AD allows its clients to refresh their DNS records automatically. AD also actively maintains DNS records to make sure they are updated, including timing out (aging) and removing (scavenging) inactive records. DNS scavenging is not enabled by default on the AD side.
SSSD allows the Linux system to imitate a Windows client by refreshing its DNS record, which also prevents its record from being marked inactive and removed from the DNS record. When dynamic DNS updates are enabled, the client's DNS record is refreshed:
when the identity provider comes online (always)
when the Linux system reboots (always)
at a specified interval (optional configuration); by default, the AD provider updates the DNS record every 24 hours
You can set this behavior to the same interval as the DHCP lease. In this case, the Linux client is renewed after the lease is renewed.
DNS updates are sent to the AD server using Kerberos/GSSAPI for DNS (GSS-TSIG). This means that only secure connections need to be enabled.
The dynamic DNS configuration is set for each domain. For example:
id_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = ad
ldap_schema = ad
dyndns_update = true
dyndns_refresh_interval = 43200
dyndns_update_ptr = true
dyndns_ttl = 3600
For details on these options, see the sssd-ad(5) man page.