How to check if the DNS aging feature is enabled to remove stale records

Windows computers refresh their DNS records in the domain zones hosted by the DNS servers every 24 hours. When a Windows computer is removed from the domain or is not able to update its DNS record on the DNS server, the DNS record of that computer remains in the DNS database and is considered a stale DNS record. Stale DNS records remain in the DNS database unless you remove them manually, but you may not want to spend time identifying them and removing them by hand. This is where the DNS aging and scavenging feature comes in handy. The DNS aging feature of the DNS server helps you remove DNS records that are no longer needed: when you enable DNS scavenging on the DNS server and aging on the domain zones, the DNS server removes the records that have not been updated for a configured period of time. If you do not enable DNS scavenging, you might face the following situations:

  • Domain zones will hold the DNS records that are not needed.
  • Over a period of time, DNS database size will be increased.
  • It will take more time for the DNS server service to enumerate and load the DNS database in memory.
  • It will take more time for the DNS server to respond to a DNS query. This is because the DNS server needs to enumerate all DNS records before it can find the required DNS record and then send a response.
  • DNS servers might respond with an invalid DNS record that no longer exists on the network causing naming resolution problems on the network.
  • Another Windows client computer might not be able to register its own DNS records if the same IP address is being used by a stale DNS record.

In this article we will explain how you can use simple PowerShell commands to check whether DNS aging is enabled on all DNS domain zones or not. Before you run any of the PowerShell commands explained in this article, please make sure you have a Windows Server 2012 R2 member server or domain controller ready. Since the commands use the Get-DNSServerZoneAging PowerShell cmdlet, which is installed as part of DNS Server Tools, you must install DNS Server Tools from Server Manager. The Get-DNSServerZoneAging cmdlet returns three properties of interest: AgingEnabled, RefreshInterval, and NoRefreshInterval. By querying these three properties, we can determine the aging status of a domain zone. Let's take a look at some examples of using the Get-DNSServerZoneAging cmdlet.

Querying aging status of a single domain zone

To query a single domain zone on a DNS server and check whether DNS aging is enabled on it or not, execute the PowerShell commands below:


# Name of the domain zone to query; change this to the zone you want to check
$ThisDomainZone = "TechGenix.com"
# Retrieve the aging configuration of the zone from the local DNS server
$AgingConf = Get-DNSServerZoneAging -Name $ThisDomainZone
$RefInterval = $AgingConf.RefreshInterval
$NoRefInterval = $AgingConf.NoRefreshInterval
# True when aging is enabled on the zone
$AgingConf.AgingEnabled
# Configured Refresh and No-Refresh intervals (TimeSpan values)
$RefInterval
$NoRefInterval


By executing the PowerShell commands above, you will see the DNS aging status for the "TechGenix.com" domain zone. If you wish to see the DNS aging status of a domain zone of your choice, simply modify the "$ThisDomainZone" variable. The "AgingEnabled" property returns "True" if DNS aging is enabled. The "$RefInterval" and "$NoRefInterval" variables in the commands above contain the values configured for the Refresh Interval and the No-Refresh Interval.
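The zone-level AgingEnabled value alone does not tell you whether stale records will actually be removed: scavenging is a server-wide setting, and a zone with aging enabled on a server where scavenging is off only timestamps its records. The following added example (not from the original article) extends the single-zone check by reading the server-level scavenging state with Get-DnsServerScavenging and computing how long a record must go unrefreshed before it becomes eligible for removal. It assumes the DnsServer module (DNS Server Tools) is installed and that it runs on the DNS server itself; the zone name is a placeholder.

```powershell
# Added example: combine zone aging with the server-wide scavenging setting.
# Assumes the DnsServer module is installed and the script runs on the DNS server.
$ThisDomainZone = "TechGenix.com"   # placeholder; replace with the zone to check

$AgingConf  = Get-DnsServerZoneAging -Name $ThisDomainZone
$Scavenging = Get-DnsServerScavenging   # server-level state, interval and last run

if (-not $AgingConf.AgingEnabled) {
    Write-Warning "Aging is disabled on zone '$ThisDomainZone'; stale records will not be removed."
}
elseif (-not $Scavenging.ScavengingState) {
    # Zone aging without server scavenging only stamps records; nothing is deleted.
    Write-Warning "Zone '$ThisDomainZone' has aging enabled, but scavenging is disabled on this server."
}

# A record becomes eligible for scavenging only after the No-Refresh and Refresh
# intervals have both elapsed since its last refresh; the server then removes it
# on its next scavenging run (every ScavengingInterval).
$EligibleAfter = $AgingConf.NoRefreshInterval + $AgingConf.RefreshInterval

[PSCustomObject]@{
    ZoneName           = $AgingConf.ZoneName
    AgingEnabled       = $AgingConf.AgingEnabled
    NoRefreshInterval  = $AgingConf.NoRefreshInterval
    RefreshInterval    = $AgingConf.RefreshInterval
    EligibleAfter      = $EligibleAfter
    ServerScavenging   = $Scavenging.ScavengingState
    ScavengingInterval = $Scavenging.ScavengingInterval
    LastScavengeTime   = $Scavenging.LastScavengeTime
}
```

With the default intervals of seven days each, EligibleAfter works out to 14 days; a LastScavengeTime that is empty or far in the past on a server whose ScavengingState is True is worth investigating, because it means the scavenging cycle is not actually running.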

Querying aging status of multiple domain zones

If the DNS server hosts multiple domain zones and you would like to query the DNS aging status of each of them, create a text file that holds the domain zone names you want to query and add a ForEach loop to the PowerShell commands, as shown in the script below:


# Text file with one domain zone name per line
$DomZones = "C:\Temp\DomainZones.TXT"
ForEach ($ThisDomainZone in Get-Content $DomZones)
{
    # Retrieve the aging configuration of the current zone
    $AgingConf = Get-DNSServerZoneAging -Name $ThisDomainZone
    $RefInterval = $AgingConf.RefreshInterval
    $NoRefInterval = $AgingConf.NoRefreshInterval
    # Output aging status and the two intervals for this zone
    $AgingConf.AgingEnabled
    $RefInterval
    $NoRefInterval
}


When you execute the above PowerShell script, it queries each domain zone listed in "C:\Temp\DomainZones.TXT" and retrieves the DNS aging configuration for each of them. Make sure to add the domain zone names, one per line, to C:\Temp\DomainZones.TXT before running the script.

If you would like to store the output in a CSV file, add the Add-Content PowerShell cmdlet to the script, as shown in the example below:


# Text file with one domain zone name per line, and the CSV report to write
$DomZones = "C:\Temp\DomainZones.TXT"
$ReportFile = "C:\Temp\DNSAgingStatus.CSV"
# CSV header row (Add-Content appends, so delete an old report first to avoid a duplicate header)
$STR = "Domain Zone, Aging Status, Refresh Interval, No-Refresh Interval"
Add-Content $ReportFile $STR
ForEach ($ThisDomainZone in Get-Content $DomZones)
{
    $AgingConf = Get-DNSServerZoneAging -Name $ThisDomainZone
    $RefInterval = $AgingConf.RefreshInterval
    $NoRefInterval = $AgingConf.NoRefreshInterval
    $AgingEnaOrNot = $AgingConf.AgingEnabled
    # Build one CSV row for this zone and append it to the report
    $STRNew = $ThisDomainZone + "," + $AgingEnaOrNot + "," + $RefInterval + "," + $NoRefInterval
    Add-Content $ReportFile $STRNew
}


Once you execute the above script, a CSV file named DNSAgingStatus.CSV is created in the C:\Temp folder. The CSV file contains the domain zone name, aging status, refresh interval and no-refresh interval for each domain zone. You can then take the necessary actions to modify the aging settings on the domain zones. In any case, DNS aging must be enabled on the primary domain zones.
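Maintaining a zone list file by hand is itself a source of stale data: a zone added after the file was written is silently skipped. The following added example (not the article's own script) enumerates the primary zones directly from the server with Get-DnsServerZone, records the aging settings of each one together with its dynamic-update mode, writes the report with Export-Csv, and then lists the zones most likely to accumulate stale records: those that accept dynamic updates but have aging disabled. It assumes the DnsServer module is installed and that it runs on the DNS server; the report path is a placeholder.

```powershell
# Added example: inventory aging on every primary zone the server hosts and
# write a CSV report. Assumes the DnsServer module is installed and the script
# runs on the DNS server; the report path is a placeholder.
$ReportFile = "C:\Temp\DNSAgingStatus.CSV"

# Skip auto-created zones (0.in-addr.arpa, localhost, ...) and the TrustAnchors
# zone, and only look at primary zones, since aging is configured there.
$Zones = Get-DnsServerZone |
    Where-Object { -not $_.IsAutoCreated -and $_.ZoneType -eq 'Primary' -and $_.ZoneName -ne 'TrustAnchors' }

$Report = foreach ($Zone in $Zones) {
    $AgingConf = Get-DnsServerZoneAging -Name $Zone.ZoneName
    [PSCustomObject]@{
        'Domain Zone'         = $Zone.ZoneName
        'AD Integrated'       = $Zone.IsDsIntegrated
        'Dynamic Update'      = $Zone.DynamicUpdate      # None, Secure or NonsecureAndSecure
        'Aging Status'        = $AgingConf.AgingEnabled
        'Refresh Interval'    = $AgingConf.RefreshInterval
        'No-Refresh Interval' = $AgingConf.NoRefreshInterval
    }
}

# Export-Csv writes the header once and quotes fields, so re-running the script
# overwrites the previous report instead of appending a second header row.
$Report | Export-Csv -Path $ReportFile -NoTypeInformation

# Zones that accept dynamic updates but have aging disabled are the ones where
# machines that leave the network leave stale records behind; list them for follow-up.
$Report |
    Where-Object { -not $_.'Aging Status' -and $_.'Dynamic Update' -ne 'None' } |
    Format-Table 'Domain Zone', 'Dynamic Update', 'Aging Status' -AutoSize
```

Reviewing the "Dynamic Update" column alongside the aging status is useful in its own right: a zone that allows nonsecure updates lets any host on the network overwrite existing records, so such zones deserve attention regardless of their aging setting.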


1 thought on “How to check if the DNS aging feature is enabled to remove stale records”

  1. Thank you for your post.

    In the second script, instead of writing a text file of all the domain names and importing it, you could replace the first two lines with:

    $DomZones = (Get-DnsServerZone | Where-Object {$_.IsAutoCreated -eq $False -and $_.ZoneName -ne 'TrustAnchors'}).ZoneName

    ForEach ($ThisDomainZone in $DomZones)
