Domain Name System (DNS)

Best Practices

DNS Configuration in a Windows Domain Environment

Domain Controller NIC Configuration

  • Domain Controllers should have only one active network interface unless they are part of a properly configured team. All other interfaces should be in a disabled state.
  • The active interface should have only a single IP address assigned.
  • In a single Domain Controller environment the preferred DNS server IP address should be set to its own IP address; no secondary or tertiary DNS servers should be assigned. 127.0.0.1 is acceptable as the primary server IP address.
  • When additional domain controllers are present, the preferred DNS server should be the IP address of a different domain controller for the domain. The secondary DNS server should be the IP address of the domain controller you are configuring. Tertiary DNS IP addresses can be added but are generally not necessary and should only be IP addresses of other domain controllers.
  • IPv6 should remain enabled. It is against Microsoft best practices to disable IPv6 on a domain controller. IPv6 configuration is beyond the scope of this document but generally the default configuration is acceptable.

DNS Server Properties

  • All settings should remain default unless specified below.
  • Forwarders should be set to a public DNS server IP address. Typically these are set to your ISP’s DNS server IP addresses. OpenDNS name servers would be another acceptable forwarder. Avoid unfamiliar DNS servers susceptible to DNS cache poisoning attacks.
  • Ensure automatic scavenging is enabled. The default of 7 days is generally sufficient.

DNS Reverse Lookup Zones

Reverse DNS zones (sometimes referred to as an inverse address lookup or in-addr.arpa zone) provide lookup information to devices trying to obtain the DNS name of a machine from a corresponding IP address. Just like forward lookup zones provide hostname to IP address mapping, reverse DNS zones provide IP address to hostname mapping.

  • Reverse DNS zones may need to be manually created. A reverse zone should be created for every IP subnet that contains devices. A wizard is provided to assist in the creation of the reverse lookup zone.
  • Verify scavenging is enabled on each reverse lookup zone. Seven days is the default interval and is acceptable in most scenarios.
  • Any non-Windows devices that have static IP addresses assigned should have reverse DNS records created in their respective reverse DNS zone. For example, if you assign the IP address 192.168.0.10 to a printer named printer1 in the domain.local domain, you will need to go into the 0.168.192.in-addr.arpa zone and create a PTR record configured with the IP address of 192.168.0.10 and the hostname printer1.domain.local.
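The following PowerShell script is an added example, not part of the original document or the Collabrance catalog: it audits a domain controller's NIC and DNS client settings against the rules in the "Domain Controller NIC Configuration" section, then creates the 0.168.192.in-addr.arpa zone and the printer1 PTR record from the example above, with aging enabled so the 7-day scavenging applies. It assumes the DnsServer, DnsClient, NetAdapter and ActiveDirectory modules are available and that it is run elevated on the domain controller itself; the function names are the example's own.

```powershell
# Added example, not from the original document. Run elevated on the DC.
# Assumes the DnsServer, DnsClient, NetAdapter and ActiveDirectory modules.
Import-Module DnsServer, DnsClient, NetAdapter, ActiveDirectory

function Test-DcDnsClientConfig {
    $findings = @()
    $up = @(Get-NetAdapter | Where-Object Status -eq 'Up')              # rule: one active NIC
    if ($up.Count -ne 1) { $findings += "Expected 1 active NIC, found $($up.Count)" }
    if ($up.Count -eq 0) { return $findings }
    $nic  = $up[0]
    $ips  = @((Get-NetIPAddress -InterfaceIndex $nic.InterfaceIndex -AddressFamily IPv4 |
               Where-Object PrefixOrigin -ne 'WellKnown').IPAddress)    # ignore APIPA/loopback
    if ($ips.Count -ne 1) { $findings += "Expected 1 IPv4 address, found: $($ips -join ', ')" }
    $self = $ips[0]
    $dns  = @((Get-DnsClientServerAddress -InterfaceIndex $nic.InterfaceIndex -AddressFamily IPv4).ServerAddresses)
    $otherDcs = @((Get-ADDomainController -Filter *).IPv4Address | Where-Object { $_ -ne $self })
    if ($otherDcs.Count -eq 0) {
        # Single-DC environment: preferred server is itself (or 127.0.0.1) and nothing else.
        if ($dns.Count -ne 1 -or $dns[0] -notin @($self, '127.0.0.1')) {
            $findings += "Single DC: preferred DNS should be $self only, found: $($dns -join ', ')"
        }
    } else {
        # Multi-DC environment: preferred = another DC, secondary = this DC, nothing outside the DC set.
        if ($dns.Count -lt 1 -or $dns[0] -notin $otherDcs) { $findings += "Preferred DNS should be another DC, found: $($dns -join ', ')" }
        if ($dns.Count -lt 2 -or $dns[1] -ne $self)       { $findings += "Secondary DNS should be this DC ($self), found: $($dns -join ', ')" }
        $unknown = $dns | Where-Object { $_ -notin $otherDcs -and $_ -ne $self -and $_ -ne '127.0.0.1' }
        if ($unknown) { $findings += "Non-DC DNS servers configured: $($unknown -join ', ')" }
    }
    # IPv6 must stay bound to the active adapter.
    $v6 = Get-NetAdapterBinding -Name $nic.Name -ComponentID ms_tcpip6
    if (-not $v6.Enabled) { $findings += "IPv6 is disabled on $($nic.Name)" }
    return $findings
}

function Add-ReverseZoneWithPtr {
    param([string]$NetworkId, [string]$HostIp, [string]$Fqdn)   # /24 networks only in this example
    $octets = ($NetworkId -split '/')[0] -split '\.'
    $zone   = "$($octets[2]).$($octets[1]).$($octets[0]).in-addr.arpa"   # e.g. 0.168.192.in-addr.arpa
    if (-not (Get-DnsServerZone -Name $zone -ErrorAction SilentlyContinue)) {
        Add-DnsServerPrimaryZone -NetworkId $NetworkId -ReplicationScope Domain -DynamicUpdate Secure
    }
    # Aging on the zone so scavenging removes stale dynamic PTRs; the static record below is not aged.
    Set-DnsServerZoneAging -Name $zone -Aging $true -RefreshInterval ([TimeSpan]'7.00:00:00') -NoRefreshInterval ([TimeSpan]'7.00:00:00')
    # The PTR name is the host part of the address (last octet for a /24).
    Add-DnsServerResourceRecordPtr -ZoneName $zone -Name ($HostIp -split '\.')[-1] -PtrDomainName $Fqdn
}

Test-DcDnsClientConfig | ForEach-Object { Write-Warning $_ }
Add-ReverseZoneWithPtr -NetworkId '192.168.0.0/24' -HostIp '192.168.0.10' -Fqdn 'printer1.domain.local'
```

Each warning printed by Test-DcDnsClientConfig names the rule that was violated and the value actually found; a clean run prints nothing before the zone and PTR are created.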

DHCP Configuration for DNS

If properly set up, DHCP will work with DNS to manage name registration, deletions and updates. DNS options are available at both the server level and at the scope level. Both should be set for proper configuration.

Scope and Server Properties:

** Disclaimer: Service Providers must comply with identified Collabrance Requirements in order for items referenced in our Service Catalog to perform properly. **