About 9 months ago I became sys admin over Active Directory for a company. Today someone submitted a ticket pointing out that our DNS had a stale entry for an authoritative server. My investigation found that in 2012 a branch office had been closed and the domain controller in that office had been decommissioned without running dcpromo and removing the DNS role. I also found about a dozen and a half other static DNS entries from the same subnet that office ran on, which subnet is no longer used by the company.
This isn't the first time I've encountered static DNS entries that are years out of date. Most of these belong to our engineering unit, who will stand up a server in their lab, request us to add it to DNS, then kill the server and never tell IT about it. The majority of these are lab servers that are never joined to our AD domain, so I can't check DNS against computer accounts in AD.
How can I isolate and remove all of these stale static entries?
We're running Active Directory at a 2008r2 functional level. All of our DCs are 2008r2.
In order for scavenging to work, each record must have a timestamp. The
dnscmd.exe /ageallrecords
command establishes that timestamp. For actual live systems this merely means that the timestamp will be updated upon running the command and then at the next refresh interval (7 days or at startup). For all stale records this means that a valid timestamp is established, which then allows those stale records to be scavenged at the next scavenge interval. So, assuming that you're going to enable scavenging on the DNS servers and the DNS zones, you can use
dnscmd.exe /ageallrecords
to set the current timestamp on all records. For all Windows systems that actually still exist they'll update their record every 7 days or at startup and therefore shouldn't be scavenged at the next scavenging interval. For all stale records for hosts that no longer exist, they should be scavenged at the next scavenging interval.
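The answer above relies on scavenging to age out the stale records. Before handing everything to the scavenger, it helps to list the static entries explicitly, especially the ones that point into the subnet the closed office used, so nothing still in use gets timestamped and scavenged by accident. The following PowerShell script is an added example, not code from the original question or answer. It assumes the DnsServer PowerShell module from RSAT (Windows 8 / Server 2012 or later on the admin workstation) can manage the DNS server, and the server name, zone name and retired subnet prefix are placeholders to replace with your own.

```powershell
# Added example (not from the original post). Assumes the DnsServer module (RSAT)
# and a DNS server it can manage remotely. All names below are placeholders.
param(
    [string]$DnsServer     = 'dc01.corp.example',  # placeholder: DNS server to query
    [string]$ZoneName      = 'corp.example',       # placeholder: forward lookup zone
    [string]$RetiredSubnet = '10.42.7.',           # placeholder: prefix of the closed office's /24
    [switch]$Remove                                # nothing is deleted unless this is given
)

# 1. Pull every A record in the zone. Manually created (static) records carry no
#    aging timestamp; dynamically registered ones do. That is the property the
#    scavenger keys on, and it is why the answer runs /ageallrecords first.
$records = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ZoneName -RRType A
$static  = $records | Where-Object { $null -eq $_.Timestamp }

# 2. Isolate the static entries that resolve into the decommissioned subnet.
$suspect = $static | Where-Object {
    $_.RecordData.IPv4Address.ToString().StartsWith($RetiredSubnet)
}

"Static A records in $ZoneName : $($static.Count); in retired subnet $RetiredSubnet : $($suspect.Count)"
$suspect |
    Select-Object HostName, @{ n = 'IPv4'; e = { $_.RecordData.IPv4Address.ToString() } }, Timestamp |
    Format-Table -AutoSize

# 3. Review, then remove. A ping reply is only a weak sanity check (the address may
#    have been reused by something else), so a live host is skipped and reported
#    rather than deleted; check it by hand.
foreach ($r in $suspect) {
    $ip = $r.RecordData.IPv4Address.ToString()
    $alive = Test-Connection -ComputerName $ip -Count 1 -Quiet -ErrorAction SilentlyContinue
    if ($alive) {
        Write-Warning "$($r.HostName) ($ip) still answers ping; skipping, verify manually"
        continue
    }
    if ($Remove) {
        Remove-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ZoneName `
            -RRType A -Name $r.HostName -RecordData $ip -Force
        Write-Output "Removed $($r.HostName) -> $ip"
    } else {
        Write-Output "Would remove $($r.HostName) -> $ip (re-run with -Remove to delete)"
    }
}

# 4. Show the aging/scavenging state the answer depends on: aging must be enabled
#    on the zone and scavenging on the server, or timestamped records never expire.
Get-DnsServerZoneAging -ComputerName $DnsServer -Name $ZoneName
Get-DnsServerScavenging -ComputerName $DnsServer

# The timestamping step from the answer, for the whole zone. Syntax per Microsoft's
# dnscmd reference (/tree = include subordinate records, /f = no confirmation);
# confirm it on your build before running. Left commented out deliberately.
# dnscmd $DnsServer /ageallrecords $ZoneName /tree /f
```

Run it once without -Remove to get the report, check the list against whatever the engineering group can still vouch for, then re-run with -Remove. Keeping the deletion behind an explicit switch and logging each removed name gives you a record to point to if someone later asks where a lab host's entry went.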