Wednesday, February 5, 2020

Azure Domain Controller Glue Record Gets Deleted

This is somewhat of a corner case, but if it happened to us then it could happen to others. I also regard this as a bug. Losing a Domain Controller's glue record can have a profoundly negative impact on the functionality of an Active Directory Domain. This is a scenario where this will happen.
  1. The Domain Controller is an Azure IaaS VM.
  2. The DNS zone for the domain has dynamic updates set to 'Nonsecure & Secure'.
The chain of events:
  1. Because the Domain Controller is in Azure, it cannot have a genuinely static IP address within the OS. You have to set the Azure NIC settings to a 'Static IP', which under the covers is actually a DHCP reservation within the Azure DHCP system. In any case, the OS believes it has a dynamic address because that is what the NIC tells it. That is why you have to click past the warnings about dynamic IPs when the server is promoted.
  2. Since the OS believes its IP is dynamic, the glue record it creates is also dynamic (timestamped, and therefore subject to aging), because it thinks it may have to change the value if the NIC gets a new address.
  3. Assume that DNS scavenging is enabled.
  4. Because the zone is set to 'Nonsecure & Secure', the DHCP server is responsible for the renewal of the server's DNS record when its DHCP lease is 50% expired.
  5. Azure DHCP leases are hardcoded at 136 years, while the default scavenging period is 7 days. The record's timestamp is never refreshed, so scavenging deletes it.
Of course, this issue is not just a problem for Domain Controllers; it will affect all member servers that are IaaS VMs in a DNS zone that allows nonsecure dynamic updates.

Get those DNS zones set to Secure!
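An audit script, added here as an example and not part of the original post, that checks a domain zone for the combination described above (nonsecure updates allowed, scavenging enabled, DC host records that carry an aging timestamp) and optionally switches the zone to secure updates. It assumes the DnsServer and ActiveDirectory RSAT modules are present and that it runs against a DC hosting the zone.

```powershell
# Audit the conditions that let a DC glue record be scavenged (example, not the post's code).
# Assumptions: DnsServer + ActiveDirectory modules installed, run on/against a DC DNS server.
Import-Module DnsServer, ActiveDirectory

$ApplyFix  = $false                     # set to $true to switch the zone to Secure updates
$DnsServer = $env:COMPUTERNAME          # DNS server to query
$Domain    = (Get-ADDomain).DNSRoot     # e.g. corp.example.com
$DcNames   = (Get-ADDomainController -Filter *).Name   # short host names of all DCs

# Condition 1: does the zone accept nonsecure dynamic updates?
$zone = Get-DnsServerZone -Name $Domain -ComputerName $DnsServer
$zoneNonsecure = ($zone.DynamicUpdate -eq 'NonsecureAndSecure')

# Condition 2: is scavenging switched on at the server level?
$scav = Get-DnsServerScavenging -ComputerName $DnsServer
$scavengingOn = [bool]$scav.ScavengingState

# Condition 3: which DC host (A) records are dynamic? Static records have no Timestamp.
$agingDcRecords = Get-DnsServerResourceRecord -ZoneName $Domain -RRType A -ComputerName $DnsServer |
    Where-Object { ($DcNames -contains $_.HostName) -and $_.Timestamp } |
    Select-Object HostName,
        @{ Name = 'IPv4';      Expression = { $_.RecordData.IPv4Address } },
        @{ Name = 'Timestamp'; Expression = { $_.Timestamp } }

"Zone {0}: DynamicUpdate={1}  ScavengingState={2}  ScavengingInterval={3}" -f `
    $Domain, $zone.DynamicUpdate, $scav.ScavengingState, $scav.ScavengingInterval

if ($agingDcRecords) {
    "DC host records that are dynamic (will age and can be scavenged):"
    $agingDcRecords | Format-Table -AutoSize
}

if ($zoneNonsecure -and $scavengingOn -and $agingDcRecords) {
    Write-Warning "All three conditions present: DC glue records in $Domain are at risk of deletion."
}

# Remediation recommended by the post: require secure dynamic updates on the zone.
if ($zoneNonsecure) {
    if ($ApplyFix) {
        Set-DnsServerPrimaryZone -Name $Domain -DynamicUpdate Secure -ComputerName $DnsServer
        "Zone $Domain switched to Secure dynamic updates."
    } else {
        "Fix (dry run): Set-DnsServerPrimaryZone -Name $Domain -DynamicUpdate Secure"
    }
}
```

With the zone on secure updates only, the DC itself (not the Azure DHCP service) refreshes its own record, so the timestamp keeps moving and scavenging leaves it alone.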


