against DC1. Its timestamp on DC1 is therefore 12/08/2013 5:00:00 PM (timestamps are kept to the hour). Its timestamp on DC2 is still 10/25/2013 4:00:00 AM, because DNS aging and scavenging was not enabled on the zone and the timestamp was never replicated.

Suppose now that DNS aging and scavenging is enabled on the zone on 12/08/2013 at 6 PM, that scavenging is enabled at the server level on DC2 with the next cycle due at 7 PM, and that the Non-Refresh and Refresh intervals are seven (7) days each. Computer1 has not refreshed its record since aging was enabled, so DC2 still holds the 10/25/2013 timestamp and considers the record stale. Without a safeguard, DC2's 7 PM cycle would delete a record that is in fact live. Waiting until Computer1 refreshes its record again avoids this: the new timestamp replicates to DC2 and the record is no longer stale there.


That is why each zone carries a zone can be scavenged after timestamp. When aging is enabled on a zone, this timestamp is set to the current time plus the Refresh Interval, and no server scavenges the zone before it is reached. This leaves enough time for the dynamic resource records to be refreshed and for their timestamps to replicate before the first scavenging cycle.

You can see this timestamp in the zone's Aging/Scavenging Properties dialog once Advanced view is enabled in the DNS console (View > Advanced).

How to identify when the next scavenging cycle will occur on a DNS server?

After each DNS scavenging cycle on a DNS server, one of the following events is logged in the DNS Server event log:

  • ID 2501: logged when DNS records were scavenged
  • ID 2502: logged when no DNS record was scavenged

You need to get the date and time of the last DNS scavenging cycle and add the scavenging period to identify when the next DNS scavenging cycle will occur.

Example:


If the last DNS scavenging cycle occurred on 12/08/2013 6:00:00 PM and your scavenging period is seven (7) days, the next DNS scavenging cycle will occur on 12/15/2013 6:00:00 PM.

How many DNS servers should be used for DNS scavenging of AD-Integrated DNS zones?

A single DNS server with scavenging enabled is enough for scavenging to be done properly. Enabling scavenging on several servers is usually not recommended: it makes troubleshooting scavenging-related issues (for example, the removal of legitimate DNS records) more complicated, because any of those servers could have removed the record.

Is it possible to force manually a DNS scavenging cycle?

Yes, it is possible to run a DNS scavenging cycle manually. Right-click the DNS server node and run Scavenge Stale Resource Records. Note that the zone can be scavenged after timestamp (discussed above) must already have been reached; otherwise the manual cycle skips the zone.
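A script that answers both questions above: when the last and next automatic cycles are, and whether a manual cycle would actually touch the zone. This is an added example, not part of the original article. It assumes the DnsServer module, a scavenging server named DC2 and a zone named contoso.com; the event IDs and the "zone can be scavenged after" rule are the ones described in the article.

```powershell
# Added example (not from the original article). Server and zone names are placeholders.
Import-Module DnsServer

$scavenger = 'DC2'            # assumed: the server with scavenging enabled
$zone      = 'contoso.com'    # assumed zone name

# Last cycle according to the events the article describes, newest first:
# 2501 = records were scavenged, 2502 = nothing to scavenge. Both live in the
# "DNS Server" log. "No events found" is an error for Get-WinEvent, hence the ErrorAction.
$lastEvent = Get-WinEvent -ComputerName $scavenger -MaxEvents 1 `
    -FilterHashtable @{ LogName = 'DNS Server'; Id = 2501, 2502 } `
    -ErrorAction SilentlyContinue

# The server keeps the same information in LastScavengeTime; use it when the log has rolled.
$srv = Get-DnsServerScavenging -ComputerName $scavenger
if (-not $srv.ScavengingState) {
    Write-Warning "Scavenging is not enabled on $scavenger; no automatic cycle will run there."
}

$lastCycle = if ($lastEvent) { $lastEvent.TimeCreated } else { $srv.LastScavengeTime }
$source    = if ($lastEvent) { "event $($lastEvent.Id)" } else { 'LastScavengeTime' }

if ($lastCycle) {
    $nextCycle = $lastCycle + $srv.ScavengingInterval     # last cycle + scavenging period
    "Last cycle on $scavenger : $lastCycle ($source); next cycle: $nextCycle"
} else {
    "No scavenging cycle has run on $scavenger yet."
}

# A manual cycle only does something for a zone whose "can be scavenged after"
# timestamp has passed, so check it before right-clicking (or before Start-DnsServerScavenging).
$avail = (Get-DnsServerZoneAging -Name $zone -ComputerName $scavenger).AvailForScavengeTime
if ($avail -and $avail -gt (Get-Date)) {
    Write-Warning "$zone cannot be scavenged before $avail; a manual cycle would skip it."
} else {
    # Same as "Scavenge Stale Resource Records" in the console. -Force skips the confirmation.
    Start-DnsServerScavenging -ComputerName $scavenger -Force
}
```

Treat the manual trigger as a deliberate action: it removes every record that is stale on that server's copy of the zone, so run the stale-record report first if you have any doubt about timestamp replication.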

What happens for the resource record AD object when scavenged?

When a resource record is scavenged, it is removed from the DNS server's in-memory copy of the zone: it is no longer loaded by DNS and no longer resolves. Its AD object, however, is not deleted immediately. Instead, the dNSTombstoned attribute of the AD object is set to TRUE when the record is scavenged.

Once a day, at 2 AM, the DNS server scans its AD-integrated zones and identifies the tombstoned records that are ready to be removed. The default retention period is seven (7) days; it can be changed with dnscmd using the /config /DsTombstoneInterval switch (the value is given in seconds).

Dnscmd: http://technet.microsoft.com/en-us/library/cc772069.aspx

Remark: if the resource record is updated while its AD object still exists, the dNSTombstoned attribute is cleared, the record is loaded by DNS again and becomes part of the in-memory zone once more. However, if the update comes from a computer with a different SID (for example a computer that was reinstalled and joined again to the AD domain), the existing AD object is removed without waiting for the end of the retention period and a new one is created.

Management of SIDs in Active Directory: http://social.technet.microsoft.com/wiki/contents/articles/20590.management-of-sids-in-active-directory.aspx

Customized permissions that are applied to DNS records are reset to the default value when these records are deleted and tombstoned on a Windows Server 2003-based DNS server: http://support.microsoft.com/kb/952087

The size of the Active Directory increases rapidly on a Windows Server 2003-based or Windows Server 2008 R2-based domain controller that hosts the DNS Server role: http://support.microsoft.com/kb/2548145/en-us
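To see which records of a zone are currently tombstoned, and roughly when the daily 2 AM scan will purge them, you can query the dnsNode objects directly. This is an added example, not from the original article; it assumes the ActiveDirectory module, a zone contoso.com stored in the DomainDnsZones application partition of DC=contoso,DC=com, and the default seven-day retention. The purge estimate uses whenChanged, which is an approximation: it is the last write to the object, normally the scavenge that set dNSTombstoned.

```powershell
# Added example (not from the original article). Domain, zone, partition and retention
# are placeholders; adjust them to your environment.
Import-Module ActiveDirectory

$domainDN  = 'DC=contoso,DC=com'     # assumed
$zone      = 'contoso.com'           # assumed
# The zone container depends on the zone's replication scope:
#   ForestDnsZones : DC=<zone>,CN=MicrosoftDNS,DC=ForestDnsZones,<forest root DN>
#   DomainDnsZones : DC=<zone>,CN=MicrosoftDNS,DC=DomainDnsZones,<domain DN>   (assumed here)
#   legacy (W2000) : DC=<zone>,CN=MicrosoftDNS,CN=System,<domain DN>
$zoneDN    = "DC=$zone,CN=MicrosoftDNS,DC=DomainDnsZones,$domainDN"
# Default DsTombstoneInterval is 7 days (604800 s). Verify with: dnscmd /Info /DsTombstoneInterval
$retention = New-TimeSpan -Days 7

# Tombstoned records are ordinary dnsNode objects with dNSTombstoned=TRUE, not AD tombstones,
# so a plain LDAP search finds them. Add -Server <DC> if the default DC does not host the partition.
Get-ADObject -SearchBase $zoneDN -SearchScope OneLevel `
    -LDAPFilter '(&(objectClass=dnsNode)(dNSTombstoned=TRUE))' `
    -Properties dNSTombstoned, whenChanged |
    ForEach-Object {
        [pscustomobject]@{
            Record         = $_.Name
            TombstonedAt   = $_.whenChanged                 # approximation, see lead-in
            PurgeNotBefore = $_.whenChanged + $retention    # candidate for the next 2 AM scan after this
        }
    } | Sort-Object TombstonedAt | Format-Table -AutoSize
```

If a record you expected to be purged keeps reappearing in this list with a fresh TombstonedAt, something is re-registering it and it is being scavenged again each cycle; that is a client or DHCP registration problem, not a scavenging one.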

Is it possible to be informed about DNS records getting stale?

Yes, this can be done with PowerShell. Download the DnsShell management module from http://dnsshell.codeplex.com/ and use the following script to receive the list of stale DNS records by e-mail periodically:

import-module "C:\DnsShell\DnsShell.psd1"

$smtpServer   = "mail.contoso.com"
$mailsender   = "notification@contoso.com"
$mailreceiver = "administrator@contoso.com"
$DNSzone      = "insead.test"
$agedrecords  = $null

# A record is stale once Non-Refresh + Refresh has elapsed since its timestamp,
# so anything with a timestamp older than this cut-off is stale
$zone        = Get-DnsZone $DNSzone
$aging       = $zone.NoRefreshInterval.TotalMilliseconds + $zone.RefreshInterval.TotalMilliseconds
$staleBefore = (Get-Date).AddMilliseconds(-1 * $aging)

foreach ($record in (Get-DnsRecord -ZoneName $DNSzone))
{
    # Static records (timestamp "Static") never age; dynamic ones are stale
    # when their last refresh is on or before the cut-off
    if (($record.timestamp -ne "Static") -and ($staleBefore -ge $record.timestamp))
    {
        $agedrecords += $record.name + "`r`n"
        $record.name
    }
}

# Send one mail listing all stale records, only if there are any
if ($agedrecords -ne $null)
{
    $msg  = new-object Net.Mail.MailMessage
    $smtp = new-object Net.Mail.SmtpClient($smtpServer)
    $msg.From = $mailsender
    $msg.To.Add($mailreceiver)
    $msg.Subject = "[Warning] New DNS records are now aged and will be removed during the next Scavenging Cycle"
    $msg.Body = $agedrecords
    $smtp.Send($msg)
}

You will need to update the following variables before using the script:

  • $smtpServer: replace the value with the DNS name or IP address of your SMTP gateway
  • $mailsender: replace the value with the sender e-mail address you want to use for the notification
  • $mailreceiver: replace the value with the e-mail address of the Active Directory domain administrator (you can use a distribution list address if the notification needs to reach a group of people)
  • $DNSzone: replace the value with the name of the DNS zone to check

Remark: You need also to specify the path of the psd1 file to load (The one you download from the codeplex project). In the provided script the path is "C:\DnsShell\DnsShell.psd1".

The script can be scheduled to run periodically before each DNS scavenging cycle to report the stale DNS records.
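The same report without the third-party module, using the DnsServer module built into Windows Server 2012 and later. This is an added example and not part of the original article or of DnsShell. It implements the staleness rule from the aging section (timestamp older than Non-Refresh + Refresh), skips static records (no timestamp), warns when aging is disabled on the zone, and queries the scavenging server rather than an arbitrary DC, because timestamps can differ between servers as explained earlier. The zone, server and mail settings are placeholders.

```powershell
# Added example (not from the original article). Zone, server and mail settings are placeholders.
Import-Module DnsServer

function Get-StaleDnsRecord {
    param(
        [Parameter(Mandatory)] [string] $ZoneName,
        [string]   $ComputerName = $env:COMPUTERNAME,
        [datetime] $Now = (Get-Date)
    )
    $aging = Get-DnsServerZoneAging -Name $ZoneName -ComputerName $ComputerName
    if (-not $aging.AgingEnabled) {
        Write-Warning "Aging is disabled on $ZoneName on $ComputerName; timestamps are not replicated and nothing will be scavenged."
    }
    # Stale = both intervals elapsed since the last refresh (the rule from the aging section)
    $staleAfter = $aging.NoRefreshInterval + $aging.RefreshInterval

    Get-DnsServerResourceRecord -ZoneName $ZoneName -ComputerName $ComputerName |
        Where-Object { $_.Timestamp } |          # static records have no timestamp and never age
        ForEach-Object {
            $age = $Now - $_.Timestamp
            [pscustomobject]@{
                Name      = $_.HostName
                Type      = $_.RecordType
                Timestamp = $_.Timestamp         # hourly granularity, as stored by DNS
                Age       = $age
                Stale     = ($age -gt $staleAfter)
            }
        } |
        Where-Object Stale
}

$zone    = 'contoso.com'   # assumed zone name
$dnsHost = 'DC2'           # assumed: the server that scavenges, so the report matches what it will remove
$stale   = @(Get-StaleDnsRecord -ZoneName $zone -ComputerName $dnsHost)

if ($stale.Count -gt 0) {
    $body = $stale | Sort-Object Timestamp |
        Format-Table Name, Type, Timestamp, Age -AutoSize | Out-String
    Send-MailMessage -SmtpServer 'mail.contoso.com' `          # assumed SMTP gateway
        -From 'notification@contoso.com' -To 'administrator@contoso.com' `
        -Subject "[Warning] $($stale.Count) stale record(s) in $zone will be removed at the next scavenging cycle" `
        -Body $body
}
```

Schedule it on the scavenging server shortly before each cycle, as the article suggests; a sudden jump in the count is the signal to look at timestamp replication before the cycle runs, not after.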


Other references for DNS Aging and Scavenging:

Don't be afraid of DNS Scavenging. Just be patient: http://blogs.technet.com/b/networking/archive/2008/03/19/don-t-be-afraid-of-dns-scavenging-just-be-patient.aspx

DNS Scavenging internals (or what is the dnsTombstoned attribute) for AD Integrated zones: http://blogs.technet.com/b/isrpfeplat/archive/2010/09/23/dns-scavenging-internals-or-what-is-the-dnstombstoned-attribute-for-ad-integrated-zones-dstombstoneinterval-dnstombstoned.aspx