When you remove AD computer objects, DNS records are left in the Windows Server DNS. The best way is to Set up DNS aging and scavenging. But if these records are static, they will not be removed automatically. Also, what if you can’t wait and want to remove the stale records immediately? That’s when PowerShell comes to the rescue. In this article, you will learn how to clean up stale DNS records with PowerShell.

What are DNS records

DNS resource records contain the information that a zone maintains about the resources (such as hosts) that the zone contains. A typical resource record consists of the following:

  • Name (host) of the resource record.
  • Information about how long the resource record can remain in the cache.
  • Resource record type, such as a host (A) resource record.
  • Data that’s specific to the record type, such as the host’s IPv4 address.

You can add resource records directly, or they can be added automatically when Windows-based, Dynamic Host Configuration Protocol (DHCP) enabled clients join a network using dynamic update.

The following resource record types are well-known:

  • Host (A, AAAA) records
  • Alias (CNAME) records
  • Mail exchanger (MX) records
  • Pointer (PTR) records
  • Service location (SRV) records
  • Name server (NS) records
  • Text (TXT) record
  • Delegation name (DNAME) record
  • Start of authority (SOA) record

Check old records in DNS Manager

Start DNS Manager and check for the old DNS records that contain the hostname, FQDN, and IP address.

In our example, we want to find the records of the Domain Controller that we demoted:

  • Hostname: DC01-2019
  • FQDN: DC01-2019.exoip.local.
  • IP address: 192.168.1.51

Right-click on a zone and click Properties.

[Screenshot: zone Properties dialog]

Click Name Servers.

The old server appears in the list, which is the Name Server (NS) record.

[Screenshot: Name Servers tab listing the old server]

The Host (A) record is present.

[Screenshot: Host (A) record of the old server]

The Service Location (SRV) record is present.

If we go through more zones, we will find all the stale DNS records of that particular AD computer object.

Going through all the zones and removing the old DNS records by hand takes time. It is also easy to overlook a record, which then stays behind.

Instead of going through all the DNS server zones and removing the DNS records of the AD computer object manually, we will automate the process with PowerShell and clean up all the stale records.

Note: You should Set up DNS Aging and Scavenging in Active Directory, so it will remove the stale dynamic DNS records. While this will clean up the stale records in DNS, it will not remove old static DNS records, and that’s what the below PowerShell script will do.
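The note above hinges on the difference between dynamic and static records: only records that carry a timestamp are ever aged and scavenged. The following added example (not part of the article) shows how to read the server and zone scavenging settings and how to list the records that have no timestamp, which are the static ones that scavenging will never remove. It assumes it runs on a DNS server or Domain Controller with the DnsServer module installed.

```powershell
# Added example (not from the article or its script). Reports scavenging/aging settings and
# lists records without a timestamp, i.e. static records that aging and scavenging never touch.
# Assumes the DnsServer module is available on the server where this runs.
Import-Module DnsServer

# 1. Server-wide scavenging. If ScavengingState is False, no zone is ever scavenged,
#    regardless of the per-zone aging settings.
Get-DnsServerScavenging |
    Select-Object ScavengingState, ScavengingInterval, NoRefreshInterval, RefreshInterval, LastScavengeTime |
    Format-List

# 2. Per-zone aging for every primary zone hosted here (auto-created reverse zones excluded).
$Zones = Get-DnsServerZone | Where-Object { $_.ZoneType -eq "Primary" -and -not $_.IsAutoCreated }
$Zones | ForEach-Object { Get-DnsServerZoneAging -Name $_.ZoneName } |
    Select-Object ZoneName, AgingEnabled, NoRefreshInterval, RefreshInterval |
    Format-Table -AutoSize

# 3. Static records: Timestamp is empty for records created manually (or registered with aging off).
#    These are the records that survive scavenging and need a manual or scripted clean-up.
$Static = foreach ($Zone in $Zones) {
    Get-DnsServerResourceRecord -ZoneName $Zone.ZoneName |
        Where-Object { $_.RecordType -in 'A','AAAA','CNAME','SRV','NS','MX','PTR' -and -not $_.Timestamp } |
        ForEach-Object {
            [pscustomobject]@{
                Zone       = $Zone.ZoneName
                HostName   = $_.HostName
                RecordType = $_.RecordType
                Timestamp  = $_.Timestamp   # empty means static
            }
        }
}
$Static | Sort-Object Zone, RecordType, HostName | Format-Table -AutoSize
```

Apex NS records are always static, so they will appear in the third listing for every zone; that is expected and is exactly why the demoted server's NS entries in the article's output need to be removed by script rather than by scavenging.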

Remove stale DNS entries with PowerShell script

An excellent way to remove old DNS records is with the Remove-DNSRecords.ps1 PowerShell script that uses the following three cmdlets:

  1. Get-DnsServerZone cmdlet to retrieve the primary zones.
  2. Get-DnsServerResourceRecord cmdlet to find all resource records equal to the FQDN, Hostname, and IP address.
  3. Remove-DnsServerResourceRecord to remove the retrieved DNS records.

Step 1. Download Remove-DNSRecords PowerShell script

Download the Remove-DNSRecords.ps1 PowerShell script and place it in the C:\scripts folder on the Domain Controller. If you don’t have a scripts folder, create one.

Ensure the file is unblocked to prevent errors when running the script.
Another option is to copy and paste the below code into Notepad. Give it the name Remove-DNSRecords.ps1 and place it in the C:\scripts folder.

<#
    .SYNOPSIS
    Remove-DNSRecords.ps1

    .DESCRIPTION
    Clean up stale DNS records with PowerShell.

    .LINK
    www.traceroute.net/clean-up-dns-records-powershell/

    .NOTES
    Written by: ALI TAJRAN
    Website:    www.traceroute.net
    LinkedIn:   linkedin.com/in/traceroute

    .CHANGELOG
    V1.00, 01/20/2024 - Initial version
#>

$ServerFQDN = "dc01-2019.exoip.local." #Keep the dot (.) at the end
$ServerHostname = "dc01-2019"
$IPAddress = "192.168.1.51"

# All primary zones hosted on this DNS server (forward, reverse and _msdcs zones)
$Zones = Get-DnsServerZone | Where-Object { $_.ZoneType -eq "Primary" } |
Select-Object -ExpandProperty ZoneName

foreach ($Zone in $Zones) {
    # Match every record type that can point at the old server:
    # A (IPv4Address), NS (NameServer), SRV (DomainName), CNAME (HostnameAlias),
    # MX (MailExchange), plus any record whose name is the old hostname.
    Get-DnsServerResourceRecord -ZoneName $Zone | Where-Object {
        $_.RecordData.IPv4Address -eq $IPAddress -or
        $_.RecordData.NameServer -eq $ServerFQDN -or
        $_.RecordData.DomainName -eq $ServerFQDN -or
        $_.RecordData.HostnameAlias -eq $ServerFQDN -or
        $_.RecordData.MailExchange -eq $ServerFQDN -or
        $_.HostName -eq $ServerHostname
    } | Remove-DnsServerResourceRecord -ZoneName $Zone -Force -WhatIf # Remove -WhatIf to delete for real
}

  • Lines 20, 21, 22: Change the ServerFQDN, ServerHostname, and IPAddress values to those of the AD computer object whose stale DNS records you want to remove.

Step 2. Run Remove-DNSRecords PowerShell script

Start Windows PowerShell and run the Remove-DNSRecords.ps1 script.

Note: Nothing will happen to the environment when you run the script because the -WhatIf parameter is added in the script. Once you identify and confirm the stale records, remove the -WhatIf parameter and rerun the script.

C:\scripts\.\Remove-DNSRecords.ps1

This is how it looks in our example.

What if: Removing DNS resource record @ of type NS from zone _msdcs.exoip.local on DC01-2022 server.
What if: Removing DNS resource record @ of type NS from zone autodiscover.exoip.com on DC01-2022 server.
What if: Removing DNS resource record dc01-2019 of type A from zone exoip.local on DC01-2022 server.
What if: Removing DNS resource record @ of type NS from zone exoip.local on DC01-2022 server.
What if: Removing DNS resource record DomainDnsZones of type A from zone exoip.local on DC01-2022 server.
What if: Removing DNS resource record _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones of type SRV from zone exoip.local on DC01-2022 server.
What if: Removing DNS resource record _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones of type SRV from zone exoip.local on DC01-2022 server.
What if: Removing DNS resource record _ldap._tcp.DomainDnsZones of type SRV from zone exoip.local on DC01-2022 server.
What if: Removing DNS resource record ForestDnsZones of type A from zone exoip.local on DC01-2022 server.
What if: Removing DNS resource record _ldap._tcp.ForestDnsZones of type SRV from zone exoip.local on DC01-2022 server.
What if: Removing DNS resource record @ of type NS from zone TrustAnchors on DC01-2022 server.

After you verify the old DNS records of that specific AD computer object, remove the -WhatIf parameter and rerun the script.

C:\scripts\.\Remove-DNSRecords.ps1

All the DNS records are successfully deleted for that specific AD computer object from Windows Server DNS.
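The script above finds and removes the records, but it leaves no record of what it deleted and gives you no check that the clean-up was complete. The following added example (not the article's script) wraps the same matching logic in a function so that one query can write an audit file before deletion, perform the removal, and verify afterwards that nothing referencing the old server remains. It also extends the match to PTR records in reverse lookup zones (RecordData.PtrDomainName), which the article's filter does not cover. It assumes the DnsServer module, that it runs on the DNS server itself, and uses the article's values for the demoted DC01-2019; the function names and the C:\scripts audit path are this example's own choices.

```powershell
# Added example, not the article's script. Audit, remove and verify stale DNS records for one host.
# Assumes the DnsServer module and that it runs on the DNS server (a Domain Controller) itself.
Import-Module DnsServer

# Renders the type-specific RecordData as one string for the audit file (helper, this example's own).
function Get-RecordDataText {
    param($Record)
    switch ($Record.RecordType) {
        'A'     { $Record.RecordData.IPv4Address.IPAddressToString }
        'NS'    { $Record.RecordData.NameServer }
        'SRV'   { "{0} port {1}" -f $Record.RecordData.DomainName, $Record.RecordData.Port }
        'CNAME' { $Record.RecordData.HostNameAlias }
        'MX'    { $Record.RecordData.MailExchange }
        'PTR'   { $Record.RecordData.PtrDomainName }
        default { "$($Record.RecordData)" }
    }
}

# Same matching logic as the article's script, plus PTR records, returned as objects
# that keep the original record so it can be passed to Remove-DnsServerResourceRecord.
function Find-StaleDnsRecord {
    param(
        [Parameter(Mandatory)] [string]$ServerFQDN,      # keep the trailing dot
        [Parameter(Mandatory)] [string]$ServerHostname,
        [Parameter(Mandatory)] [string]$IPAddress
    )
    $Zones = Get-DnsServerZone | Where-Object { $_.ZoneType -eq "Primary" } |
        Select-Object -ExpandProperty ZoneName

    foreach ($Zone in $Zones) {
        Get-DnsServerResourceRecord -ZoneName $Zone |
            Where-Object {
                $_.RecordData.IPv4Address   -eq $IPAddress  -or
                $_.RecordData.NameServer    -eq $ServerFQDN -or
                $_.RecordData.DomainName    -eq $ServerFQDN -or
                $_.RecordData.HostnameAlias -eq $ServerFQDN -or
                $_.RecordData.MailExchange  -eq $ServerFQDN -or
                $_.RecordData.PtrDomainName -eq $ServerFQDN -or   # PTR in reverse lookup zones
                $_.HostName                 -eq $ServerHostname
            } |
            ForEach-Object {
                [pscustomobject]@{
                    Zone       = $Zone
                    HostName   = $_.HostName
                    RecordType = $_.RecordType
                    Data       = (Get-RecordDataText $_)
                    Timestamp  = $_.Timestamp   # empty means static record
                    Record     = $_             # original object, used for removal
                }
            }
    }
}

# Values from the article's example (the demoted DC01-2019).
$Target = @{
    ServerFQDN     = "dc01-2019.exoip.local."
    ServerHostname = "dc01-2019"
    IPAddress      = "192.168.1.51"
}

# 1. Audit: save what is about to be removed, with a timestamp in the file name.
$Stale = @(Find-StaleDnsRecord @Target)
$AuditFile = "C:\scripts\StaleDnsRecords-{0}.csv" -f (Get-Date -Format 'yyyyMMdd-HHmmss')
$Stale | Select-Object Zone, HostName, RecordType, Data, Timestamp |
    Export-Csv -Path $AuditFile -NoTypeInformation
"{0} record(s) written to {1}" -f $Stale.Count, $AuditFile

# 2. Remove. -WhatIf keeps this a dry run; drop it once the audit file has been reviewed.
foreach ($Item in $Stale) {
    Remove-DnsServerResourceRecord -ZoneName $Item.Zone -InputObject $Item.Record -Force -WhatIf
}

# 3. Verify: after a real run this should report that nothing remains.
$Remaining = @(Find-StaleDnsRecord @Target)
if ($Remaining.Count -eq 0) {
    "No DNS records referencing {0} remain." -f $Target.ServerHostname
} else {
    $Remaining | Select-Object Zone, HostName, RecordType, Data | Format-Table -AutoSize
}
```

For AD-integrated zones the deletion replicates to the other Domain Controllers with the next AD replication cycle, so running the verification step on a second DC immediately afterwards may still show the records for a short while; the audit CSV is the reference for what was removed and when.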

That’s it!
