In this tutorial, I’ll show you step by step instructions for setting up DNS aging and scavenging on Windows DNS Servers.
What is DNS Aging and Scavenging?
It is a Windows DNS Server feature that will automate the cleanup of stale dynamically registered DNS records.
- DNS Scavenging will only remove records based on their timestamp.
- DNS scavenging will not remove statically configured records. These are records manually created or changed from DDNS to static.
- DNS scavenging is not enabled by default.
Do I really need to enable DNS Scavenging?
It depends. In small environments with little or no change it’s probably not a big deal. In medium to large environments I’d recommend turning this feature on: DNS can become a big mess and cause name resolution problems if stale DNS records are not cleaned up.
How to Configure DNS Aging and Scavenging on Server 2016
In this tutorial I’m using a Windows Server 2016 machine; these steps will also work on other server versions (2008 – 2019).
Step 1: Check Server DNS Records (Very Important First Step)
If you don’t follow this step first, you could end up deleting server DNS records, and that would be very BAD. As a precaution, you may also want to back up your DNS server and/or its records.
Scavenging works on timestamps, so any DNS record with a timestamp will get processed and possibly deleted. I therefore recommend you check your server DNS records and make sure they are static.
To check your records, open the DNS console and look at the Timestamp column; your servers should show as static.
You can see below my DHCP1 server has a timestamp and is not static. I will need to fix this.
The fix is simple: just open the record, then uncheck the box “Delete this record when it becomes stale”.
Now when I refresh my DNS console the timestamp shows static for this record.
Check all your server records and change them to static before moving on to the next step.
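The check described in Step 1 can be done for a whole zone at once. The following PowerShell is an added, read-only example (not from the original article) that lists every dynamic A record belonging to a computer that Active Directory reports as running a server operating system, and separately lists records that are already past the zone's no-refresh plus refresh window, i.e. what the next scavenging pass would remove. It assumes the DnsServer and ActiveDirectory RSAT modules are installed and that the zone name is a placeholder for your own zone.

```powershell
# Added example, not part of the original article. Read-only audit.
# Assumptions: DnsServer and ActiveDirectory modules are available;
# 'ad.example.com' is a placeholder zone name.
Import-Module DnsServer
Import-Module ActiveDirectory

$ZoneName = 'ad.example.com'   # placeholder, replace with your zone

# Computers that AD reports as servers, by OS description.
$serverNames = Get-ADComputer -Filter 'OperatingSystem -like "*Server*"' -Properties OperatingSystem |
    Select-Object -ExpandProperty Name

# Every A record in the zone. A static record has no Timestamp; a dynamically
# registered record carries its last refresh time and is therefore scavengeable.
$records = Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType A

# Dynamic records whose host name matches a server object in AD.
# The "@" (same as parent folder) record is never matched here and is left alone.
$dynamicServerRecords = $records | Where-Object {
    $_.Timestamp -and ($serverNames -contains $_.HostName)
}

# Records already older than NoRefresh + Refresh for this zone.
$aging  = Get-DnsServerZoneAging -Name $ZoneName
$cutoff = (Get-Date) - ($aging.NoRefreshInterval + $aging.RefreshInterval)
$staleRecords = $records | Where-Object { $_.Timestamp -and ($_.Timestamp -lt $cutoff) }

'Dynamic A records that belong to servers (make these static before enabling scavenging):'
$dynamicServerRecords |
    Select-Object HostName, Timestamp, @{ n = 'IPv4'; e = { $_.RecordData.IPv4Address } } |
    Format-Table -AutoSize

'Records already older than NoRefresh + Refresh (cutoff {0}):' -f $cutoff
$staleRecords | Select-Object HostName, Timestamp | Format-Table -AutoSize
```

Run it on a DNS server or a workstation with RSAT before Step 2, and fix each listed server record in the console as described above. The second list is worth reading even if it is empty: a long list of long-dead workstation names is exactly the mess scavenging is meant to clean up, while a server name in it means the audit is not finished.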
Step 2: Set Scavenging on the DNS Zone
1. Open the DNS console.
2. Right-click the zone you want to enable scavenging on and click Properties.
3. Click the Aging button.
4. Now check the box “Scavenge stale resource records”.
No-refresh interval is the amount of time that must elapse before a DNS client or DHCP server can refresh a timestamp for a record.
Refresh interval is the amount of time that a record is allowed to remain in the DNS database after its timestamp has been refreshed.
The combined duration of these two intervals determines how long a record can exist in the DNS database before it is scavenged. For example, above I have both intervals set to 7 days, this means a record can exist for up to 14 days before it is scavenged.
The combination of no-refresh interval and refresh interval should be equal to or less than your DHCP lease duration.
For example, if your DHCP lease duration is 14 days then you would set both intervals to 7 days.
If your DHCP lease duration is 8 days then you would set both intervals to 4 days.
That completes setting up aging for the zone. Now it needs to be turned on the server.
Step 3: Set Scavenging/Aging on the DNS Server
1. Open the DNS console.
2. Right-click the DNS server and click Properties.
3. Click the “Advanced” tab, then check “Enable automatic scavenging of stale records”.
That completes the setup of DNS aging and scavenging.
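Steps 2 and 3, together with the interval rule above (no-refresh plus refresh must not exceed the DHCP lease), can be scripted so the numbers are derived rather than typed. The following PowerShell is an added example, not the article's own procedure. It reads the shortest lease across the DHCP scopes, splits it in half in whole hours (so it also covers leases shorter than a day), refuses to continue if the sum would exceed the lease, enables aging on the zone restricted to a single scavenging server, and turns automatic scavenging on for that server. The DnsServer and DhcpServer RSAT modules, and the zone, DNS server and DHCP server names, are assumptions.

```powershell
# Added example, not part of the original article.
# Assumptions: DnsServer and DhcpServer modules are available; the names
# below are placeholders for your own zone, DNS server and DHCP server.
Import-Module DnsServer
Import-Module DhcpServer

$ZoneName   = 'ad.example.com'   # placeholder
$DnsServer  = 'dns1'             # the one server that will run scavenging
$DhcpServer = 'dhcp1'            # placeholder

# Shortest lease across all scopes drives the sizing, because
# NoRefresh + Refresh must be less than or equal to the lease duration.
$lease = Get-DhcpServerv4Scope -ComputerName $DhcpServer |
    Sort-Object LeaseDuration |
    Select-Object -First 1 -ExpandProperty LeaseDuration

# Split the lease in half, rounding down to whole hours (the unit the DNS
# server stores). An 8-day lease gives 96h + 96h; a 9-hour lease gives 4h + 4h.
$halfHours = [math]::Floor($lease.TotalHours / 2)
if ($halfHours -lt 1) { throw "Lease of $lease is too short to split into whole hours" }
$noRefresh = New-TimeSpan -Hours $halfHours
$refresh   = New-TimeSpan -Hours $halfHours

if (($noRefresh + $refresh) -gt $lease) {
    throw "NoRefresh + Refresh ($($noRefresh + $refresh)) exceeds the DHCP lease ($lease)"
}

# Step 2 equivalent: enable aging on the zone with the derived intervals and
# allow only $DnsServer to scavenge it, so a single server runs the cleanup.
$scavengerIPs = [System.Net.Dns]::GetHostAddresses($DnsServer) |
    Where-Object { $_.AddressFamily -eq 'InterNetwork' }

$zoneAging = @{
    Name              = $ZoneName
    Aging             = $true
    NoRefreshInterval = $noRefresh
    RefreshInterval   = $refresh
    ScavengeServers   = $scavengerIPs
}
Set-DnsServerZoneAging @zoneAging

# Step 3 equivalent: turn on automatic scavenging on that server.
# ScavengingInterval is how often the server runs a pass; a record is only
# removed on the first pass after it has aged past NoRefresh + Refresh.
$serverScavenging = @{
    ComputerName       = $DnsServer
    ScavengingState    = $true
    ScavengingInterval = New-TimeSpan -Days 7
}
Set-DnsServerScavenging @serverScavenging

# Verify what was applied.
Get-DnsServerZoneAging -Name $ZoneName
Get-DnsServerScavenging -ComputerName $DnsServer
```

The ScavengingInterval is deliberately separate from the two aging intervals: it only controls how often the server looks for eligible records, so a 7-day interval on top of 7 + 7 days of aging means a dead record can survive up to 21 days, while a daily interval keeps the lag to one day. Re-run the Get-DnsServerZoneAging check after any later change to the DHCP lease, since the intervals do not follow the lease automatically.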
Resources:
Curious why you would make server records static in step 1? The DNS clients on the servers update their own records just like workstations. Isn’t that the whole point of aging/scavenging? So that when you retire or re-IP a machine, including a server, you don’t have to go manually clean up DNS records?
You can skip this step if you want to scavenge server DNS records. As servers can provide critical services, I prefer to manually clean up the DNS records (I include it in a checklist when decommissioning a server).
Hi, same question as Sitaram Nayak: what happens to all other dynamic records?
_msdsc, _services, _sites, _tcp, _udp, DomainDnsZones, ForestDnsZones etc.
Are these records deleted when scavenging is executed?
Thank you very much!
I have multiple DHCP scopes with leases set to 9 hours. What should my DNS scavenging – refresh – non-refresh times be set to?
In an AD-Integrated DNS zone, especially in large environments, should all servers be configured for scavenging or should you only configure one server for scavenging? I have 13 DNS servers that I am reconfiguring based on your article and I am wondering if I need to do these steps on all of them or just pick one to control scavenging.
Microsoft recommends enabling it on one DNS server.
Microsoft had a really good article on this but they removed it. Here is an archived link. https://web.archive.org/web/20160428150734/https://blogs.technet.microsoft.com/networking/2008/03/19/dont-be-afraid-of-dns-scavenging-just-be-patient/
I noticed that your dc1 and “(same as parent folder)” entries have the same IP (192.168.0.201), but dc1 is static while “(same as parent folder)” is dynamic. Is there a reason for that, or should they both be static?
“(same as parent folder)” is an A record for the domain. It should be left alone; do not modify it.
Hi,
When scavenging happens, will it process the Active Directory domain-related records like domain controller records and Name Server (NS) records? There are several folders within the domain zone like _msdsc, _services, _sites, _tcp, _udp, DomainDnsZones, ForestDnsZones etc. All of these have records with “Delete this record when it becomes stale” checked. So will scavenging process these records as well, and if the timestamp is older, delete them too? Do we need to set these records to static as well before enabling scavenging on the DNS server?
Thanks & Regards
In the picture just above the second step there is a row with the 192.168.0.201 IP, and that record will be deleted if anyone starts a scavenge, am I right? What happens if it is executed and that record disappears from the zone?
And what do I need to do when I have multiple DHCP scopes with different lease periods? (ranging from 4 hours to 5 days)
I would have your workstation scopes be on the same lease period, with the exception of an imaging scope, which should be much shorter. Printers and other devices don’t really matter.
Thanks for the info. It’s really nice.
Why not have it run daily for items 7 days old? If you have it run every 7 days, and the no-refresh is 7 days and the refresh is 7 days, you are 21 days out.
Thanks a lot for all
Vital Information!
If you don’t see the delete-when-stale tickbox, click on the View menu and make sure Advanced is enabled.
Good tip. Thanks Mike
Thank you!
In the non-refresh and refresh interval you set a period of 7 days because the DHCP lease period is 8 days. In one of the resources I have used, SolarWinds, they say the combined period of non-refresh and refresh should be less than or equal to the lease period. What is your opinion about this?
That’s exactly how you should do it: “non-refresh interval” plus “refresh interval” mustn’t exceed the maximum DHCP lease period.
So then you are saying the article here is incorrect, because he has each interval set to 7 days, meaning a combined period of 14 days, although the DHCP lease period is only 8 days?
I’ve updated the article, it was incorrect.
The combination of no-refresh interval and refresh interval should be equal to or less than your DHCP lease duration.
Hey Robert, is this related to AD-integrated DNS only, or is it also applicable without AD integration?
The example in this guide focused on AD integrated zones. I cannot find any documentation/examples with non integrated zones. Do you see the Aging button on the zone general page?
Hello, so to clarify, setting both the non-refresh and refresh intervals to 7 would yield 7+7 = 14, which is greater than the DHCP lease time. Rather than 7 and 7, we would want 3 and then 4, or 4 and then 3, set for the non-refresh and refresh time in days. Is that the correct setting for those 2 considering an 8-day DHCP lease time?
Thanks. Easy to follow and implement.
Thanks for healthy information. You make my day.