Deep Dive: DNS Scavenging (DNS 枅理机制)

Topic: Windows DNS Scavenging & Aging
Category: Networking / DNS
Level: 䞭级 / Intermediate
Last Updated: 2026-03-13

䞭文版

1. 抂述 (Overview)

DNS ScavengingDNS 枅理/老化枅陀是 Windows DNS Server 内眮的䞀套自劚枅理过期 DNS 记圕的机制。圚劚态 DNS (DDNS) 环境䞭客户端䌚自劚泚册自己的 A 记圕和 PTR 记圕。䜆圓客户端被移陀、关机、曎换 IP 后这些旧记圕䞍䌚自劚消倱久而久之 DNS 区域䞭就䌚堆积倧量”僵尞记圕”Stale Records。

Scavenging 就是解决这䞪问题的它像䞀䞪定时枅掁工定期检查所有记圕的”时闎戳”把过期倪久、没有被客户端刷新的记圕删掉。

䜆是由于删陀 DNS 记圕是䞀件高风险操䜜删错了可胜富臎服务䞭断Windows 圚 Scavenging 䞭讟计了倚层安党阀闚需芁圚䞉䞪地方郜正确配眮才胜生效

  1. 资源记圕 (Resource Record) — 记圕本身芁有时闎戳
  2. 区域 (Zone) — 区域芁启甚 Aging/Scavenging
  3. 服务噚 (Server) — 至少䞀台 DNS 服务噚芁启甚自劚枅理

🔑 䞀句话总结䞉䞪地方郜匀了Scavenging 才胜工䜜。少了任䜕䞀䞪过期记圕郜䞍䌚被删。

2. 栞心抂念 (Core Concepts)

2.1 时闎戳 (Timestamp)

每条 DNS 记圕郜有䞀䞪时闎戳字段记圕它最后䞀次被”刷新”或”曎新”的时闎。

  • 劚态泚册的记圕自劚有时闎戳Windows 客户端默讀每 24 小时向 DNS 泚册䞀次
  • 静态记圕管理员手劚创建的时闎戳䞺 0衚瀺氞䞍枅理
  • 时闎戳粟床䞺小时向䞋取敎到最近的敎点

🏠 类比时闎戳就像酒店房闎的”退房时闎”。每次客人客户端续䜏刷新记圕退房时闎就曎新。劂果客人走了再也䞍来续䜏过了退房时闎就䌚被枅理。

2.2 No-Refresh 闎隔䞍刷新闎隔

No-Refresh Interval默讀 7 倩是䞀䞪犁止刷新的窗口期。圚这段时闎内即䜿客户端尝试刷新记圕时闎戳也䞍䌚曎新。

䞺什么需芁这䞪 因䞺时闎戳变化 = AD 倍制流量。劂果每䞪客户端每 24 小时刷新䞀次记圕每次刷新郜改变时闎戳就䌚产生倧量䞍必芁的 AD 倍制。No-Refresh 闎隔就是甚来减少倍制流量的。

🏠 类比No-Refresh 就像酒店诎”入䜏前 7 倩内䞍甚打电话确讀我们知道䜠䜏着呢”。

2.3 Refresh 闎隔刷新闎隔

Refresh Interval默讀 7 倩玧接圚 No-Refresh 之后。这䞪窗口期内客户端可以䞔应该来刷新时闎戳。

劂果圚 Refresh 窗口期结束时客户端仍然没有刷新记圕该记圕就变成“可枅理”Eligible for Scavenging。

🏠 类比Refresh 闎隔就是酒店给䜠的”续䜏确讀期”。7 倩内䜠需芁打电话诎”我还䜏着”吊则酒店就讀䞺䜠走了。

2.4 Scavenging 呚期枅理呚期

这是 DNS 服务噚倚久执行䞀次枅理操䜜默讀 7 倩。即䜿记圕已经”可枅理”了也芁等到服务噚䞋䞀次运行 Scavenging 时才䌚被真正删陀。

2.5 Update vs Refresh

这是䞀䞪非垞容易混淆的栞心抂念

操䜜 含义 是吊受 No-Refresh 限制
Update曎新 记圕的数据变了劂 IP 地址改变 ❌ 䞍受限任䜕时候郜可以
Refresh刷新 记圕数据没变只是”续呜”曎新时闎戳 ✅ 受限No-Refresh 期闎被拒绝

3. 工䜜原理 (How It Works)

3.1 敎䜓架构

┌──────────────────────────────────────────────────────────┐
│                    DNS Scavenging 䞉层架构                  │
├───────────────────────────────────────────────────────────
│                                                          │
│   Layer 1: Resource Record资源记圕                      │
│   ┌─────────────────────────────────────┐               │
│   │ Record: app-server01.contoso.com    │               │
│   │ IP: 10.1.1.100                      │               │
│   │ Timestamp: 2026/03/01 10:00:00      │  ← 时闎戳     │
│   │ [x] Delete when stale               │               │
│   └─────────────────────────────────────┘               │
│                                                          │
│   Layer 2: Zone区域                                    │
│   ┌─────────────────────────────────────┐               │
│   │ Zone: contoso.com                   │               │
│   │ [x] Scavenge stale resource records │  ← 启甚枅理    │
│   │ No-Refresh: 7 days                  │               │
│   │ Refresh:    7 days                  │               │
│   │ Zone can be scavenged after:        │               │
│   │   2026/03/08 10:00:00               │  ← 安党阀     │
│   └─────────────────────────────────────┘               │
│                                                          │
│   Layer 3: Server服务噚                                 │
│   ┌─────────────────────────────────────┐               │
│   │ Server: dns-srv01.contoso.com       │               │
│   │ [x] Enable automatic scavenging     │  ← 启甚自劚    │
│   │ Scavenging period: 7 days           │               │
│   └─────────────────────────────────────┘               │
│                                                          │
└──────────────────────────────────────────────────────────┘

3.2 完敎生呜呚期 — 甚䞀䞪故事讲枅楚

假讟公叞 contoso.com 的环境

  • No-Refresh 闎隔7 倩
  • Refresh 闎隔7 倩
  • Scavenging 呚期7 倩

䞀台笔记本 laptop01.contoso.comIP: 10.1.1.50的 DNS 记圕䞀生

时闎线 (Timeline)
═══════════════════════════════════════════════════════════════

Day 0 (3月1日): 笔记本匀机通过 DDNS 泚册记圕
├── 记圕创建: laptop01.contoso.com → 10.1.1.50
├── 时闎戳讟眮䞺: 3月1日 09:00
└── 这是䞀次 "Update"新建记圕

Day 1-7 (No-Refresh 窗口):
├── 笔记本每倩尝试泚册每24h䞀次
├── DNS 服务噚诎"No-Refresh 期闎䞍曎新时闎戳"
├── 时闎戳保持: 3月1日 09:00
└── 奜倄减少 AD 倍制流量 ✓

Day 8-14 (Refresh 窗口):
├── 进入 Refresh 期闎现圚刷新被允讞了
├── Day 8: 笔记本泚册 → 时闎戳曎新䞺 3月8日 09:00  ✓
├── Day 9-14: 又进入新的 No-Refresh 呚期...
└── 时闎戳现圚是: 3月8日 09:00

Day 15: 笔记本被员工垊走了再也䞍匀机
├── 没人来刷新这条记圕了
├── No-Refresh 窗口 (Day 8-14) 正垞过去
└── 时闎戳冻结圚: 3月8日 09:00

Day 15-21 (Refresh 窗口䜆没人来):
├── 记圕进入 Refresh 期等埅客户端来刷新
├── ......没人来......
└── Day 22: Refresh 窗口结束

Day 22: 记圕变䞺 "可枅理" (Eligible for Scavenging)
├── 圓前时闎 > 时闎戳(3/8) + No-Refresh(7倩) + Refresh(7倩)
├── 即: 3月22日 > 3月8日 + 14倩 ✓
└── 䜆是记圕还没被删芁等 Scavenging 执行

Day 22-28: 等埅 Scavenging 执行
├── 假讟䞊䞀次 Scavenging 圚 Day 21 执行过
├── 呚期是 7 倩䞋次圚 Day 28
└── 

Day 28: DNS 服务噚执行 Scavenging
├── 扫描所有记圕
├── 检查 laptop01: 时闎戳 3/8 + 14倩 = 3/22已过期 ✓
├── 删陀记圕🗑
├── Event ID 2501: "X records scavenged"
└── laptop01.contoso.com 的记圕正匏消倱

═══════════════════════════════════════════════════════════════
总耗时记圕最后䞀次刷新后至少 14倩 + 最倚7倩 = 14~21 倩才䌚被删
       䜿甚默讀讟眮时可胜需芁 14~21 倩

3.3 Eligible 之后、删陀之前 — 客户端还胜”续呜”吗

这是䞀䞪非垞关键䜆容易被応视的场景圓记圕已经变䞺 Eligible可枅理䜆 Scavenging 还没执行时客户端突然回来泚册了䌚怎样

答案是可以刷新记圕䌚被”救回来”敎䞪呚期重新匀始。

时闎线 (假讟党郚 7 倩闎隔)
═════════════════════════════════════════════════════

Day 0:  时闎戳 = 3月1日
        ├── No-Refresh 匀始 (Day 0-7)
        │
Day 7:  No-Refresh 结束
        ├── Refresh 窗口匀始 (Day 7-14)
        │   客户端可以刷新䜆没来...
        │
Day 14: Refresh 窗口结束
        ├── 记圕变䞺 "Eligible"可枅理
        │   䜆还没被删等 Scavenging 执行
        │
Day 14-21: 等埅 Scavenging 执行最倚7倩
        │
        │  ★ Day 17: 客户端突然回来了发送 DDNS 泚册
        │  ├── 服务噚检查圓前倄于 No-Refresh 吗
        │  ├── No-Refresh 是基于旧时闎戳(3/1) + 7倩 = 3/8
        │  ├── 现圚是 Day 17 (3/18)早就过了 No-Refresh
        │  ├── → 刷新被接受✅
        │  └── 时闎戳曎新䞺3月18日 ← 党新的时闎戳
        │
        │  接䞋来䌚怎样
        │  ┌──────────────────────────────┐
        │  │ 新时闎戳 = 3月18日            │
        │  │ + No-Refresh 7倩 = 3月25日    │
        │  │ + Refresh 7倩 = 4月1日        │
        │  │                              │
        │  │ 记圕䞍再 Eligible            │
        │  │ 敎䞪呚期重新匀始 🔄            │
        │  └──────────────────────────────┘
        │
Day 21: Scavenging 执行时
        ├── 检查该记圕时闎戳 = 3/18已被刷新
        ├── 3/18 + 14倩 = 4/1还没过期
        └── 跳过记圕存掻 ✅

Eligible 期闎䞍同操䜜的结果

情况 结果
Eligible 期闎客户端回来刷新Refresh ✅ 时闎戳曎新呚期重启记圕被救
Eligible 期闎客户端曎换了 IPUpdate ✅ 这是 Update任䜕时候郜允讞时闎戳也曎新
Eligible 期闎没人来 → Scavenging 执行 🗑 记圕被删陀

💡 讟计思想Scavenging 䞍是”䞀旊 Eligible 就立刻删”而是有䞀䞪猓冲期等埅 Scavenging 呚期到来。圚这段猓冲期内客户端仍有机䌚”续呜”。这也是䞺什么 No-Refresh 的刀断是基于记圕圓前时闎戳而非区域的固定时闎窗口 — 旧时闎戳的 No-Refresh 早已过期所以刷新请求䌚被接受。

3.4 Scavenging 执行时的检查枅单

圓 DNS 服务噚启劚䞀次 Scavenging 时它按以䞋顺序检查

Scavenging 执行流皋
═══════════════════

匀始 Scavenging
    │
    ▌
[1] 区域是吊启甚了 Scavenging ─── 吊 ──→ 跳过该区域
    │ 是
    ▌
[2] 区域是吊启甚了劚态曎新 ─── 吊 ──→ 跳过该区域
    │ 是
    ▌
[3] 圓前服务噚是吊有权枅理该区域 ─── 吊 ──→ 跳过
    │ 是                   (dnscmd /zoneresetscavengeservers)
    ▌
[4] "Zone can be scavenged after" 
    时闎是吊已过 ─── 吊 ──→ 跳过给客户端和倍制留时闎
    │ 是
    ▌
[5] AD 倍制是吊正垞 ─── 吊 ──→ 跳过防止误删
    │ 是
    ▌
  ┌─────────────────────────────────┐
  │ 逐条检查区域内的每条记圕        │
  │                                 │
  │ 记圕时闎戳 = 0                 │
  │ ├── 是 → 静态记圕跳过          │
  │ └── 吊 ↓                        │
  │                                 │
  │ 圓前时闎 > 时闎戳                 │
  │         + No-Refresh             │
  │         + Refresh              │
  │ ├── 吊 → 记圕未过期跳过        │
  │ └── 是 → 删陀该记圕🗑          │
  └─────────────────────────────────┘
    │
    ▌
记圕 Event Log:
  - Event ID 2501: 有记圕被枅理
  - Event ID 2502: 没有记圕被枅理

3.5 䞀䞪具䜓的时闎计算䟋子

让我们甚䞀䞪曎具䜓的数字来做计算

环境讟眮

  • No-Refresh 闎隔3 倩
  • Refresh 闎隔3 倩
  • 服务噚 Scavenging 呚期3 倩
  • 䞊䞀次 Event ID 2501/25021月1日 6:00 AM
  • 记圕时闎戳1月1日 12:00 PM䞭午

计算过皋

记圕时闎戳:        1月1日 12:00 PM
+ No-Refresh (3倩): 1月4日 12:00 PM   ← 这之前䞍允讞刷新
+ Refresh (3倩):    1月7日 12:00 PM   ← 这之后记圕"可枅理"

记圕变䞺 Eligible: 1月7日 12:00 PM

䞊次 Scavenging:    1月1日 6:00 AM
+ 呚期 (3倩):       1月4日 6:00 AM    ← 第二次
+ 呚期 (3倩):       1月7日 6:00 AM    ← 第䞉次 (还早于 12:00 PM)
+ 呚期 (3倩):       1月10日 6:00 AM   ← 第四次 ✓ 歀时记圕已经 eligible

∎ 记圕被删陀时闎: 纊 1月10日 6:00 AM

从时闎戳到实际被删陀纊 9 倩。

4. 关键配眮䞎参数 (Key Configurations)

配眮项 默讀倌 䜍眮 诎明 建议
记圕时闎戳 劚态记圕自劚讟眮静态䞺 0 记圕属性 最后刷新/曎新时闎 䞍芁对静态记圕启甚 scavenging
No-Refresh Interval 7 倩 Zone → Aging 犁止刷新的时闎窗口 可适圓猩短劂 3-4 倩以加快枅理
Refresh Interval 7 倩 Zone → Aging 允讞刷新的时闎窗口 保持默讀或皍长给客户端足借机䌚
Scavenge stale records ❌ 未启甚 Zone → Aging 区域级匀关 按需启甚
Enable automatic scavenging ❌ 未启甚 Server → Advanced 服务噚级匀关 只圚 1 台 DNS 服务噚䞊启甚
Scavenging Period 7 倩 Server → Advanced 倚久执行䞀次 侎 Refresh 闎隔䞀臎或曎短

PowerShell 配眮呜什

# 查看区域的 Aging 讟眮
Get-DnsServerZoneAging -Name "contoso.com"

# 启甚区域 Aging
Set-DnsServerZoneAging -Name "contoso.com" -Aging $true -NoRefreshInterval 7.00:00:00 -RefreshInterval 7.00:00:00

# 启甚服务噚 Scavenging
Set-DnsServerScavenging -ScavengingState $true -ScavengingInterval 7.00:00:00

# 手劚觊发 Scavenging仍受安党阀限制
Start-DnsServerScavenging

# 查看特定记圕的时闎戳
Get-DnsServerResourceRecord -ZoneName "contoso.com" -Name "laptop01" | Select-Object HostName, Timestamp, TimeToLive

# 限制只允讞特定服务噚 Scavenging
dnscmd dns-srv01.contoso.com /zoneresetscavengeservers contoso.com 10.1.1.10

5. 垞见问题䞎排查 (Common Issues & Troubleshooting)

问题 A: Scavenging 没有工䜜过期记圕䞍被枅理

可胜原因

  1. 䞉层配眮䞭某䞀层没匀最垞见
  2. “Zone can be scavenged after” 时闎还没到
  3. 记圕时闎戳䞺 0静态记圕
  4. AD 倍制有问题

排查思路

# 1. 检查区域 Aging 是吊启甚
Get-DnsServerZoneAging -Name "contoso.com"
# 看 AgingEnabled 是吊䞺 True

# 2. 检查服务噚 Scavenging 是吊启甚
Get-DnsServerScavenging
# 看 ScavengingState 是吊䞺 True

# 3. 检查目标记圕的时闎戳
Get-DnsServerResourceRecord -ZoneName "contoso.com" -Name "target-host"
# 时闎戳䞺 0 = 静态记圕䞍䌚被枅理

# 4. 检查 Scavenging Event Log
Get-WinEvent -FilterHashtable @{LogName='DNS Server';Id=2501,2502} -MaxEvents 10

问题 B: 正垞的记圕被误删了Over-Scavenging

可胜原因

  1. 管理员运行了 dnscmd /ageallrecords给所有记圕包括静态记圕加了时闎戳
  2. No-Refresh + Refresh 闎隔讟眮倪短
  3. 客户端 DDNS 泚册有问题劂被防火墙阻止
  4. 记圕的 ACL 权限䞍对客户端无法曎新

排查思路

  • 检查被删记圕的原始所有者Security tab
  • 检查客户端是吊胜成功执行 ipconfig /registerdns
  • 检查 DNS 劚态曎新是吊被安党策略阻止
  • 䞎时措斜把记圕改䞺静态时闎戳讟䞺 0

问题 C: 时闎戳䞍曎新䞍倍制到其他 DNS 服务噚

可胜原因

  • 区域 Scavenging 未启甚时时闎戳曎新䞍䌚被倍制
  • 这是讟计行䞺劂果区域没匀 Aging时闎戳无意义䞍浪莹倍制垊宜

关键点䞀旊启甚区域 Aging时闎戳才䌚匀始正垞倍制。

问题 D: 銖次启甚 Scavenging 后倧量记圕被删

原因历史遗留的过期记圕䞀次性被枅理
预防按照”䞉阶段启甚法”见䞋文实战经验

6. 实战经验 (Practical Tips)

最䜳实践

  1. 只圚 1 台 DNS 服务噚䞊启甚 Scavenging
    • 因䞺区域数据是 AD 倍制的1 台枅理即可
    • 䟿于集䞭查看 Event Log
    • 䜿甚 dnscmd /zoneresetscavengeservers 粟确控制

  2. 䞉阶段安党启甚法针对现有环境

    阶段 1 — 准倇Setup:
├── 关闭所有服务噚的 Scavenging
├── 启甚目标区域的 Aging讟奜 No-Refresh 和 Refresh
└── 等埅 No-Refresh + Refresh 时闎过去默讀 14 倩
   
阶段 2 — 健党检查Sanity Check:
├── 检查是吊有时闎戳过旧的记圕
├── 劂果有 → 排查 DDNS 泚册问题修倍后再等䞀䞪呚期
└── 确讀所有掻跃客户端的记圕时闎戳郜圚合理范囎内
   
阶段 3 — 启甚Enable:
├── 圚 1 台服务噚䞊启甚 Scavenging
├── 创建䞀条测试记圕计算预期删陀时闎
├── 观察 Event ID 2501/2502
└── 确讀测试记圕圚预期时闎被删陀 ✓
  3. 监控 Event Log
    • Event ID 2501有记圕被枅理星瀺数量
    • Event ID 2502执行了 Scavenging 䜆没有记圕被枅理
    • 通过这䞀䞪事件可以粟确计算䞋次 Scavenging 时闎

垞见误区

误区 事实
“启甚 Zone Aging 就借了” ❌ 还需芁圚服务噚䞊启甚 Scavenging
“手劚 Scavenge 可以绕过安党检查” ❌ 手劚觊发仍然受所有安党阀闚限制
“dnscmd /ageallrecords 埈安党” ⚠ 这䌚给所有静态记圕加时闎戳富臎它们被枅理
“Scavenging 应该圚每台 DNS 服务噚䞊匀” ❌ 建议只匀 1 台方䟿排查和控制
“No-Refresh 期闎记圕完党䞍胜曎新” ❌ 只有 Refresh同 IP 续呜被拒绝UpdateIP 变曎䞍受限

安党泚意

  • 氞远䞍芁圚䞍理解的情况䞋运行 dnscmd /ageallrecords
  • 倇仜 DNS 区域后再启甚 Scavenging
  • 䜿甚 Export-DnsServerZone 富出区域数据䜜䞺回滚手段
  • SRV 记圕和 _msdcs 区域的记圕芁特别小心
绎床 DNS Scavenging DNS TTL (Time-to-Live) DHCP Lease Cleanup
䜜甚对象 DNS Server 䞊的资源记圕 DNS Client/Resolver 的猓存 DHCP 地址分配
枅理的是什么 服务噚端的过期记圕 客户端猓存的过期条目 过期的 IP 地址租纊
谁来执行 DNS Server DNS Client/Resolver DHCP Server
觊发方匏 定时自劚 + 可手劚 猓存到期自劚枅陀 租纊到期自劚回收
圱响范囎 所有查询该服务噚的客户端 仅本地客户端 IP 地址池管理
默讀是吊启甚 ❌ 默讀䞍启甚 ✅ 始终生效 ✅ 始终生效
风险 删错记圕富臎解析倱莥 猓存过期富臎短暂查询延迟 地址回收富臎 IP 冲突

关联诎明DNS Scavenging 和 DHCP Lease 通垞需芁协调。理想情况䞋DNS 记圕的生呜呚期应该和 DHCP 租纊呚期匹配。劂果 DHCP 租纊 8 倩DNS Scavenging 的 No-Refresh + Refresh 最奜 ≥ 8 倩。

8. 参考资料 (References)

  • Set up DNS scavenging — 埮蜯官方排查文档包含完敎的 Scavenging 讟眮瀺䟋和计算方法

English Version

1. Overview

DNS Scavenging is a built-in mechanism in Windows DNS Server that automatically cleans up stale (outdated) DNS resource records. In Dynamic DNS (DDNS) environments, clients automatically register their A and PTR records. However, when clients are decommissioned, shut down, or change IP addresses, these old records don’t automatically disappear. Over time, DNS zones accumulate “zombie records” (stale records).

Scavenging solves this problem: it acts like a scheduled janitor, periodically checking timestamps on all records and deleting those that haven’t been refreshed by clients for too long.

Because deleting DNS records is a high-risk operation (deleting the wrong record could cause service outages), Windows has designed multiple safety valves into the scavenging mechanism. Configuration must be correct in three places:

  1. Resource Record — The record must have a timestamp
  2. Zone — Aging/Scavenging must be enabled on the zone
  3. Server — At least one DNS server must have automatic scavenging enabled

🔑 Key takeaway: All three must be enabled for scavenging to work. If any one is missing, stale records won’t be deleted.

2. Core Concepts

2.1 Timestamp

Every DNS resource record has a timestamp field recording when it was last “refreshed” or “updated.”

  • Dynamically registered records: Automatically have timestamps (Windows clients register with DNS every 24 hours by default)
  • Static records (manually created by admins): Timestamp is 0, meaning never scavenged
  • Timestamp precision is hourly (rounded down to the nearest hour)

🏠 Analogy: The timestamp is like a hotel room’s “checkout time.” Each time the guest (client) extends their stay (refreshes the record), the checkout time is updated. If the guest leaves and never comes back, the room gets cleaned up after checkout.

2.2 No-Refresh Interval

The No-Refresh Interval (default: 7 days) is a window during which a record’s timestamp cannot be refreshed. A “Refresh” means a dynamic update where the record data doesn’t change — just touching the timestamp. If a client changes the IP of a host record, this is an “Update” and is exempt from the No-Refresh restriction.

Why is this needed? Because timestamp changes = AD replication traffic. The No-Refresh interval reduces unnecessary replication.

🏠 Analogy: No-Refresh is like a hotel saying “No need to call during the first 7 days — we know you’re still staying.”

2.3 Refresh Interval

The Refresh Interval (default: 7 days) follows immediately after No-Refresh. During this window, clients can and should refresh their timestamps.

If the client fails to refresh during the Refresh window, the record becomes “Eligible for Scavenging.”

🏠 Analogy: The Refresh interval is the hotel’s “stay confirmation period.” You need to call within 7 days to say “I’m still here,” or the hotel will assume you’ve left.

2.4 Scavenging Period

This is how often the DNS server runs the scavenging process (default: 7 days). Even if a record is “eligible,” it won’t be deleted until the next scavenging cycle runs.

2.5 Update vs Refresh

A critical distinction that is often confused:

Operation Meaning Subject to No-Refresh?
Update Record data changed (e.g., IP changed) ❌ No — always allowed
Refresh Record data unchanged, just updating timestamp ✅ Yes — blocked during No-Refresh

3. How It Works

3.1 Architecture

┌──────────────────────────────────────────────────────────┐
│              DNS Scavenging Three-Layer Architecture       │
├───────────────────────────────────────────────────────────
│                                                          │
│   Layer 1: Resource Record                               │
│   ┌─────────────────────────────────────┐               │
│   │ Record: app-server01.contoso.com    │               │
│   │ IP: 10.1.1.100                      │               │
│   │ Timestamp: 2026/03/01 10:00:00      │  ← timestamp  │
│   │ [x] Delete when stale               │               │
│   └─────────────────────────────────────┘               │
│                                                          │
│   Layer 2: Zone                                          │
│   ┌─────────────────────────────────────┐               │
│   │ Zone: contoso.com                   │               │
│   │ [x] Scavenge stale resource records │  ← enabled    │
│   │ No-Refresh: 7 days                  │               │
│   │ Refresh:    7 days                  │               │
│   │ Zone can be scavenged after:        │               │
│   │   2026/03/08 10:00:00               │  ← safety     │
│   └─────────────────────────────────────┘               │
│                                                          │
│   Layer 3: Server                                        │
│   ┌─────────────────────────────────────┐               │
│   │ Server: dns-srv01.contoso.com       │               │
│   │ [x] Enable automatic scavenging     │  ← enabled    │
│   │ Scavenging period: 7 days           │               │
│   └─────────────────────────────────────┘               │
│                                                          │
└──────────────────────────────────────────────────────────┘

3.2 Complete Lifecycle — A Story-Based Example

Assume the contoso.com environment has:

  • No-Refresh Interval: 7 days
  • Refresh Interval: 7 days
  • Scavenging Period: 7 days

The lifecycle of a DNS record for laptop01.contoso.com (IP: 10.1.1.50):

Timeline
═══════════════════════════════════════════════════════════════

Day 0 (March 1): Laptop boots up, registers via DDNS
├── Record created: laptop01.contoso.com → 10.1.1.50
├── Timestamp set to: March 1, 09:00
└── This is an "Update" (new record creation)

Day 1-7 (No-Refresh Window):
├── Laptop attempts registration daily (every 24h)
├── DNS Server: "No-Refresh period — timestamp NOT updated"
├── Timestamp remains: March 1, 09:00
└── Benefit: Reduced AD replication traffic ✓

Day 8-14 (Refresh Window):
├── Refresh period begins — refreshes now accepted
├── Day 8: Laptop registers → Timestamp updated to March 8, 09:00 ✓
├── Day 9-14: New No-Refresh cycle begins...
└── Timestamp now: March 8, 09:00

Day 15: Employee takes laptop away permanently
├── No one refreshes the record anymore
├── No-Refresh window (Day 8-14) passes normally
└── Timestamp frozen at: March 8, 09:00

Day 15-21 (Refresh Window, but no one comes):
├── Record enters Refresh period, waiting for client
├── ......no one comes......
└── Day 22: Refresh window expires!

Day 22: Record becomes "Eligible for Scavenging"
├── Current time > Timestamp(3/8) + No-Refresh(7d) + Refresh(7d)
├── i.e.: March 22 > March 8 + 14 days ✓
└── BUT! Record not deleted yet — must wait for scavenging cycle

Day 22-28: Waiting for Scavenging to Execute
├── Last scavenging ran on Day 21
├── Period is 7 days, next run on Day 28
└── 

Day 28: DNS Server executes Scavenging
├── Scans all records
├── Checks laptop01: Timestamp 3/8 + 14d = 3/22, expired ✓
├── Record deleted! 🗑
├── Event ID 2501: "X records scavenged"
└── laptop01.contoso.com record is gone

═══════════════════════════════════════════════════════════════
Total time: At least 14 days + up to 7 days = 14-21 days after last refresh

3.3 After Eligible, Before Deletion — Can the Client Still “Save” the Record?

This is a critical but often overlooked scenario: When a record has become Eligible for scavenging, but the scavenging cycle hasn’t run yet, what happens if the client comes back and registers?

The answer is: Yes, the refresh is accepted! The record is “saved” and the entire cycle restarts.

Timeline (assuming all 7-day intervals)
═════════════════════════════════════════════════════

Day 0:  Timestamp = March 1
        ├── No-Refresh begins (Day 0-7)
        │
Day 7:  No-Refresh ends
        ├── Refresh window begins (Day 7-14)
        │   Client can refresh, but doesn't come...
        │
Day 14: Refresh window expires
        ├── Record becomes "Eligible" for scavenging
        │   But NOT deleted yet — waiting for scavenging cycle
        │
Day 14-21: Waiting for Scavenging to execute (up to 7 days)
        │
        │  ★ Day 17: Client suddenly comes back! Sends DDNS registration
        │  ├── Server checks: Are we in No-Refresh?
        │  ├── No-Refresh = old timestamp (3/1) + 7 days = 3/8
        │  ├── Current date is Day 17 (3/18), well past No-Refresh
        │  ├── → Refresh accepted! ✅
        │  └── Timestamp updated to: March 18 ← brand new timestamp!
        │
        │  What happens next?
        │  ┌──────────────────────────────────┐
        │  │ New timestamp = March 18          │
        │  │ + No-Refresh 7 days = March 25    │
        │  │ + Refresh 7 days = April 1        │
        │  │                                   │
        │  │ Record is NO LONGER Eligible!      │
        │  │ Entire cycle restarts 🔄           │
        │  └──────────────────────────────────┘
        │
Day 21: When Scavenging executes
        ├── Checks this record: Timestamp = 3/18 (refreshed!)
        ├── 3/18 + 14 days = 4/1, not yet expired
        └── Skipped! Record survives ✅

Results of different actions during the Eligible period:

Scenario Result
Client comes back and refreshes during Eligible period ✅ Timestamp updated, cycle restarts, record saved
Client changes IP (Update) during Eligible period ✅ Updates are always allowed, timestamp also updated
No one comes → Scavenging executes 🗑 Record deleted

💡 Design philosophy: Scavenging doesn’t delete immediately upon Eligible status — there’s a buffer period (waiting for the scavenging cycle). During this buffer, clients still have a chance to “save” their records. This is why the No-Refresh check is based on the record’s current timestamp rather than a fixed zone-wide window — the old timestamp’s No-Refresh has long expired, so refresh requests are accepted.

3.4 Concrete Calculation Example

Environment:

  • No-Refresh Interval: 3 days
  • Refresh Interval: 3 days
  • Server Scavenging Period: 3 days
  • Last Event ID 2501/2502: Jan 1, 6:00 AM
  • Record Timestamp: Jan 1, 12:00 PM (noon)

Calculation:

Record Timestamp:       Jan 1, 12:00 PM
+ No-Refresh (3 days):  Jan 4, 12:00 PM  ← No refresh allowed before this
+ Refresh (3 days):     Jan 7, 12:00 PM  ← Record eligible after this

Record becomes eligible: Jan 7, 12:00 PM

Last Scavenging:         Jan 1, 6:00 AM
+ Period (3 days):       Jan 4, 6:00 AM   ← 2nd cycle
+ Period (3 days):       Jan 7, 6:00 AM   ← 3rd cycle (before 12:00 PM)
+ Period (3 days):       Jan 10, 6:00 AM  ← 4th cycle ✓ record is now eligible

∎ Record deleted at: approximately Jan 10, 6:00 AM

From timestamp to actual deletion: approximately 9 days.

4. Key Configurations

Setting Default Location Description Recommendation
Record Timestamp Auto for dynamic; 0 for static Record Properties Last refresh/update time Don’t enable scavenging on static records
No-Refresh Interval 7 days Zone → Aging Window during which refresh is blocked Can shorten (e.g., 3-4 days) for faster cleanup
Refresh Interval 7 days Zone → Aging Window during which refresh is allowed Keep default or slightly longer
Scavenge stale records ❌ Disabled Zone → Aging Zone-level switch Enable as needed
Enable automatic scavenging ❌ Disabled Server → Advanced Server-level switch Enable on only 1 DNS server
Scavenging Period 7 days Server → Advanced How often scavenging runs Match or shorter than Refresh interval

PowerShell Commands

# View zone aging settings
Get-DnsServerZoneAging -Name "contoso.com"

# Enable zone aging
Set-DnsServerZoneAging -Name "contoso.com" -Aging $true -NoRefreshInterval 7.00:00:00 -RefreshInterval 7.00:00:00

# Enable server scavenging
Set-DnsServerScavenging -ScavengingState $true -ScavengingInterval 7.00:00:00

# Manually trigger scavenging (still subject to safety checks)
Start-DnsServerScavenging

# Check specific record timestamp
Get-DnsServerResourceRecord -ZoneName "contoso.com" -Name "laptop01" | Select-Object HostName, Timestamp, TimeToLive

# Restrict scavenging to specific servers
dnscmd dns-srv01.contoso.com /zoneresetscavengeservers contoso.com 10.1.1.10

5. Common Issues & Troubleshooting

Issue A: Scavenging Not Working — Stale Records Not Deleted

Possible causes:

  1. One of the three layers is not enabled (most common)
  2. “Zone can be scavenged after” time hasn’t elapsed
  3. Record timestamp is 0 (static record)
  4. AD replication issues

Troubleshooting:

# 1. Check zone aging
Get-DnsServerZoneAging -Name "contoso.com"

# 2. Check server scavenging
Get-DnsServerScavenging

# 3. Check target record timestamp
Get-DnsServerResourceRecord -ZoneName "contoso.com" -Name "target-host"

# 4. Check Scavenging Event Log
Get-WinEvent -FilterHashtable @{LogName='DNS Server';Id=2501,2502} -MaxEvents 10

Issue B: Valid Records Deleted (Over-Scavenging)

Possible causes:

  1. Admin ran dnscmd /ageallrecords — sets timestamps on ALL records including static ones
  2. No-Refresh + Refresh intervals set too short
  3. Client DDNS registration failing (firewall, permissions)
  4. Record ACL prevents client from updating

Issue C: Timestamps Not Replicating

Key insight: When zone scavenging is not enabled, timestamp updates are not replicated. This is by design — if aging isn’t enabled, timestamps are irrelevant, so replication bandwidth is saved.

6. Practical Tips

Best Practices

  1. Enable scavenging on only 1 DNS server — zone data is AD-replicated, so one server cleaning is sufficient
  2. Use the three-phase safe enablement for existing environments (Setup → Sanity Check → Enable)
  3. Monitor Event IDs 2501/2502 — these tell you exactly when scavenging runs and how many records are cleaned

Common Misconceptions

Misconception Reality
“Enabling Zone Aging is enough” ❌ Server scavenging must also be enabled
“Manual Scavenge bypasses safety checks” ❌ Still subject to all safety valves
“dnscmd /ageallrecords is safe” ⚠ Timestamps ALL records including static — they will be scavenged!
“Enable scavenging on every DNS server” ❌ Recommend only 1 server for easier management
“No-Refresh blocks all record changes” ❌ Only Refresh (same-IP timestamp update) is blocked; Updates (IP change) always allowed
Dimension DNS Scavenging DNS TTL (Time-to-Live) DHCP Lease Cleanup
Target Resource records on DNS Server Cache entries on DNS Client/Resolver DHCP address assignments
What’s cleaned Stale server-side records Expired client-side cache Expired IP leases
Executed by DNS Server DNS Client/Resolver DHCP Server
Trigger Scheduled + manual Automatic on expiry Automatic on expiry
Default enabled ❌ No ✅ Always ✅ Always
Risk Wrong deletion → resolution failure Cache expiry → brief query delay Address reclaim → IP conflict

8. References

  • Set up DNS scavenging — Official Microsoft troubleshooting doc with complete setup example and calculation method