Back

Best Practices on Windows DNS Scavenging

Scavenging will help you clean up old unused records in DNS Since clean up really means delete stuff a good understanding of what you are doing ...

3 min read
Published on Mar 21, 2008
Best Practices on Windows DNS Scavenging

Scavenging will help you clean up old unused records in DNS.  Since “clean up” really means “delete stuff” a good understanding of what you are doing and a healthy respect for “delete stuff” will keep you out of the hot grease.  Because deletion is involved there are quite a few safety valves built into scavenging that take a long time to pop.  When enabling scavenging patience is required.  It will work just fine, but not today!

Note: For purposes of this discussion we are going to concentrate on the most common Windows DNS scenario: Windows Server 2003 DNS servers hosting AD integrated zones.

Scavenging is set in three places on a Windows Server:

  1. On the individual resource record to be scavenged.
  2. On a zone to be scavenged.
  3. At one or more servers performing scavenging.

It must be set in all three places or nothing happens.

Scavenging settings on a Resource Record

To see the scavenging setting on a record hit View | Advanced in the DNS MMC then bring up properties on a record.

Scavenging settings on a Resource Record Scavenging gets set on a resource record in one of three ways.  The first is by someone coming in here, checking the “Delete this record when it becomes stale” checkbox and hitting apply.  When you hit apply the time of day will be rounded down to the nearest hour and applied as the timestamp on the record.  Static records have a timestamp of 0 indicating do not scavenge.

The second is when a record gets created by a client machine registering using dynamic DNS.  Windows clients will attempt to dynamically update DNS every 24 hours.  All DDNS records get set to scavenge.  When a record is first created by a client that has no existing record it is considered an “Update” and the timestamp is set.  If the client has an existing host record and changes the IP of the host record this is also considered an “Update” and the timestamp is set.  If the client has an existing host record with the same IP address then this is considered a “Refresh” and the timestamp may or may not get changed depending on zone settings.  More on this later.

The third way to set scavenging on records is by using DNScmd.exe with the /ageallrecords switch.  Let’s pause here for a few moments to consider a few important words: All, Records, Delete, Stuff.  If you actually run this command against a zone it will truly set scavenging and a timestamp on all records in the zone including static records that you never want to be scavenged.  Because of the time it takes scavenging to do it’s thing people find this command and get tempted to give it a try.  Do not.  It will delete stuff.  Have patience instead.

Once a timestamp is set on a record it will replicate around to all servers that host the zone.  There is one caveat to this.  If scavenging is not enabled on the zone that hosts the record then it will never scavenge so the timestamp is essentially irrelevant.  The timestamp may get updated on the server where the client dynamically registers but it will not replicate around to the other servers in the zone.  

Read the rest of the article @> Microsoft Enterprise Networking Team : Don’t be afraid of DNS Scavenging. Just be patient.

This post has matured and its content may no longer be relevant beyond historical reference. To see the most current information on a given topic, click on the associated category or tag.

Related Posts

CMMC compliance for DoD contractors

CMMC Compliance Requirements for DoD Contractors and Subcontractors in the Defense Industry

CMMC compliance is mandatory for DoD contractors and subcontractors. Learn about certification levels, requirements, and the consequences of failing to meet compliance.

Apr 24, 2025
6 min read
How to prepare for a CMMC compliance audit

CMMC Compliance Audit Preparation: A Complete Checklist for Small Businesses

Preparing for a CMMC compliance audit is critical for DoD contractors. Use this checklist to perform a gap analysis, assess CMMC readiness, and prepare for a Level 2 assessment.

Apr 23, 2025
8 min read
FAR CUI vs CMMC Understanding

FAR CUI vs CMMC Understanding the Differences and Overlaps

FAR CUI and CMMC both focus on protecting sensitive federal data, but they have key differences. Learn how they work together and whether FAR CUI compliance aligns with CMMC.

Apr 15, 2025
10 min read
What Is a POAM?

What Is a POAM?

Learn how a Plan of Action and Milestones (POAM) helps meet NIST 800-171 & DFARS compliance. Understand its role in FedRAMP, security categorization, and risk mitigation.

Apr 8, 2025
8 min read
Best Cybersecurity Practices for Achieving CMMC Compliance

Best Cybersecurity Practices for Achieving CMMC Compliance

Achieving CMMC cybersecurity compliance requires strong security controls. Learn best practices for securing your IT environment, protecting CUI, and implementing MFA.

Apr 7, 2025
6 min read
8 Pranks for Windows 11 - Happy April Fools!

8 Pranks for Windows 11 - Happy April Fools!

Happy April Fools Day The day of the year when some IT staff think it might be humorous to do something to generate hundreds of support tickets for ...

Apr 1, 2025
3 min read

Ready to Secure and Defend Your Data
So Your Business Can Thrive?

Fill out the form to see how we can protect your data and help your business grow.

Loading...
Secure. Defend. Thrive.

Let's start a conversation

Discover more about Agile IT's range of services by reaching out.

Don't want to wait for us to get back to you?

Schedule a Free Consultation

Location

Agile IT Headquarters
4660 La Jolla Village Drive #100
San Diego, CA 92122

Secure. Defend. Thrive.

Don't want to wait for us to get back to you?

Discover more about Agile IT's range of services by reaching out

Schedule a Free Consultation