How to Configure DNS Aging and Scavenging (Cleanup Stale DNS Records)

by Robert Allen

In this tutorial, I’ll walk through, step by step, how to set up DNS aging and scavenging on Windows DNS servers.

What is DNS Aging and Scavenging? 

It is a Windows DNS Server feature that automates the cleanup of stale, dynamically registered DNS records.

  • DNS scavenging only removes records based on their timestamp.
  • DNS scavenging does not remove statically configured records. These are records that were created manually or converted from dynamic (DDNS) to static.
  • DNS scavenging is not enabled by default.

Do I really need to enable DNS Scavenging? 

It depends. In small environments with little or no change it’s probably not a big deal. In medium to large environments I’d recommend turning this feature on: if stale DNS records are not cleaned up, DNS can become a big mess and cause name resolution problems.

How to Configure DNS Aging and Scavenging on Server 2016 

In this tutorial I’m using a Windows Server 2016 machine; these steps also work on other server versions (2008 through 2019).

Step 1: Check Server DNS Records (Very Important First Step) 

If you don’t follow this step first you could end up deleting server DNS records, and that would be very BAD. As a precaution, you may also want to back up your DNS server and/or its records.

Scavenging works on timestamps, so any DNS record with a timestamp will be processed and possibly deleted. I recommend you check your server DNS records and make sure they are static.

To check your records, open the DNS console and look at the Timestamp column; your servers should show as static.

You can see below my DHCP1 server has a timestamp and is not static. I will need to fix this.

The fix is simple: open the record and uncheck the box “Delete this record when it becomes stale”.

Now when I refresh my DNS console the timestamp shows static for this record. 

Check all your server records and change them to static before moving on to the next step. 
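An added example (not from the article) that does the Step 1 check from PowerShell instead of the console: it lists the A records in a zone that still carry a timestamp and flags any whose host name is on a list of servers you supply. The zone name, DNS server name and server list are placeholders.

```powershell
# Added example, not part of the original article. Placeholders: replace with your own values.
$ZoneName  = "corp.example.com"                  # placeholder zone
$DnsServer = "dc1"                               # placeholder DNS server to query
$Servers   = @("dc1", "dc2", "dhcp1", "fs1")     # placeholder list of server hostnames

# A static record has no Timestamp ($null); a dynamic record carries its last refresh time
# and is therefore a candidate for scavenging.
$dynamic = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ZoneName -RRType A |
    Where-Object { $null -ne $_.Timestamp }

# Keep only the dynamic records that belong to the servers we care about.
$flagged = $dynamic | Where-Object { $Servers -contains $_.HostName }

if ($flagged) {
    Write-Warning "Server A records in $ZoneName that are still dynamic and would be subject to scavenging:"
    $flagged |
        Select-Object HostName,
                      @{ Name = 'IPv4Address'; Expression = { $_.RecordData.IPv4Address } },
                      Timestamp |
        Format-Table -AutoSize
    # Fix each one in the DNS console by unchecking "Delete this record when it becomes stale".
} else {
    Write-Output "All listed server A records in $ZoneName are static."
}
```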

Step 2: Set Scavenging on the DNS Zone

1. Open the DNS Console

2. Right-click the zone you want to enable scavenging on and click Properties

3. Click the Aging button

4. Now check the box “Scavenge stale resource records”

The no-refresh interval is the amount of time that must elapse before a DNS client or DHCP server can refresh the timestamp on a record.

The refresh interval is the amount of time, after the no-refresh interval, during which a record’s timestamp can be refreshed; a record whose timestamp is not refreshed in that window becomes eligible for scavenging.

The combined duration of these two intervals determines how long a record can exist in the DNS database before it is scavenged. For example, in the screenshot above I have both intervals set to 7 days, which means a record can exist for up to 14 days before it is scavenged.

The combination of no-refresh interval and refresh interval should be equal to or less than your DHCP lease duration.

For example, if your DHCP lease duration is 14 days then you would set both intervals to 7 days.

If your DHCP lease duration is 8 days then you would set both intervals to 4 days.

That completes setting up aging for the zone. Now it needs to be turned on at the server level.

Step 3: Set Scavenging/Aging on the DNS Server

1. Open the DNS Console 

2. Right click the DNS server

3. Click the “Advanced” tab, then check “Enable automatic scavenging of stale records”

That completes the setup of DNS aging and scavenging. 
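An added example (not from the article) that performs Steps 2 and 3 from PowerShell and derives the intervals from the DHCP lease using the rule given above (no-refresh plus refresh must not exceed the lease). It assumes the DNS Server and DHCP Server PowerShell modules are available; the zone, server and scope names are placeholders.

```powershell
# Added example, not part of the original article. Placeholders: replace with your own values.
$ZoneName   = "corp.example.com"   # placeholder zone
$DnsServer  = "dc1"                # placeholder DNS server
$DhcpServer = "dhcp1"              # placeholder DHCP server
$ScopeId    = "192.168.0.0"        # placeholder scope whose lease length drives the intervals

# Read the scope's lease duration as a TimeSpan (e.g. 8.00:00:00 for an 8-day lease).
$lease = (Get-DhcpServerv4Scope -ComputerName $DhcpServer -ScopeId $ScopeId).LeaseDuration

# Split the lease evenly, rounding down to whole hours, so that
# no-refresh + refresh never exceeds the lease (8 days -> 4 + 4; 14 days -> 7 + 7; 9 hours -> 4 + 4).
$halfHours = [math]::Floor($lease.TotalHours / 2)
if ($halfHours -lt 1) { throw "Lease $lease is too short to split into two intervals." }
$noRefresh = New-TimeSpan -Hours $halfHours
$refresh   = New-TimeSpan -Hours $halfHours

if (($noRefresh + $refresh) -gt $lease) {
    throw "Intervals ($noRefresh + $refresh) exceed the DHCP lease ($lease); adjust manually."
}

# Step 2 equivalent: enable aging on the zone with the computed intervals.
Set-DnsServerZoneAging -ComputerName $DnsServer -Name $ZoneName -Aging $true `
    -NoRefreshInterval $noRefresh -RefreshInterval $refresh

# Step 3 equivalent: enable automatic scavenging on the server. ScavengingInterval is
# how often the server runs its cleanup pass; here it runs once per refresh interval.
Set-DnsServerScavenging -ComputerName $DnsServer -ScavengingState $true -ScavengingInterval $refresh

# Verify both settings took effect.
Get-DnsServerZoneAging -ComputerName $DnsServer -Name $ZoneName |
    Select-Object ZoneName, AgingEnabled, NoRefreshInterval, RefreshInterval, ScavengeServers
Get-DnsServerScavenging -ComputerName $DnsServer |
    Select-Object ScavengingState, ScavengingInterval, LastScavengeTime
```

Run the Step 1 check on server records before applying this; nothing here converts a dynamic record to static.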

Resources: 

How DNS Aging and Scavenging Works


28 thoughts on “How to Configure DNS Aging and Scavenging (Cleanup Stale DNS Records)”

  1. Curious why you would make server records static in step 1? The DNS clients on the servers update their own records just like workstations. Isn’t that the whole point of aging/scavenging? So that when you retire or re-IP a machine, including a server, you don’t have to go manually clean up DNS records?

    • You can skip this step if you want to scavenge server DNS records. As servers can provide critical services, I prefer to manually clean up the DNS records (I include it in a checklist when decommissioning a server).

  2. Hi, same question as Sitaram Nayak: what happens to all the other dynamic records?

    _msdsc, _services, _sites, _tcp, _udp, DomainDnsZones, ForestDnsZones etc.

    Are these records deleted when scavenging is executed?

    Thank you very much!

  3. I have multiple DHCP scopes with leases set to 9 hours. What should my DNS scavenging – refresh – non-refresh times be set to?

  4. In an AD-Integrated DNS zone, especially in large environments, should all servers be configured for scavenging or should you only configure one server for scavenging? I have 13 DNS servers that I am reconfiguring based on your article and I am wondering if I need to do these steps on all of them or just pick one to control scavenging.

  5. I noticed that your dc1 and (same as parent folder) entries have the same IP (192.168.0.201), but dc1 is static while (same as parent folder) is dynamic. Is there a reason for that, or should they both be static?

  6. Hi,
    When scavenging happens, will it process the Active Directory domain-related records like domain controller records and Name Server (NS) records? There will be several folders within the domain zone like _msdsc, _services, _sites, _tcp, _udp, DomainDnsZones, ForestDnsZones etc. All of these will have records which have “Delete this record when it becomes stale” checked. So scavenging will process these records as well, and if the timestamp is older, then it will delete these as well? Do we need to set these records also to static before enabling scavenging on the DNS server?

    Thanks & Regards

  7. In the picture just above the second step, there is a row with the 192.168.0.201 IP, and that record will be deleted if anyone starts a scavenge, am I right? What happens if it is executed and that record disappears from the zone?

    • I would have your workstation scopes on the same lease period, with the exception of an imaging scope, which should be much shorter. Printers and other devices don’t really matter.

  8. Why not have it run daily for items 7 days old. If you have it run every 7 days and the no refresh is 7 days and the refresh is 7 days you are 21 days out.

  9. In the no-refresh and refresh interval you set a period of 7 days because the DHCP lease period is 8 days. In one of the resources I have used, SolarWinds, they say the combined period of no-refresh and refresh should be less than or equal to the lease period. What is your opinion about this?

    • That’s exactly how you should do it: “no-refresh interval” plus “refresh interval” mustn’t exceed the maximum DHCP lease period.

      • So then you are saying the article here is incorrect because he has each interval set to 7 days. Meaning a combined period of 14 days, although the DHCP lease period is only 8 days?

        • I’ve updated the article, it was incorrect.

          The combination of no-refresh interval and refresh interval should be equal to or less than your DHCP lease duration.

          • The example in this guide focused on AD integrated zones. I cannot find any documentation/examples with non integrated zones. Do you see the Aging button on the zone general page?

      • Hello, so to clarify, setting both the no-refresh and refresh intervals to 7 would yield 7+7 = 14, which is greater than the DHCP lease time. Rather than 7 and 7, we would want 3 and then 4, or 4 and then 3, set for the no-refresh and refresh time in days. Is that the correct setting for those two considering an 8-day DHCP lease time?
