Hi folks, Ned here again. We’ve released another wave of Best Practices Analyzer rules for Windows Server 2008 / R2, and if you care about Directory Services you care about these:
AD DS rules update
Info: Update for the AD DS Best Practices Analyzer rules in Windows Server 2008 R2
Download: Rules Update for Active Directory Domain Services Best Practice Analyzer for Windows Server 2008 R2 x64 Editions (KB980360)
This BPA update for Active Directory Domain Services includes seven rule changes and updates, some of which are well known but a few that are not.
DNS Analyzer 2.0
Operation Info: Best Practices Analyzer for Domain Name System – Ops
Configuration info: Best Practices Analyzer for Domain Name System - Config
Download: Microsoft DNS (Domain Name System) Model for Microsoft Baseline Configuration Analyzer 2.0
Remember when – a few weeks back – I wrote about recommended DNS configuration and I promised more info? Well here it is, in all its glory. Despite what you might have heard, misheard, remembered, or argued about, this is the official recommended list, written by the Product Group and appended/vetted/munged by Support. Which includes:
- DNS: DNS servers on <adapter name> should include their own IP addresses on their interface lists of DNS servers
- DNS: IP addresses that belong to a valid range must be configured on <adapter name>
- DNS: <Adapter name> must have configured DNS servers
- DNS: Network interfaces on <adapter name> must be configured with DNS servers that belong to a valid IP address range
- DNS: <Adapter name> should be configured to use both a preferred and an alternate DNS server
- DNS: <Adapter name> should have static IPv4 settings
- DNS: IP addresses must be configured on <adapter name>
- DNS: Valid network interfaces should precede invalid interfaces in the binding order
- DNS: DNS servers on <adapter name> should include the loopback address, but not as the first entry
- DNS: If the Global Query Block List is enabled, then it should not be empty
- DNS: Cache locking should be configured to 90% or greater
- DNS: The forwarding timeout value should be 2 to 10 seconds
- DNS: The Hosts file <file name> on the DNS server should be empty
- DNS: Interface <adapter name> on the DNS server should be configured to register its IP addresses in DNS
- DNS: The DNS server must have root hints or forwarders configured
- DNS: The scavenging interval <interval value> is within the recommended range
- DNS: The DNS server should have scavenging enabled
- DNS: The scavenging interval <interval value> is not set to a recommended value
- DNS: Zone <zone name> has scavenging enabled with recommended parameters
- DNS: Zone <zone name> has record aging disabled, so scavenging will not occur
- DNS: Zone <zone name> scavenging server list should not be empty
- DNS: Zone <zone name> scavenging parameters should be set to default values
- DNS: The socket pool should be enabled with recommended settings
- DNS: The recursion timeout must be greater than the forwarding timeout
- DNS: Forwarding server <IP address> should respond to DNS queries
- DNS: At least one DNS server on the list of forwarders must respond to DNS queries
- DNS: The list of forwarding servers must not contain the link-local IP address <IP address>
- DNS: The list of forwarding servers must not contain the loopback address <IP address>
- DNS: More than one forwarding server should be configured
- DNS: Zone <zone name> master server list must not be empty
- DNS: Zone <zone name> update notification list must not be empty
- DNS: Zone <zone name> secondary servers list should not be empty
- DNS: Zone <zone name> should be present on the secondary server <IP address> configured to receive zone update notifications
- DNS: Zone <zone name> scavenging servers should host the zone
- DNS: The list of root hints must not contain the link-local IP address <IP address>
- DNS: The list of root hints must not contain the host IP address or loopback address <IP address>
- DNS: The list of root hints should contain more than one entry
- DNS: Zone <zone name> is Active Directory integrated and should be present and configured as primary
- DNS: Zone <zone name> is an Active Directory integrated DNS Zone and must be available
- DNS: Zone <zone name> is an Active Directory integrated DNS zone and must be configured as primary
- DNS: Zone <zone name> transfers from the primary to the secondary DNS server must be successful
- DNS: The DNS server <IP address> on <adapter name> must be able to resolve names in the forest root domain name zone
- DNS: The DNS server <IP address> on <adapter name> must be able to resolve names in the primary DNS domain zone
- DNS: The DNS server <IP address> on <adapter name> must resolve Global Catalog resource records for the domain controller
- DNS: The DNS server <IP address> on <adapter name> must resolve Kerberos resource records for the domain controller
- DNS: The DNS server <IP address> on <adapter name> must resolve LDAP resource records for the domain controller
- DNS: The DNS server <IP address> on <adapter name> must resolve PDC RRs for the domain controller
- DNS: The DNS server <IP address> on <adapter name> must resolve the name of this computer
- DNS: DNS servers assigned to the network adapter should respond consistently
- DNS: Zone <zone name> master servers must respond to queries for the zone
- DNS: Zone <zone name> secondary servers must respond to queries for the zone
- DNS: Zone <zone name> master server <IP address> must respond to queries for the zone
- DNS: Zone <zone name> secondary server <IP address> should respond to queries for the zone
- DNS: Root hint server <IP address> must respond to NS queries for the root zone
- DNS: At least one name server in the list of root hints must respond to queries for the root zone
- DNS: The DNS server configured on the adapter <adapter name> should resolve the name of this computer
- DNS: Zone <zone name> is an Active Directory integrated DNS zone and must be running
Awww yeaaaahhh… just memorize that and you’ll win any "Microsoft recommended DNS" bar bets you can imagine. That’s the cool thing about this ongoing BPA project: not only do you get a tool that will check your work in later OS versions, but the valid documentation gets centralized.
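As an added example that is not part of Ned's post or of the BPA tool itself: the PowerShell below encodes a subset of the rules listed above as checks against a constructed configuration object, so the rule logic can be read and exercised without a domain controller. The adapter name, addresses, forwarders, root hints and timer values are all made up, and which address ranges count as "valid" is my approximation of the rule text, not the BPA's own definition.

```powershell
# Added example (not from the post or the BPA tool): evaluate a handful of the
# DNS BPA rules against a constructed configuration so the checks run offline.

function Test-IsLoopback {
    param([string]$Ip)
    ($Ip -eq '::1') -or ($Ip -like '127.*')
}

function Test-IsLinkLocal {
    param([string]$Ip)
    ($Ip -like '169.254.*') -or ($Ip -imatch '^fe[89ab][0-9a-f]:')
}

function Test-IsValidRange {
    param([string]$Ip)
    # Assumption: "valid range" means not unspecified, link-local or multicast.
    # Loopback is allowed on the adapter list (just not first), so it is not rejected here.
    if ($Ip -eq '0.0.0.0' -or $Ip -eq '::') { return $false }
    if (Test-IsLinkLocal $Ip) { return $false }
    if ($Ip -like '22[4-9].*' -or $Ip -like '23[0-9].*' -or $Ip -imatch '^ff') { return $false }
    return $true
}

function New-RuleResult {
    param([string]$Rule, [bool]$Pass)
    New-Object PSObject -Property @{ Rule = $Rule; Result = $(if ($Pass) { 'Pass' } else { 'FAIL' }) }
}

function Test-DnsBpaRules {
    param([hashtable]$Cfg)
    $name    = $Cfg.AdapterName
    $servers = @($Cfg.DnsServers)
    $fwd     = @($Cfg.Forwarders)
    $hints   = @($Cfg.RootHints)
    $r = @()

    # Adapter DNS client settings
    $r += New-RuleResult "<$name> must have configured DNS servers" ($servers.Count -ge 1)
    $r += New-RuleResult "<$name> should use both a preferred and an alternate DNS server" ($servers.Count -ge 2)
    $allValid = $true
    foreach ($s in $servers) { if (-not (Test-IsValidRange $s)) { $allValid = $false } }
    $r += New-RuleResult "DNS servers on <$name> must belong to a valid IP address range" $allValid
    $ownListed = $false
    foreach ($s in $servers) { if ($Cfg.OwnIPs -contains $s) { $ownListed = $true } }
    $r += New-RuleResult "DNS servers on <$name> should include their own IP address" $ownListed
    $loopFirst = ($servers.Count -gt 0) -and (Test-IsLoopback $servers[0])
    $r += New-RuleResult "Loopback on <$name> may be listed, but not as the first entry" (-not $loopFirst)

    # Forwarders
    $badFwd = $false
    foreach ($f in $fwd) { if ((Test-IsLinkLocal $f) -or (Test-IsLoopback $f)) { $badFwd = $true } }
    $r += New-RuleResult "Forwarders must not contain link-local or loopback addresses" (-not $badFwd)
    $r += New-RuleResult "More than one forwarding server should be configured" ($fwd.Count -gt 1)

    # Root hints
    $badHint = $false
    foreach ($h in $hints) {
        if ((Test-IsLinkLocal $h) -or (Test-IsLoopback $h) -or ($Cfg.OwnIPs -contains $h)) { $badHint = $true }
    }
    $r += New-RuleResult "Root hints must not contain link-local, loopback or this host's address" (-not $badHint)
    $r += New-RuleResult "Root hints should contain more than one entry" ($hints.Count -gt 1)
    $r += New-RuleResult "Server must have root hints or forwarders configured" (($hints.Count + $fwd.Count) -ge 1)

    # Timers and cache hardening
    $r += New-RuleResult "Cache locking should be 90% or greater" ($Cfg.CacheLockingPercent -ge 90)
    $r += New-RuleResult "Forwarding timeout should be 2 to 10 seconds" (($Cfg.ForwardingTimeout -ge 2) -and ($Cfg.ForwardingTimeout -le 10))
    $r += New-RuleResult "Recursion timeout must be greater than forwarding timeout" ($Cfg.RecursionTimeout -gt $Cfg.ForwardingTimeout)
    return $r
}

# Constructed sample: loopback listed first and own IP missing from the adapter list,
# and only one forwarder, so three of the checks should report FAIL.
$sample = @{
    AdapterName         = 'Local Area Connection'
    OwnIPs              = @('10.0.0.5')
    DnsServers          = @('127.0.0.1', '10.0.0.6')
    Forwarders          = @('192.0.2.53')
    RootHints           = @('198.51.100.1', '198.51.100.2')
    CacheLockingPercent = 100
    ForwardingTimeout   = 3
    RecursionTimeout    = 8
}
Test-DnsBpaRules $sample | Format-Table Rule, Result -AutoSize
```

To run this against a real 2008 R2 DNS server, replace the sample hashtable with values read from Win32_NetworkAdapterConfiguration (IPAddress, DNSServerSearchOrder), the MicrosoftDNS_Server class in the root\MicrosoftDNS WMI namespace (Forwarders, ForwardingTimeout, RecursionTimeout), and the CacheLockingPercent value under HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters. The BPA itself remains the authoritative check; this script only makes the listed rules concrete.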
- Ned “Arren hates cowboys” Pyle