- Domain Controller is an Azure IAS VM.
- The DNS zone for the domain has dynamic updates set to 'Nonsecure & Secure'.
The chain of events:
- Because the Domain Controller is in Azure, it cannot have a genuinely static IP address within the OS. You have to set the Azure NIC settings to a 'Static IP,' which is actually under the covers' a DHCP reservation within the Azure DHCP system. In any case, the OS believes it has a dynamic address because that what the NIC tells it. That is why you have to click past the warnings about dynamic IPs when the server was promoted.
- Since the OS believes its IP is dynamic, the glue record it creates is also dynamic because it thinks it may have to change the value if the NIC gets a new address.
- Assuming that DNS scavenging is enabled
- Because the zones set to 'Nonsecure & Secure,' the DHCP server is responsible for the renewal of the server's DNS record when it's DHCP lease is 50% expired.
- Azure DHCP leases are hardcoded at 136 years, the default scavenging period is 7 days.
Of course, this issue is not just a problem for Domain Controllers it will affect all member servers that are IAS VM's in a DNS zone that allows nonsecure dynamic updates.
Get those DNS zones set to Secure!