Don't be afraid of DNS Scavenging. Just be patient.

re: Don't be afraid of DNS Scavenging. Just be patient.

Joel Miller — Tue, 23 Sep 2008 20:15:50 GMT

Thanks very much for a well written explanation of the failsafes and timeframes involved in enabling scavenging.

re: Don't be afraid of DNS Scavenging. Just be patient.

hilde — Tue, 07 Oct 2008 16:09:29 GMT

Scavenging is one of the most complicated aspects of MS DNS. It isn't simple to predict what will happen or when it will happen. Personally, I think it should be enabled by default and set fairly aggressively but I'm jaded from my personal experience. GREAT info in the blog; VERY helpful! Keep up the posting - this stuff is sooo helpful to the troops in the field.

re: Don't be afraid of DNS Scavenging. Just be patient.

simon — Thu, 09 Oct 2008 15:16:30 GMT

during the sanity phase you advised to look at records older than refresh and no refresh interval, before checking Do I have to run scavenging manually from the GUI with the option "Scavenge stale resource record" ?

re: Don't be afraid of DNS Scavenging. Just be patient.

simon — Thu, 09 Oct 2008 15:17:35 GMT

Thanks indeed for the docs it is very helpfull

re: Don't be afraid of DNS Scavenging. Just be patient.

JoshJones — Wed, 15 Oct 2008 23:10:21 GMT

Simon,

When doing the sanity check you (the admin) are really in read-only mode. You are just looking through your records. If you've done the previous steps then records should be getting updated regularly via DDNS. This point is your last chance to catch anything that's not working before scavenging truly begins.

It's a tedious but important step. If you are managing large DNS zones then you could automate it to some degree by using DNScmd to export the zone then scrub it via script, Excel, or something similar.

Manually scavenging is often of little use. If scavenging is properly setup then it will work without intervention. If it is not properly setup then both automatic and manual attempts will fail. aka... "I'm hitting this 'scavenge now' button like a snare drum and nothing is happening. Why?" :)

Hilde,

I agree. The best way to do scavenging is to flip it on when the zone is first created and is still empty. Any RRs that appear in the zone from DDNS are obviously working ok. Any RRs that you create manually will have the scavenge checkbox cleared by default. Either way you are safe.

I'm not sure I would want the default settings to be more aggressive though. The 7 and 7 day intervals seem rather arbitrary at first but when you look at the default DHCP lease time of 8 days it makes more sense. DHCP attempts a renew at half the lease interval right? So 4 days + 2 days + 1 day = 3 attempts within a single 7 day interval.

Thanks for the feedback everyone!

-Josh

re: Don't be afraid of DNS Scavenging. Just be patient.

Brian Jester — Thu, 16 Oct 2008 22:40:23 GMT

I added a Host (A) record for my UNIX client (sunws1) and an Alias (CNAME) record (activedsvr) for the DC as the (Kerberos) KDC that my UNIX machine will authenticate to. After a week or so, I noticed I couldn't authenticate from the UNIX client to my DC, and all my DNS records I had added were gone - scavenged I believe. I only have one DC, and I'm not replicating to any other DC. It's a closed test network. I turned off scavenging, but why would I ever want my aliases and host records to disappear? Or is this only an issue when a system has only one (1) DC (and not replicating anywhere)?

re: Don't be afraid of DNS Scavenging. Just be patient.

JoshJones — Tue, 21 Oct 2008 22:10:19 GMT

Brian,

Scavenging is a solution for some problems that creep up when using dynamic DNS. When clients update their own records there are situations where incorrect or outdated records can be left behind. For example, mobile clients roaming between two DHCP servers can cause fits with the PTR records that some unix apps use for "client verification".

Scavenging will never delete a static record and you would never want it to.

If you created a static record and found it disappeared then either the scavenge checkbox got checked or a client came along and made an update to this record and in doing so flipped it from static to dynamic. Setting DNS to only accept secure dynamic updates will prevent this as the DDNS client will have no permissions to the record (barring use of the DNSupdateProxy group).

In the case of a Domain Controller (Microsoft KDC) it will continuously update it's records so even with scavenging they will not disappear. If for some reason the DC goes offline for an extended period then scavenging will take out the record just as you would want it to. It will reappear if the server ever comes up again.

-Josh

re: Don't be afraid of DNS Scavenging. Just be patient.

Simon — Wed, 29 Oct 2008 11:52:03 GMT

Thanks for this usefull reply. I've got a question about record ownership in DNS. When I try to see whom is the owner of a dynamic record, the owner tab always display "SYSTEM" on the "current owner of this item:" field. Is that correct ?

re: Don't be afraid of DNS Scavenging. Just be patient.

Hermann — Mon, 17 Nov 2008 11:42:57 GMT

Thank you, great article! Only one correction. We had a problem with the "Setup Phase". You wrote

1. ... DNSCmd /ZoneResetScavengeServers can be used ...

2. Turn on scavenging on the zones ...

But the command in (1.) does not work before scavenging in turned on at the zone level.

Otherwise:

Error, failed reset of scavenge servers on zone rsint.net. Status = 9611

Command failed: DNS_ERROR_INVALID_ZONE_TYPE 9611

We opened a call at microsoft and they told us we have to enable scavenging on the zone first. Not logical but that's it!

Hermann

re: Don't be afraid of DNS Scavenging. Just be patient.

Derick — Wed, 26 Nov 2008 17:28:24 GMT

Very good explanation, especially compared to other articles including Microsoft Technet. Thank you.

re: Don't be afraid of DNS Scavenging. Just be patient.

Tony — Thu, 11 Dec 2008 20:43:33 GMT

Does anyone know of a CD/DVD step-by-step video instruction on DNS? I am a visual person and feel more comfortable.

re: Don't be afraid of DNS Scavenging. Just be patient.

Bill — Fri, 12 Dec 2008 00:59:07 GMT

Should I set all of the DNS records (servers, etc.) to no refresh, i.e., no to delete this record when it becomes stale?

How do we know what got killed?

banduraj — Mon, 15 Dec 2008 20:36:03 GMT

I, personally, would perfer just a little more info out of the 2501 events. Aside from doing an export of the zones before and after, I have no way of telling what got axed. Are there any methods to getting some kind of report as to what zones got scavenged?

re: Don't be afraid of DNS Scavenging. Just be patient.

Tom — Tue, 30 Dec 2008 23:11:42 GMT

Very well written and informative. Thanks.

Another tidbit; If you want to test by manualy starting the Scavenge process, you can "Scavenge Stale Resource Records" from the Action menu. The system will only allow you to do this once very 30 minutes.

re: Don't be afraid of DNS Scavenging. Just be patient.

jdanoviz — Fri, 16 Jan 2009 02:39:16 GMT

Super important before enabling DNS Scavenging is to verify that the DHCP Client Service for DCs and all important member servers is up and runnning!

If not A and PTR records will not be refreshed (Note: this DNS registration function has been moved to the DNS Client in Windows 2008), you'll have all SRV records for DCs thanks to the Netlogon Service but without the A records they will end up being useless...

This is another known reason for "I woke up this morning, and my Active Directory (and/or critical servers) was sitting in a corner rocking back and forth crying. What happened?"

re: Don't be afraid of DNS Scavenging. Just be patient.

dougga — Fri, 16 Jan 2009 07:11:22 GMT

Either I didn't see it, or it isn't in the write up. IIRC the scavenging server resets its timer for the scavenging event on reboot or restart of DNS service. Which would meen the 2501/2502 may not be a valid gauge of the next scavenging event. Is that true?

re: Don't be afraid of DNS Scavenging. Just be patient.

Raj — Fri, 23 Jan 2009 11:51:38 GMT

In manual and auto scavenging we will not be knowing what are the records get deleted.

How to check what are all the records will get scavenged before starting manual scavenging of stale records. Any command or Script?

re: Don't be afraid of DNS Scavenging. Just be patient.

Josh — Tue, 03 Feb 2009 22:20:57 GMT

We enabled scavenging last Thursday and it is scheduled to scavenge for its first time after 7 days. In the meantime we found that our printers had A-Host records that had their box checked for scavenge stale. Since we use DHCP mac-reservations for these printers they have not been updating the DNS record, thus are stale. We have since unchecked that box on all printers, however I am not sure whether or not the list of scavenged items was already marked last Thursday when we enabled scavenging, or if it waits until this Thursday and rechecks all records prior to its sweep action. Does anyone know? Thx

re: Don't be afraid of DNS Scavenging. Just be patient.

dougga — Mon, 09 Feb 2009 06:11:51 GMT

Josh, So the scavening service will not check the "delete when stale" check box. So if you have manaually unchecked static records they are safe from scavenging.

You can run DNSCMD /zoneExport zonename

This sends a text folder to system32/dns folder and all records that are marked for deletion (aging) have the word Age in the text output. You should then be able to parse through the data realatively easily to find the static records.

re: Don't be afraid of DNS Scavenging. Just be patient.

dougga — Mon, 09 Feb 2009 06:13:25 GMT

To answer my own question above I setup a lab with a 2 day setting on the savenging server and ran a scheduled task to restart DNS once a day.

Scavening ceased to occur.

So as far as I can tell a restart of DNS (reboots count) resets the counter for scavenging.

Optimizing your network to keep your DNS squeaky clean

Microsoft Enterprise Networking Team — Mon, 09 Feb 2009 23:55:52 GMT

I have run into this issue several times: My customer has a fairly large network, with several subnets.

re: Don't be afraid of DNS Scavenging. Just be patient.

Arvid Carlander — Thu, 19 Feb 2009 13:10:47 GMT

I am about to enable scavenging on a large domain at zone level following the advice in this article. In preparation, I need to disable scavenging at DC level using the dnscmd /zoneresetscavengeservers command to prevent the risk of some DC already being configured to scavenge.

As previously commented, this can only be done if the zone is enabled for scavenging.

How do I get past this hurdle? If I enable scavenging in the zone now, there will be a risk of records being scavenged before their current timestamps are replicated.

The only option I can see is to manually go through all DCs and until scavenging.

Any ideas?

re: Don't be afraid of DNS Scavenging. Just be patient.

stevo — Fri, 20 Feb 2009 22:47:44 GMT

As noted above, does a static DSN record get scavenged if it is set to be delete for becoming stale? If so how can we make static DNS entries never get touched?

re: Don't be afraid of DNS Scavenging. Just be patient.

PEP — Tue, 24 Feb 2009 16:09:25 GMT

Great article.. But in my DNS i can see the serveres with static IP adresses haven't got a recent time stamp. If I manually run ipconfig /registerdns on one of these serveres the timestamp is updated. How can I make sure that my records for serveres with static IP adresses wont get scavenged??? And why is the timestamp not updating - seems to have the date when the static IP adress was configured???

re: Don't be afraid of DNS Scavenging. Just be patient.

PEP — Tue, 24 Feb 2009 16:15:34 GMT

Great article - but in my DNS i have records from servers with static IP adresses that dosn't have a current timestamp. If i manually run ipconfig /registerdns the timestamp is updated correctly. It seems the timestamp is from when the machine first had a static IP adress. Why isn't the timestamp updated on serveres with static IP's and how can I avoid these records from being scavenged (without manually clearing the "Scavenge this record" check box)??

re: Don't be afraid of DNS Scavenging. Just be patient.

mikem — Tue, 24 Feb 2009 17:28:44 GMT

I believe static records do not get a timestamp and the "Delete this record when it becomes stale" box checked

There is a way to export the DNS zone to see the timestamp and flags for each record. I can't remember where but should be easy to find by a search

re: Don't be afraid of DNS Scavenging. Just be patient.

stevo — Wed, 25 Feb 2009 16:35:23 GMT

PEP,

Where are you seeing this timestamp? The DNS record isn't timestamped unless you have "Delete this record when it becomes stale" box checked.

re: Don't be afraid of DNS Scavenging. Just be patient.

stevo — Wed, 25 Feb 2009 23:54:30 GMT

TO export you can right click on the zone and click on export. This will create a .csv file or .txt to c:windows\system32\dns\backup.

re: Don't be afraid of DNS Scavenging. Just be patient.

Lee — Wed, 11 Mar 2009 18:15:33 GMT

Is there coresponding dnscmd option (or other tool) available to do Uncheck "Delete this record when it becomes stale" for my serveal hundreds servers (that were checked by defaul when the records were created)?

re: Don't be afraid of DNS Scavenging. Just be patient.

Thomas — Thu, 23 Apr 2009 23:44:37 GMT

I have a question:

What is the best configuration for a environment with many VPN connected clients?

My problem are double dns entries.

I am very interessted at the following values(days or hours??):

non-refresh:

refresh:

Scavenging:

DHCP lease:

re: Don't be afraid of DNS Scavenging. Just be patient.

Ed — Thu, 07 May 2009 17:06:00 GMT

Hi guys,

What's the process for checking the age of DNS records? I've exported the DNS data to a text file but it states "[AGE:3579465]" on all records, what does this mean and how do interpret this numbers?

Also I can't find a way of distinguishing between dynamic and static DNS entries, how can I confirm a static entry?

Thanks in advance.

AGE Calculation

Craig — Fri, 29 May 2009 23:31:31 GMT

The AGE is calculated by adding the age number (which is number of hours) to the date 1/1/1601..

So in C# you can calculate it like this..

DateTime rootTime = new DateTime(1601, 1, 1);

DateTime expires = rootTime.AddHours(age);

re: Don't be afraid of DNS Scavenging. Just be patient.

Milan Banjac — Thu, 11 Jun 2009 16:05:19 GMT

Hi Everyone,

This is a great blog post and explains a lot of things, but I have a problem I am not able to resolve.

It is said that in "Sanity Check" phase, most important step is to check for old Time Stamps for records. I found a script and exported Time Stamp information from one of the DCs, only to find out that if I export from another DC, Time Stamp data is different.

As it happens, Time Stamp info is not replicated between DCs if the zone is not set to be Aging.

How can I check my records if I have a lot of DCs (DNS servers) in different locations/AD sites, and DDNS process works on all of these servers?

How can I be sure what will be deleted, and which server should I choose to perform scavenging?

Thank you.

Answer to Ed

Milan Banjac — Thu, 11 Jun 2009 16:09:35 GMT

Ed,

Here is the script for exporting Time Stamp information from your DNS server:

On Error Resume Next

Const SERVER_NAME = "<DNSServer>"

Const DOMAIN_NAME = "<DomainNameToQuery>"

Const WBEM_RETURN_IMMEDIATELY = &h10

Const WBEM_FORWARD_ONLY = &h20

Set objWMIService = GetObject("winmgmts:\\" & SERVER_NAME & "\root\MicrosoftDNS")

Set colItems = objWMIService.ExecQuery("SELECT * FROM MicrosoftDNS_AType", "WQL", _

WBEM_RETURN_IMMEDIATELY + WBEM_FORWARD_ONLY)

For Each objItem In colItems

If InStr(1, objItem.DomainName, DOMAIN_NAME, VbTextCompare) > 0 Then

WScript.Echo "DnsServerName: " & objItem.DnsServerName

WScript.Echo "DomainName: " & objItem.DomainName

WScript.Echo "Name: " & objItem.OwnerName

WScript.Echo "IPAddress: " & objItem.IPAddress

If objItem.TimeStamp > 0 Then

WScript.Echo "Timestamp: " & DateAdd("h", objItem.TimeStamp, "1/1/1601 00:00:00 AM")

Else

WScript.Echo "Timestamp: Not Set"

End If

WScript.Echo

End If

re: Don't be afraid of DNS Scavenging. Just be patient.

Milan Banjac — Fri, 12 Jun 2009 16:22:48 GMT

Question regarding Sanity Check (the most important step):

We have a lot of DCs which are DNS servers, and the Time Stamp data for records is not the same on all servers, since this information is not replicated before enabling Aging and Scavenging.

How can we make sure that no important Host record will be deleted, when we have inconsistent time stamps among different DNS servers?

re: Don't be afraid of DNS Scavenging. Just be patient.

Joe Lewko — Mon, 29 Jun 2009 21:17:34 GMT

Milan,

I have the same question, I see inconsistent record time stamps across my DNS servers. Even after forcing replication across the Active Directory Integrated Zone.

If anybody has info on why, or how to fix, would appreciate it.

re: Don't be afraid of DNS Scavenging. Just be patient.

Robert Buckmaster — Wed, 08 Jul 2009 19:46:34 GMT

Would sure be nice to know WHICH records were removed and WHY in the default logging. Presumably we can get this info with debug logging, but who runs debug logging on their DNS servers 24/7?

Twice now I've had ACTIVE systems purged from DNS by scavenging. Yes, upon reboot the system will re-register its record, but the business process that access these systems via DNS 24/7 FAIL until the record is manually recreated or the system is rebooted. FLAWED DESIGN!!

re: Don't be afraid of DNS Scavenging. Just be patient.

Amarnath — Thu, 23 Jul 2009 10:31:33 GMT

Hi,

really its a great article about DNS scavenging.

I need help.

We are trying to understand why our AD is growing compare to last year.

When we ran ADRAP tool it shows the DNS nodes (30010)

Tombstoned DNS nodes (200001) toal (230011)

this might be because of low scavening / aging value set

what will be best scavenging time set to have other than default settings

Server properties is set to Default 7 days

no-refresh interval set to 2 days

refresh set to 2 days

DHCP lease is 8 hrs.

can anyone please suggest me what will be the best settings for our environment (as DHCP lease is 8 hrs keeping in mind)

Thanks in advance

re: Don't be afraid of DNS Scavenging. Just be patient.

miked — Wed, 26 Aug 2009 18:32:58 GMT

Great article.

I'd recommend that you export DNS records to Excel and examine their timestamps during the sanity check phase. There are excellent instructions on how to do this here:

http://blogs.technet.com/networking/archive/2008/05/21/export-dns-records-to-excel-to-read-time-stamps-and-static-records.aspx

This will allow you to determine exactly which records will be deleted by the scavenging process.

re: Don't be afraid of DNS Scavenging. Just be patient.

John — Wed, 16 Sep 2009 18:53:54 GMT

so the big question here is how can you log the records that were scavenaged? I get a 2501 stating x records or nodes scavenged, is there a way to log all the records that were removed?