One other thing I can think of.
When you are installing the FW component, it is going to install and hook in a teefer3 (I believe in SEP 12.1) driver into the NIC.
* * * *
The Teefer driver is responsible for capturing all network traffic entering or leaving a particular interface ( via the associated miniport driver ), so that the packets may be passed to the personal firewall component of the SEP client for analysis.
* * * *
This could be causing the server to call the DNS server and gracefully request the DNS records be removed from the DNS server as the "adapter" itself has technically changed.
After installing SEP on your servers, are you performing the reboot?
After the reboot occurs, it should re-register the DNS entry on the DNS server.
Is this what is happening? Reboot - no re-register? Or no reboot?
The interesting thing here is the IPCONFIG /REGISTERDNS is recreating the DNS record.
Hope that helps.