How to Configure DNS Scavenging for Cleaning Up Stale DNS Records in Active Directory

Two unique features of Windows Server DNS enable automated deletion of obsolete DNS records in Active Directory:

  • DNS Aging – determines the age of a dynamically registered DNS record (the difference between the record's last timestamp and the current time).
  • DNS Scavenging – automatically removes outdated dynamic DNS records that have not been used or updated for an extended period.

Windows Server DNS keeps two kinds of records – dynamic and static. Dynamic records carry a timestamp attribute (the time at which the DNS record was last updated). Active Windows clients typically refresh the timestamp of their DNS records at startup or every 24 hours. This lets the DNS server identify records that have not been updated for a substantial period, which indicates that they are no longer in use.

Open the DNS server management console on the AD domain controller (dnsmgmt.msc) and check the Advanced option in the View menu.

The zone contains both static and dynamic records (dynamic records show a date and time in the Timestamp column).

Static DNS records are never deleted automatically. A record is static if it was created manually by an administrator, or if the Delete this record when it becomes stale option is cleared in its properties.

Look closely at the dynamic entries in your DNS zone. Disable this option in the properties for any DNS records that should never be automatically deleted. The type of such a DNS record will change to static.

Ensure that static records are configured for all your servers, network devices, printers, scanners, and other network services.

The scavenging process automatically deletes only dynamic DNS records.

By default, automatic scavenging for stale DNS records is disabled in Windows Server.

Open your DNS zone properties and click the Aging button on the General tab.

  1. Check the option Scavenge stale resource records.
  2. The No-Refresh Interval parameter sets the period during which the timestamp of a DNS record will not be refreshed (this reduces DNS server load and AD replication traffic). A change to the record data itself, for example when a computer's hostname changes, is still written successfully during this period.
  3. Refresh Interval – the period, following the no-refresh interval, during which a client may refresh the timestamp of the DNS record. A dynamic record whose timestamp is older than No-Refresh Interval + Refresh Interval is considered stale.

The value for the No refresh interval should be set to half of the IP address lease time set on your DHCP server. For example, if the IP address lease time on the DHCP server is 12 days, enter 6 here. In this case, the dynamic DNS record will be considered outdated and will be purged by the scavenging job after 12 days of inactivity.

By selecting the DNS server and clicking on Set Aging/Scavenging for All Zones, you can apply the aging settings to every primary DNS zone present on a domain controller.

For now, the only setting you’ve configured is the DNS record age for the zone. Unless you enable automatic cleanup in the DNS server settings, DNS records will not be deleted.

It is advisable to export all resource records in the DNS zone to a CSV file before running the DNS zone cleanup for the first time. This ensures that you can manually re-create critical DNS records if needed:

Get-DnsServerResourceRecord -ZoneName 'contoso.com' | Select-Object HostName, Timestamp, RecordType, @{Name='RecordData';Expression={$_.RecordData.IPv4Address}} | Export-Csv -Path "C:\temp\BackupDNSZoneContoso.csv" -NoTypeInformation

Navigate to the Advanced tab within the DNS server properties.

Enable the Enable automatic scavenging of stale records option and specify how many days after the DNS record is marked as obsolete by the aging mechanism it should be deleted (the default is 7 days). After this, the scavenging mechanism will automatically delete old DNS records once a day.

Right-click the DNS server and select Scavenge Stale Resource Records to perform the cleanup immediately. Or run the command:

Start-DnsServerScavenging -Verbose

The current DNS server scavenging settings and the time of the last cleanup can be obtained using PowerShell:

Get-DnsServerScavenging

NoRefreshInterval  : 7.00:00:00
RefreshInterval    : 7.00:00:00
ScavengingInterval : 7.00:00:00
ScavengingState    : False
LastScavengeTime   : 4/2/2024 6:02:37 AM

Most AD installations use Active Directory-integrated DNS zones, which are replicated automatically between domain controllers (there is no classic primary DNS server for such zones). Therefore, you only need to enable scavenging on one domain controller (not an RODC). If that DC is removed or decommissioned, the same configuration must be repeated on another domain controller.
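Before enabling automatic scavenging for the first time, it helps to see which records the next run would actually remove. The following script is an added example (not part of the original article) that reads the zone's aging settings, separates static from dynamic records, lists the dynamic records already older than No-Refresh + Refresh, and writes them to a CSV backup. The zone name, server name and output path are assumed values.

```powershell
# Added example: preview records that scavenging would delete, and back them up first.
# Assumes the DnsServer PowerShell module (RSAT-DNS-Server) and rights to query the DC.
param(
    [string]$ZoneName  = 'contoso.com',            # assumed zone name
    [string]$DnsServer = 'dc01.contoso.com',       # assumed DC running the DNS role
    [string]$BackupCsv = 'C:\temp\StaleDnsRecords.csv'  # assumed output path
)
Import-Module DnsServer

# Zone-level aging settings (what the Aging button in the zone properties configures)
$aging = Get-DnsServerZoneAging -Name $ZoneName -ComputerName $DnsServer
if (-not $aging.AgingEnabled) {
    Write-Warning "Aging is not enabled on zone $ZoneName; scavenging would delete nothing."
}

# A dynamic record is stale once its timestamp is older than NoRefresh + Refresh
$staleBefore = (Get-Date).Add(-($aging.NoRefreshInterval + $aging.RefreshInterval))

$records = @(Get-DnsServerResourceRecord -ZoneName $ZoneName -ComputerName $DnsServer)
# Static records have no timestamp and are never touched by scavenging
$dynamic = @($records | Where-Object { $_.Timestamp })
$stale   = @($dynamic | Where-Object { $_.Timestamp -lt $staleBefore })

"Zone {0}: {1} records, {2} static, {3} dynamic, {4} stale (older than {5:yyyy-MM-dd HH:mm})" -f `
    $ZoneName, $records.Count, ($records.Count - $dynamic.Count), $dynamic.Count, $stale.Count, $staleBefore

# Render the record data per type so the report is readable for more than A records
$report = $stale | Sort-Object Timestamp | Select-Object HostName, RecordType, Timestamp,
    @{Name = 'Data'; Expression = {
        switch ($_.RecordType) {
            'A'     { $_.RecordData.IPv4Address }
            'AAAA'  { $_.RecordData.IPv6Address }
            'CNAME' { $_.RecordData.HostNameAlias }
            'PTR'   { $_.RecordData.PtrDomainName }
            'SRV'   { '{0}:{1}' -f $_.RecordData.DomainName, $_.RecordData.Port }
            default { ($_.RecordData | Out-String).Trim() }
        }
    }}

$report | Format-Table -AutoSize
# Keep a copy of exactly what is about to be removed, so it can be re-created if needed
$report | Export-Csv -Path $BackupCsv -NoTypeInformation
```

Review the list for servers, printers or other infrastructure that still appear as dynamic; those should be converted to static records (clear Delete this record when it becomes stale) before scavenging is switched on.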
