Recipe 13.10 Scavenging Old Resource Records

13.10.1 Problem

You want to scavenge old resource records. DNS scavenging is the process whereby resource records are automatically removed if they are not updated after a period of time. Typically, this applies to only resource records that were added via DDNS, but you can also scavenge manually added, also referred to as static, records. DNS scavenging is a recommended practice so that your DNS zones are automatically kept clean of stale resource records.

13.10.2 Solution

The following solutions will show how to enable automatic scavenging on all AD-integrated zones.

13.10.2.1 Using a graphical user interface
  1. Open the DNS Management snap-in.

  2. If an entry for the DNS server you want to connect to does not exist, right-click on DNS in the left pane and select Connect to DNS Server. Select This computer or The following computer, enter the server you want to connect to (if applicable), and click OK.

  3. Click on the server, right-click on it, and select Set Aging/Scavenging for all zones.

  4. Check the box beside Scavenge stale resource records.

  5. Configure the No-Refresh and Refresh intervals as necessary and click OK.

  6. Check the box beside Apply these settings to the existing Active Directory-integrated zones and click OK.

  7. Right-click on the server again and select Properties.

  8. Select the Advanced tab.

  9. Check the box beside Enable automatic scavenging of stale resource records.

  10. Configure the scavenging period as necessary.

  11. Click OK.

13.10.2.2 Using a command-line interface
> dnscmd <DNSServerName> /config /ScavengingInterval <ScavengingMinutes>
> dnscmd <DNSServerName> /config /DefaultAgingState 1
> dnscmd <DNSServerName> /config /DefaultNoRefreshInterval <NoRefreshMinutes>
> dnscmd <DNSServerName> /config /DefaultRefreshInterval <RefreshMinutes>
> dnscmd <DNSServerName> /config ..AllZones /aging 1
13.10.2.3 Using VBScript
' This code enables scavenging for all AD-integrated zones
' ------ SCRIPT CONFIGURATION ------
strServer = "<DNSServerName>"
intScavengingInterval = <ScavengingMinutes>
intNoRefreshInterval  = <NoRefreshMinutes>
intRefreshInterval    = <RefreshMinutes>
' ------ END CONFIGURATION ---------

set objDNS = GetObject("winMgmts:\\" & strServer & "\root\MicrosoftDNS")
set objDNSServer = objDNS.Get("MicrosoftDNS_Server.Name="".""")

objDNSServer.ScavengingInterval        = intScavengingInterval
objDNSServer.DefaultNoRefreshInterval  = intNoRefreshInterval
objDNSServer.DefaultRefreshInterval    = intRefreshInterval
objDNSServer.DefaultAgingState         = TRUE
objDNSServer.Put_
WScript.Echo "Configured server scavenging settings"

set objZones = objDNS.ExecQuery("Select * from MicrosoftDNS_Zone " & _
                                "Where DnsServerName = '" & _
                                       objDNSServer.Name & "'" & _
                                "  And DsIntegrated = TRUE") 
WScript.Echo "Configuring AD-integrated zones: "
for each objZone in objZones
   WScript.Echo " " & objZone.Name & " HERE: " & objZone.Aging
   objZone.Aging = 1
   objZone.Put_
next

13.10.3 Discussion

There are four settings you need to be aware of before enabling scavenging. You must use caution when enabling scavenging because an incorrect configuration could lead to resource records getting deleted by mistake.

The first setting you have to configure is the scavenging interval. This is the interval in which the DNS server will kick off the scavenging process. It is disabled by default so that scavenging does not take place unless you enable this setting. The default value is 168 hours, which is equivalent to 7 days.

The second setting is the default aging state for new zones. If you want all new zones to be configured for scavenging, set this to 1.

The next two settings control how records get scavenged. The no refresh interval determines how long before a dynamically updated record can be updated again. This setting is necessary to reduce how often a DNS server has to update its timestamp of the resource record. The default value is 168 hours (7 days). That means that after a resource record has been dynamically updated, the server will not accept another dynamic update for the same record for another 7 days. If the IP address or some other data for the record changes, the server will accept that.

The refresh interval setting is the amount of time after the no refresh interval that a client has to update its record before it is considered old or stale. The default value for this setting is also 168 hours (7 days). If you use the default values, the combination of the no refresh interval and refresh interval would mean that a dynamically updated record would not be considered stale for up to 14 days after its last update. In actuality, it could be up to 21 days before the record is deleted if the record became stale right after the last scavenge process completed7 days (no refresh) + 7 days (refresh) + up to 7 days (scavenge process).



    Chapter 3. Domain Controllers, Global Catalogs, and FSMOs
    Chapter 6. Users
    Appendix A. Tool List