Recipe 13.13. Scavenging Old Resource Records

Problem

You want to scavenge old resource records. DNS scavenging is the process whereby resource records are automatically removed if they are not updated after a period of time. Typically, this applies only to resource records that were added via DDNS, but you can also scavenge manually added records (or static records). DNS scavenging is a recommended practice (although disabled by default) so that your DNS zones are automatically kept clean of stale resource records.

Solution

The following solutions show how to enable automatic scavenging on all Active Directory-integrated zones.

Using a graphical user interface

  1. From the Administrative Tools, open the DNS snap-in (dnsmgmt.msc).

  2. Connect to the DNS Server you want to modify. In the left pane, right-click on DNS and select Connect to DNS Server. Select The following computer and enter the target server name. Click OK.

  3. Click on the server, right-click on it, and select Set Aging/Scavenging for all zones.

  4. Check the box beside Scavenge stale resource records.

  5. Configure the No-Refresh and Refresh intervals as necessary and click OK.

  6. Check the box beside Apply these settings to the existing Active Directory-integrated zones and click OK.

  7. Right-click on the server again and select Properties.

  8. Select the Advanced tab.

  9. Check the box beside Enable automatic scavenging of stale resource records.

  10. Configure the scavenging period as required.

  11. Click OK.

Using a command-line interface

The following commands configure the various scavenging parameters I describe later in the Discussion section:

> dnscmd <ServerName> /config /ScavengingInterval <ScavengingMinutes>
> dnscmd <ServerName> /config /DefaultAgingState 1
> dnscmd <ServerName> /config /DefaultNoRefreshInterval <NoRefreshMinutes>
> dnscmd <ServerName> /config /DefaultRefreshInterval <RefreshMinutes>

The following command enables aging of records for a specific zone (so old records will eventually be scavenged):

> dnscmd <ServerName> /config <ZoneName> /aging 1

The following command enables aging for all primary zones on a server:

> dnscmd <ServerName> /config ..AllZones /aging 1

Using VBScript

' This code enables scavenging for all Active Directory-integrated zones
' ------ SCRIPT CONFIGURATION ------
strServer = "<ServerName>"
intScavengingInterval = <ScavengingMinutes>
intNoRefreshInterval  = <NoRefreshMinutes>
intRefreshInterval    = <RefreshMinutes>
' ------ END CONFIGURATION ---------

' Bind to the DNS WMI provider on the target server
set objDNS = GetObject("winMgmts:\\" & strServer & "\root\MicrosoftDNS")
set objDNSServer = objDNS.Get("MicrosoftDNS_Server.Name="".""")

' Server-wide scavenging settings (see the Discussion section)
objDNSServer.ScavengingInterval        = intScavengingInterval
objDNSServer.DefaultNoRefreshInterval  = intNoRefreshInterval
objDNSServer.DefaultRefreshInterval    = intRefreshInterval
objDNSServer.DefaultAgingState         = TRUE
objDNSServer.Put_
WScript.Echo "Configured server scavenging settings"

' Find every Active Directory-integrated zone hosted on this server
set objZones = objDNS.ExecQuery("Select * from MicrosoftDNS_Zone " & _
                                "Where DnsServerName = '" & _
                                       objDNSServer.Name & "'" & _
                                "  And DsIntegrated = TRUE")

' Enable aging on each zone so its dynamic records can be scavenged
WScript.Echo "Configuring Active Directory-integrated zones: "
for each objZone in objZones
   WScript.Echo " " & objZone.Name & " (previous aging state: " & objZone.Aging & ")"
   objZone.Aging = 1
   objZone.Put_
next

Discussion

There are four settings you must be aware of before enabling scavenging. Use caution when enabling scavenging because an incorrect configuration could lead to resource records getting deleted by mistake.

The first setting you need to configure is the scavenging interval. This is the interval at which the DNS Server kicks off the scavenging process. It is disabled by default, so no scavenging takes place unless you enable this setting. When enabled, the default value is 168 hours (7 days).

The second setting is the default aging state for new zones; if you want all new zones to be configured for scavenging, set this to 1.

The next two settings control how records get scavenged. The no refresh interval determines how long after a dynamic update the record's timestamp cannot be refreshed again. This setting exists to reduce how often a DNS Server has to rewrite the timestamp of a resource record. The default value is 168 hours (7 days). That means that after a resource record has been dynamically updated, the server will not accept another timestamp-only refresh of the same record for 7 days. If the IP address or some other data for the record actually changes sooner than 7 days, the server will still process the update.

The refresh interval setting is the amount of time after the no refresh interval that a client has to update its record before it is considered old or stale. The default value for this setting is also 168 hours (7 days).

If you use the default values, the combination of the no refresh interval and refresh interval would mean that a dynamically updated record would not be considered stale for up to 14 days after its last update. In actuality, it could be up to 21 days before the record gets deleted if the record became stale right after the last scavenge process completed: 7 days (no refresh) + 7 days (refresh) + up to 7 days (scavenge process).
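Because a wrong interval silently deletes records, the check a practitioner wants before enabling scavenging is a dry run: read the effective No-Refresh and Refresh intervals, work out the stale cut-off exactly as the arithmetic above does, and list which records in a zone would be removed on the next pass. The following PowerShell is an added example and is not code from the Windows Server Cookbook. It assumes the DnsServer PowerShell module (Windows Server 2012 or later, or RSAT), which postdates the dnscmd and WMI methods the recipe targets; the server name, zone name and the 7-day values are placeholders.

```powershell
# Added example, not code from the Windows Server Cookbook. Requires the
# DnsServer PowerShell module (Windows Server 2012 or later, or RSAT).
# The server name, zone name and the 7-day values are assumed placeholders.

function Get-DnsScavengingCandidate {
    <#
      Reports, for one zone, which records would be removed once scavenging
      runs. Nothing on the server is changed.
    #>
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [string] $ZoneName
    )

    # Server-wide settings: scavenging period plus default No-Refresh/Refresh.
    $srv  = Get-DnsServerScavenging -ComputerName $ComputerName
    # Per-zone aging settings; a zone may carry its own intervals.
    $zone = Get-DnsServerZoneAging  -ComputerName $ComputerName -Name $ZoneName

    $noRefresh = if ($zone.NoRefreshInterval -gt [timespan]::Zero) { $zone.NoRefreshInterval } else { $srv.NoRefreshInterval }
    $refresh   = if ($zone.RefreshInterval   -gt [timespan]::Zero) { $zone.RefreshInterval }   else { $srv.RefreshInterval }

    # A record becomes eligible for deletion once its timestamp is older than
    # NoRefresh + Refresh; it is actually removed by the next scavenging pass,
    # so the worst-case lifetime is NoRefresh + Refresh + ScavengingInterval.
    $staleBefore = (Get-Date) - ($noRefresh + $refresh)
    $worstCase   = $noRefresh + $refresh + $srv.ScavengingInterval

    $state = if ($srv.ScavengingState) { 'ENABLED' } else { 'disabled' }
    $aging = if ($zone.AgingEnabled)   { 'ENABLED' } else { 'disabled' }
    Write-Host "Server $($ComputerName): scavenging $state, period $($srv.ScavengingInterval)"
    Write-Host "Zone $($ZoneName): aging $aging, no-refresh $noRefresh, refresh $refresh"
    Write-Host "Records not refreshed since $($staleBefore.ToString('u')) are stale; worst-case lifetime $worstCase"

    foreach ($rr in Get-DnsServerResourceRecord -ComputerName $ComputerName -ZoneName $ZoneName) {
        # Static (manually added) records carry no timestamp and are never
        # aged unless you deliberately convert them, so they are listed but
        # never flagged.
        if (-not $rr.Timestamp) {
            $status = 'static (not aged)'
        } elseif ($rr.Timestamp -lt $staleBefore) {
            $status = 'STALE - would be scavenged'
        } else {
            $status = 'current'
        }
        [pscustomobject]@{
            Name      = $rr.HostName
            Type      = $rr.RecordType
            Timestamp = $rr.Timestamp
            Status    = $status
        }
    }
}

# 1. Review the candidates first. A record flagged STALE that is still in use
#    means the intervals are too short or that client is not updating DNS.
Get-DnsScavengingCandidate -ComputerName 'dns1.example.internal' -ZoneName 'example.internal' |
    Sort-Object Status, Timestamp | Format-Table -AutoSize

# 2. Only then enable scavenging. These cmdlets are the counterparts of the
#    recipe's dnscmd /config switches; -WhatIf previews the change without
#    applying it, so remove it to commit.
$week = New-TimeSpan -Days 7
Set-DnsServerScavenging -ComputerName 'dns1.example.internal' -ScavengingState $true `
    -ScavengingInterval $week -NoRefreshInterval $week -RefreshInterval $week `
    -ApplyOnAllZones -WhatIf
Set-DnsServerZoneAging -ComputerName 'dns1.example.internal' -Name 'example.internal' -Aging $true -WhatIf
```

The cut-off is computed from the zone's own intervals when it has them and from the server defaults otherwise, which mirrors how the GUI's "Apply these settings to the existing Active Directory-integrated zones" checkbox pushes the server values down to each zone. Run the report once more after the first scavenging pass to confirm only the expected records disappeared.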


Windows Server Cookbook
Windows Server Cookbook for Windows Server 2003 and Windows 2000
ISBN: 0596006330
Year: 2006
Pages: 380
Authors: Robbie Allen