Updating of DNS records in the Active Directory.
Lately, I was asked for advice about why DNS records in Active Directory were not being updated with the current IP address when PCs were reinstalled.
PC Reinstallation – DNS records not updated
The customer showed me the problem and we tried to reproduce it manually.
Why were the DNS records not updating? We tried the following steps:
Reproduction of the problem
- Installation of Windows on PC
- Joining of PC to domain
- Waiting for IP-address via DHCP
- Verification of DNS-record in AD
- Formatting of PC’s hard drive
- Installation of Windows on PC
- Joining of PC to domain
- Waiting for IP-address via DHCP
- Verification of DNS-record in AD
We could not reproduce the problem with this approach.
(Why this was the case is explained below.)
The problem results from deleting the computer object and its SID
I asked the customer to describe the imaging process to me in a little more detail. Before joining a PC to the domain, the customer checks whether a computer object with the PC's name already exists. If so, it is deleted, and a new computer object is created when the PC is joined to the domain.
The new computer object, however, also has a new SID.
The problem is that a DNS record in Active Directory may only be updated by the computer object (identified by its SID) that registered it.
This is essentially why the DNS records are not updating. The ACL of an automatically created DNS record always contains an entry like this:
In the case of our customer, however, the following happened:
After the object is deleted, its SID can no longer be resolved (picture 2). When the object is created anew, the "old" SID remains in the ACL of the DNS record and the new one is not included (picture 3).
Solution
We adapted the customer's process: existing computer objects are now only reset, not deleted.
Resetting the object resets its password and allows the next PC joined with this name to use the already existing computer object. The SID of the original object remains, the permission entry on the DNS record stays valid, and the DNS records no longer need to be fixed by hand.
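The adapted pre-join step and a check of the DNS record's ACL, as an added example that is not part of the original post or the customer's process. It assumes the RSAT ActiveDirectory module, an AD-integrated zone stored in the DomainDnsZones partition, and a join account that holds "Reset password" on the computer object; the computer name and zone name are placeholders.

```powershell
# Added example, not the original post's code. Assumes the RSAT ActiveDirectory
# module, an AD-integrated zone in DomainDnsZones, and a join account with
# "Reset password" on the computer object. Names below are placeholders.
Import-Module ActiveDirectory

$ComputerName = 'PC01'          # placeholder: name reused by the reinstalled PC
$ZoneName     = 'corp.example'  # placeholder: AD-integrated forward lookup zone

$computer = Get-ADComputer -Identity $ComputerName -ErrorAction SilentlyContinue
if ($null -eq $computer) {
    Write-Host "No existing object for $ComputerName; a normal join will create one."
} else {
    # Reset instead of delete: the object (and therefore its SID) survives, so the
    # ACE on the DNS record it registered still allows it to update that record.
    # This mirrors "Reset Account" in ADUC, which sets the password to the
    # lower-case computer name so the next join can take over the object.
    $initialPw = ConvertTo-SecureString -AsPlainText $ComputerName.ToLower() -Force
    Set-ADAccountPassword -Identity $computer.DistinguishedName -Reset -NewPassword $initialPw
    Write-Host "Reset $($computer.DistinguishedName) (SID $($computer.SID)); not deleted."
}

# Verify who may update the host's A record. A healthy record carries an ACE for
# <DOMAIN>\PC01$; an unresolvable "S-1-5-21-..." entry is the symptom described
# above: the account that registered the record has been deleted.
$domainDn = (Get-ADDomain).DistinguishedName
$recordDn = "DC=$ComputerName,DC=$ZoneName,CN=MicrosoftDNS,DC=DomainDnsZones,$domainDn"
$acl = Get-Acl -Path "AD:\$recordDn" -ErrorAction SilentlyContinue
if ($null -eq $acl) {
    Write-Host "No dnsNode object for $ComputerName found in zone $ZoneName."
} else {
    foreach ($ace in $acl.Access) {
        $id = $ace.IdentityReference.Value
        if ($id -like 'S-1-5-21-*') {
            Write-Warning "Orphaned ACE for deleted account $id on $recordDn"
        } elseif ($id -like "*\$ComputerName`$") {
            Write-Host "OK: $id may update $recordDn ($($ace.ActiveDirectoryRights))"
        }
    }
}
```

Run the ACL check against a PC that went through the old delete-and-rejoin process to see the orphaned SID entry the pictures above show.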
Why the problem could not be reproduced
Attention! The reason we could not reproduce the problem at first was that we used a Domain Admin account for the domain join. Domain Admins automatically have permission to reuse an existing computer account for a domain join without resetting it first. That is why you should always use a service account with the minimum necessary permissions for domain joins.