DNS Scavenging Deleted Valid Records: Recovery and Prevention

13 min read

When dns scavenging deleted records from your Windows Server DNS zone, the first priority is identifying exactly what was removed – not adjusting aging intervals or re-enabling scavenging. Export the current zone immediately, then check DNS Server Audit Event ID 521 to get a per-record list of what was scavenged. Dynamic client and domain-controller records can often be re-registered within minutes. Static records – servers, appliances, manually maintained aliases – need to be rebuilt from an export or restored from backup. This article covers each recovery path in order of urgency and complexity, then the root-cause corrections that prevent a repeat incident.

Scope note This article covers recovery after DNS scavenging removes valid records on a Windows Server DNS Server role deployment. For DNS failures caused by Active Directory replication or DC locator issues, see Active Directory DNS Problems. For scavenging configuration and safe rollout, see DNS Scavenging Windows Server: Aging and Safe Rollout Guide.
TL;DR
  • Use DNS Server Audit Event ID 521 to identify each scavenged record – it is the only reliable per-record evidence
  • Before any recovery action: export the current zone with dnscmd /zoneexport
  • Dynamic client records: ipconfig /registerdns on each affected client – forward record recovery depends on dynamic update permissions, PTR depends on zone ownership
  • DC SRV/CNAME records: nltest /dsregdns on each affected DC, validate with dcdiag /test:dns /v
  • DHCP-owned records: trigger lease renewal, verify DHCP DNS update credentials – Reconcile Scopes does not restore DNS records
  • Static records: rebuild manually from pre-incident export or inventory; no automatic recovery path
  • Entire zone missing: AD Recycle Bin or System State authoritative restore – last resort, requires tested procedure
  • Do not run dnscmd /ageallrecords during incident response – it timestamps static records and makes future scavenging worse

Before You Do Anything Else

Two actions before touching DNS configuration or running any registration commands. Whether dns scavenging deleted records from one zone or wiped dozens of entries across multiple zones, the sequence is the same.

Export the current zone state. This preserves what exists now as your baseline and gives you a comparison point to verify recovery completeness later.

dnscmd <DNS-server> /zoneexport <zonename> <zonename>.dns

The export file lands in %SystemRoot%\System32\dns\. Copy it off the DNS server immediately. For AD-integrated zones this export captures the DNS record data, not the underlying AD object structure – but it is the fastest usable inventory you have.

Do not run dnscmd /ageallrecords. This command assigns aging timestamps to every record in the zone, including records that were intentionally static and had no timestamp. Once timestamps are applied to those records they become eligible for scavenging. There is no bulk undo. Individual records can be returned to static by recreating them or clearing the stale-record flag in DNS Manager, but that requires knowing which records were affected – work you want to avoid adding to an active incident.

Confirm DNS Scavenging Deleted Records

Before investing time in recovery, confirm that scavenging is actually the cause. DNS records can disappear from replication failures, DHCP reconfiguration, and accidental deletion – each has a different fix.

Check the DNS Server Audit log first. Event ID 521 in the Microsoft-Windows-DNSServer/Audit channel records each individual scavenged record. This is the most direct evidence.

Get-WinEvent -LogName "Microsoft-Windows-DNSServer/Audit" -MaxEvents 500 | Where-Object { $_.Id -eq 521 } | Select-Object TimeCreated, Message | Sort-Object TimeCreated -Descending

Each Event 521 entry shows the record name, type, and data that was removed. If you see a cluster of 521 events at a specific time, that is your scavenging run. Note the timestamp – you will cross-reference it with zone export comparisons and DHCP lease data. Microsoft’s Troubleshoot DNS scavenging issues documents the full audit event structure for each scavenging cycle event.

Related events in the same audit channel:

Event IDChannelMeaning
521DNS Server AuditSpecific record was scavenged – record name, type, and data in event detail
552DNS Server AuditScavenging cycle started
554DNS Server AuditScavenging cycle completed
2501DNS Server (System)Scavenging ran and removed records – count only, no record detail
2502DNS Server (System)Scavenging ran but removed no records

Event 2501 tells you scavenging ran and deleted something. Event 521 tells you exactly what. If you have 2501 without 521 events, check whether DNS debug audit logging was enabled before the incident – without it, per-record detail is unavailable and you will need to compare the current zone against a backup or export. For the full DNS Server event ID reference, see Windows Server DNS Event IDs Explained.

Verify scavenging is configured on this server and zone.

Get-DnsServerScavenging Get-DnsServerZone -ZoneName <zonename> | Select ZoneName, AgingEnabled, NoRefreshInterval, RefreshInterval

Scavenging requires both server-level enablement and zone-level aging enablement. If both are on, and you see 521 or 2501 events, scavenging is the cause.

Failure scenario In environments where DNS scavenging was recently enabled for the first time on a zone with many legacy records, a mass deletion can occur at the first scavenging run. Records created before aging was configured have no timestamp. Depending on the scavenging server and zone configuration, these records can be treated as having a timestamp of zero, making them immediately eligible. This pattern surfaces repeatedly in Windows Server deployments after someone enables scavenging to clean up stale DHCP records without first auditing which records have timestamps.

Identify Which Records Are Missing

Not all DNS records recover the same way. When dns scavenging deleted records from a zone, the recovery path depends entirely on how each record was originally created. Classifying missing records before starting recovery saves time and avoids re-registration attempts that cannot succeed.

Compare the current zone state against the zone export you just captured, or against a pre-incident backup:

# Get current A records with timestamps Get-DnsServerResourceRecord -ComputerName "DC01" -ZoneName "contoso.com" -RRType "A" | Select-Object HostName, RecordType, Timestamp, RecordData | Export-Csv -Path "C:\dns-current.csv" -NoTypeInformation

Cross-reference against the zone export or previous CSV. The difference is your recovery list. Classify each missing record:

Record typeRecovery pathRecovery timeKey dependency
Member server / workstation A recordipconfig /registerdns on clientMinutesDynamic updates and ACLs must be working
Client PTR recordClient or DHCP owner triggers registrationMinutes to lease renewalReverse zone exists, ownership correct
Domain controller SRV/CNAME/A recordsnltest /dsregdns on each DCMinutesNetlogon service healthy, DNS dynamic update working
DHCP-owned A/PTRTrigger lease renewal, verify DHCP DNS update settingsMinutes to lease cycleDHCP credentials and zone ACLs correct
Static server record (manually created)Recreate from export or inventoryMinutes per recordAccurate source data required
Appliance / non-Windows deviceRecreate manually or trigger device DDNS clientMinutes to hoursDevice may not self-register
Application alias / CNAMERecreate from documentation or exportMinutes per recordTarget A record must exist first
Large group of static recordsScripted rebuild from validated exportHoursExport accuracy, import script tested

Recover Records by Type

The recovery sequence below assumes dns scavenging deleted records that were previously valid – not records lost to replication failure or accidental deletion. Work through the categories in order: dynamic records first (fastest), static records last (manual work required).

Dynamic Client Records (Workstations and Member Servers)

These are the fastest to recover. Run on each affected client:

ipconfig /registerdns

This triggers the client to submit a DNS dynamic update for its configured interfaces. In a standard domain environment with working dynamic update permissions, the forward A record returns within seconds. Check Event Viewer on the DNS server for dynamic update events to confirm.

PTR record recovery depends on who owns reverse registration. In environments where the client owns its own reverse registration, ipconfig /registerdns handles both. Where DHCP owns reverse registration (the more common configuration in DHCP-heavy environments), PTR records return when the DHCP server processes the next lease renewal or update – not from the client command alone.

If ipconfig /registerdns succeeds but the record does not appear in DNS, check:

ipconfig /registerdns Succeeds but Record Missing
  1. Check DNS Server dynamic update setting: Get-DnsServerZone -ZoneName <zone> | Select DynamicUpdate – should be Secure or NonSecure, not None
  2. Verify the client’s computer account has permission to update its own record – check ACL on the DNS record in ADSI Edit or DNS Manager
  3. Check Event Viewer on the DNS server for update rejection events
  4. On the client, run ipconfig /all – confirm DNS suffix is correct and matches the zone name
  5. If the zone uses Secure updates and the client record is owned by the wrong account (common after re-imaging), delete the existing DNS object and re-register

Domain Controller Locator Records (SRV, CNAME, A)

DC locator records in _msdcs and the main zone are registered by Netlogon. Run on each affected domain controller:

nltest /dsregdns

This triggers Netlogon to re-register all DC locator records for the domain. Validate immediately after:

dcdiag /test:dns /v nslookup -type=SRV _ldap._tcp.dc._msdcs.contoso.com

If nltest /dsregdns does not restore the records, restarting Netlogon forces re-registration as well – but it is a more disruptive action. Try the nltest command first.

net stop netlogon net start netlogon

DC SRV record loss causes authentication and LDAP lookup failures across the domain. This recovery step should happen before or alongside client re-registration when DC records are confirmed missing.

DHCP-Owned Records

Where the DHCP server registers DNS on behalf of clients (common in environments using DHCP option 81 or DHCP server-side update policies), recovery requires working through the DHCP server, not the clients directly.

First, confirm DHCP is configured to update DNS and that the credentials are valid:

# Check DHCP server DNS update settings (run on DHCP server) Get-DhcpServerv4DnsSetting

Then trigger lease renewals on affected clients – the DHCP server will submit fresh DNS updates as part of the lease acknowledgment. For clients that cannot renew immediately, the DHCP server audit log at %SystemRoot%\System32\dhcp\ shows update attempts and failures.

DHCP Reconcile Scopes repairs inconsistencies in the DHCP lease database. It does not recreate deleted DNS records. Do not use it as a DNS recovery step.

Static Records (Manually Created)

Static records – those created manually in DNS Manager or via dnscmd with no aging timestamp – have no self-registration mechanism. When dns scavenging deleted records of this type, they must be rebuilt from your zone export, a pre-incident backup, or documentation. There is no automatic recovery path.

From the zone export file, identify each missing static record and re-add it. In DNS Manager: right-click the zone, New Host (A or AAAA), and leave “Create associated pointer (PTR) record” checked if needed. After creation, verify the record has no aging timestamp by checking its properties – the “Delete this record when it becomes stale” checkbox should be unchecked for intentionally static records.

Alternatively via PowerShell for A records:

Add-DnsServerResourceRecordA -ZoneName "contoso.com" -Name "server01" -IPv4Address "10.0.0.50"

Records added this way are static by default – they carry no aging timestamp and are not eligible for scavenging.

Field note A pattern seen repeatedly in Windows Server environments: devices with manually assigned static IP addresses have dynamically registered DNS records. The owner assumes “static IP = static DNS record.” In practice, if the device’s DNS registration settings allow dynamic updates, the record carries a timestamp and is eligible for scavenging. After an incident, the device’s DNS record disappears and the owner spends time looking for a recovery command rather than a registration settings problem. The fix after recovery is to verify the record is actually static – zero timestamp in DNS Manager – not just that the device has a static IP.

The AD-Integrated DNS Tombstone Window

For AD-integrated DNS zones, a scavenged record is not immediately purged from Active Directory. The DNS node object transitions to a tombstoned state and is retained for a period controlled by the DsTombstoneInterval registry value (default: 7 days, set in days on the DNS server). Microsoft documents this lifecycle in detail in the DNS logging and diagnostics reference.

During this window, the object exists in AD but is not visible in normal DNS administration views. A fresh dynamic update for the same record name can recreate the DNS data, potentially reusing the same AD object structure.

This is a useful forensic insight – it explains why re-registration often succeeds quickly in AD-integrated zones and why a zone export shows fewer records than AD actually holds at that moment. It is not a native undo feature. There is no supported DNS Manager or PowerShell operation to “untombstone” a DNS record. Manually editing the dNSTombstoned AD attribute is not a supported recovery method and should not be attempted in production. The tombstone window exists to allow AD replication to propagate the deletion – not to provide a recovery window after dns scavenging deleted records incorrectly.

After the tombstone retention period, the AD DNS object cleanup interval removes the object permanently. At that point, re-registration creates a completely new object.

Restore from Export or Backup

Zone Export Rebuild

If the zone export you captured at the start of the incident is insufficient (because the export ran after deletion), compare it against a scheduled export or backup copy. The DNS zone export format is a standard zone file – each record is readable and can be re-imported or used to manually reconstruct missing records.

For bulk reconstruction of static records, a tested PowerShell import script built from the zone export CSV is faster than manual DNS Manager entry. The CSV produced by Get-DnsServerResourceRecord | Export-Csv is an inventory reference, not a native restore format – you need a script to parse it and call Add-DnsServerResourceRecord* for each record type.

AD Recycle Bin

AD Recycle Bin preserves deleted AD objects when it was enabled before deletion. For DNS, it is most useful when entire zones or zone subtrees were deleted from Active Directory – not for individual records removed by normal scavenging cleanup (where the DNS node is tombstoned, not deleted). If dns scavenging deleted records through the normal aging process, Recycle Bin is not the right recovery tool – re-registration and manual rebuild are.

Check whether AD Recycle Bin is enabled:

Get-ADOptionalFeature -Filter 'name -like "Recycle Bin Feature"'

If it is enabled and the relevant DNS AD objects were deleted (not just tombstoned by scavenging), recovery is possible via Get-ADObject and Restore-ADObject. In practice, scavenging creates tombstoned DNS nodes rather than fully deleted AD objects, so Recycle Bin is rarely the right tool for a standard scavenging incident.

System State Authoritative Restore (Last Resort)

When large portions of the DNS zone are unrecoverable through re-registration and no usable export exists, a System State authoritative restore of the DNS zone data from a domain controller backup is an option – but a disruptive one.

Failure scenario An authoritative restore of AD-integrated DNS data requires booting a domain controller into Directory Services Restore Mode and running an ntdsutil authoritative restore targeting the DNS application partition. This is a domain-controller-level recovery operation. Done incorrectly, it can affect AD replication beyond DNS. It requires a tested procedure, a backup that predates the deletion, replication planning, and a healthy second domain controller. For anything beyond individual record recovery, treat this as a formal DR operation and consider engaging Microsoft support. Do not improvise the DN paths or restore commands without lab-validated procedures for your specific AD partition layout.

AD-integrated DNS zones live in application partitions with distinguished names in the form:

DC=contoso.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=contoso,DC=com # or for forest-wide zones: DC=contoso.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=contoso,DC=com

Verify the actual partition your zone uses before any restore attempt:

Get-DnsServerZone -ZoneName "contoso.com" | Select ZoneName, ReplicationScope

Find the Root Cause: Why DNS Scavenging Deleted Records

Recovering the records stops the immediate outage. Fixing the root cause prevents the next one. Understanding why dns scavenging deleted records that should have been safe is the difference between a one-time incident and a recurring problem.

Intervals too short for the environment. The total of no-refresh interval plus refresh interval (default 7+7 days) defines the minimum time a record must exist before becoming eligible for scavenging. If DHCP leases are longer than 14 days, or if devices do not refresh their DNS registration reliably, valid records age out before they can be re-registered. Microsoft’s guidance on safe DNS scavenging setup recommends auditing lease durations before enabling scavenging. Check lease durations against scavenging intervals:

Get-DnsServerScavenging Get-DhcpServerv4Scope | Select ScopeId, LeaseDuration

The no-refresh interval should be at least as long as the longest DHCP lease duration.

Records without timestamps (static records that became eligible). Before scavenging was enabled, records created manually had no aging timestamp. When scavenging runs for the first time, treatment of timestamp-zero records depends on the scavenging server configuration – some configurations treat zero-timestamp records as immediately eligible. Audit before enabling scavenging:

# Records with no timestamp (static - not eligible under normal scavenging) Get-DnsServerResourceRecord -ComputerName "DC01" -ZoneName "contoso.com" -RRType "A" | Where-Object { -not $_.Timestamp } | Select HostName, RecordData # Records with timestamps (aging-eligible) Get-DnsServerResourceRecord -ComputerName "DC01" -ZoneName "contoso.com" -RRType "A" | Where-Object { $_.Timestamp } | Select HostName, Timestamp, RecordData

DnsUpdateProxy group misuse. When a DHCP server is a member of the DnsUpdateProxy security group, all DNS records it registers on behalf of clients are created without owner ACLs – any authenticated user can update them. These records can be deleted by the next dynamic update from a different source. If DnsUpdateProxy is in use and records disappear without scavenging being involved, ACL issues are the more likely cause. The safer alternative is dedicated DHCP service credentials for DNS registration without DnsUpdateProxy.

AD replication failure. In a multi-DC environment, scavenging on one DC can delete records that have not yet replicated to other DCs. The result looks like a partial deletion – records present on some DCs, missing on others. Check replication health before assuming scavenging settings are the problem:

repadmin /showrepl dcdiag /test:replications

For the full AD replication diagnostic workflow, see Active Directory Replication Not Working.

Devices with static IPs but dynamic DNS registration. As noted in the field note above – a static IP address does not make a DNS record static. If the device’s operating system registers DNS dynamically, the record carries a timestamp. Verify each server-class record that should be permanent is actually created as a static DNS record with no aging timestamp.

Prevent Recurrence

Full scavenging configuration guidance is in DNS Scavenging Windows Server: Aging and Safe Rollout Guide. The short prevention checklist after an incident where dns scavenging deleted records unintentionally:

TL;DR
  • Audit record timestamps before re-enabling scavenging: static records must have no timestamp, intentionally dynamic records must refresh within the no-refresh + refresh window
  • Set no-refresh interval to at least the longest DHCP lease duration in the environment
  • Enable scavenging on one DNS server only – if multiple servers scavenge, they can delete records before other DCs replicate them
  • Verify that server records meant to be permanent are created as static (no aging timestamp in DNS Manager properties)
  • Schedule a monthly zone export to keep a current pre-incident baseline
  • Enable DNS audit logging if not already active – without Event ID 521, per-record deletion evidence is unavailable

To enable DNS audit logging if it is not already on:

wevtutil sl "Microsoft-Windows-DNSServer/Audit" /e:true

Verification Commands

# Check scavenging state Get-DnsServerScavenging # Check zone aging settings Get-DnsServerZone -ZoneName "contoso.com" | Select ZoneName, AgingEnabled, NoRefreshInterval, RefreshInterval # Find per-record scavenging events Get-WinEvent -LogName "Microsoft-Windows-DNSServer/Audit" -MaxEvents 1000 | Where-Object { $_.Id -eq 521 } | Select-Object TimeCreated, Message # Find scavenging cycle events Get-WinEvent -LogName "Microsoft-Windows-DNSServer/Audit" -MaxEvents 100 | Where-Object { $_.Id -in 552, 554 } | Select-Object TimeCreated, Id, Message # Export current zone for baseline dnscmd <server> /zoneexport <zonename> <zonename>.dns # Audit record timestamps Get-DnsServerResourceRecord -ComputerName "DC01" -ZoneName "contoso.com" -RRType "A" | Select-Object HostName, Timestamp, @{N="IP";E={$_.RecordData.IPv4Address}} | Sort-Object Timestamp # Re-register DC locator records nltest /dsregdns dcdiag /test:dns /v

FAQ

Can DNS scavenging delete static records?

Yes, under certain conditions – and this is often the root cause when dns scavenging deleted records that were supposed to be permanent. Records with no aging timestamp are not eligible for scavenging under normal configuration. Records created with aging enabled – or records that had dnscmd /ageallrecords applied to the zone – carry timestamps and can be scavenged. A device having a static IP address does not automatically mean its DNS record is static. If the device’s OS uses dynamic registration, the record carries a timestamp regardless of the IP configuration.

How do I see which DNS records were scavenged?

When dns scavenging deleted records, the evidence is in the DNS Server Audit log. Check Event ID 521 in Event Viewer under Applications and Services Logs – Microsoft – Windows – DNSServer – Audit. Each Event 521 records the specific hostname, record type, and data that was removed. If the audit log was not enabled before the incident, Event 2501 in the DNS Server log tells you scavenging ran and how many records were removed, but without per-record detail.

Does ipconfig /registerdns restore SRV records?

No. ipconfig /registerdns re-registers the computer’s A and optionally PTR records. SRV records for domain controllers are registered by Netlogon, not the standard DNS client. Use nltest /dsregdns on each affected domain controller to restore DC locator SRV, CNAME, and A records.

Can AD Recycle Bin restore a scavenged DNS record?

Rarely, for a standard scavenging incident. Scavenging creates tombstoned DNS node objects in Active Directory, not deleted objects. AD Recycle Bin protects against deleted objects. If the DNS zone or a zone subtree was deleted from AD directly, Recycle Bin can help. For records removed by routine scavenging, re-registration or manual recreation is the correct path.

Why did a server with a static IP address lose its DNS record?

A static IP address does not make a DNS record static. If the server’s operating system or DHCP client is configured for dynamic DNS registration, the record carries an aging timestamp and is eligible for scavenging when the timestamp ages out. Verify in DNS Manager that the record’s properties show no aging timestamp – the “Delete this record when it becomes stale” option should be unchecked for records that must be permanent.

How long before a scavenged AD-integrated DNS record is permanently removed?

Scavenged records in AD-integrated zones are tombstoned, not immediately deleted. The tombstone is retained for a period controlled by the DNS server’s DsTombstoneInterval setting (default 7 days). After that, the AD object cleanup process removes the tombstoned object permanently. During the retention window, a fresh DNS registration for the same record name can restore service quickly. After the window closes, re-registration creates a new object from scratch – functionally the same result.

Is the zone export from dnscmd sufficient for a full restore?

As an inventory and manual reconstruction reference, yes – and it is the fastest option when dns scavenging deleted records that were static and cannot self-register. As an automated restore source without additional tooling, no. The zone file produced by dnscmd /zoneexport is human-readable and contains all record data. To bulk-restore records from it, you need either a script that parses the file and calls Add-DnsServerResourceRecord for each record type, or manual DNS Manager recreation. It is not a one-command import format.