New DNS and AD DS BPAs released (or: the most accurate list of DNS recommendations you will ever find from Microsoft)
Hi folks, Ned here again. We’ve released another wave of Best Practices Analyzer rules for Windows Server 2008 / R2, and if you care about Directory Services you care about these:
AD DS rules update
Info: Update for the AD DS Best Practices Analyzer rules in Windows Server 2008 R2
Download: Rules Update for Active Directory Domain Services Best Practice Analyzer for Windows Server 2008 R2 x64 Editions (KB980360)
This BPA update for Active Directory Domain Services includes seven rule changes and additions, some of which are well known but a few of which are not.
DNS Analyzer 2.0
Operation Info: Best Practices Analyzer for Domain Name System – Ops
Configuration info: Best Practices Analyzer for Domain Name System - Config
Download: Microsoft DNS (Domain Name System) Model for Microsoft Baseline Configuration Analyzer 2.0
Remember when – a few weeks back – I wrote about recommended DNS configuration and I promised more info? Well here it is, in all its glory. Despite what you might have heard, misheard, remembered, or argued about, this is the official recommended list, written by the Product Group and appended/vetted/munged by Support. Which includes:
- DNS: DNS servers on <adapter name> should include their own IP addresses on their interface lists of DNS servers
- DNS: IP addresses that belong to a valid range must be configured on <adapter name>
- DNS: <Adapter name> must have configured DNS servers
- DNS: Network interfaces on <adapter name> must be configured with DNS servers that belong to a valid IP address range
- DNS: <Adapter name> should be configured to use both a preferred and an alternate DNS server
- DNS: <Adapter name> should have static IPv4 settings
- DNS: IP addresses must be configured on <adapter name>
- DNS: Valid network interfaces should precede invalid interfaces in the binding order
- DNS: DNS servers on <adapter name> should include the loopback address, but not as the first entry
- DNS: If the Global Query Block List is enabled, then it should not be empty
- DNS: Cache locking should be configured to 90% or greater
- DNS: The forwarding timeout value should be 2 to 10 seconds
- DNS: The Hosts file <file name> on the DNS server should be empty
- DNS: Interface <adapter name> on the DNS server should be configured to register its IP addresses in DNS
- DNS: The DNS server must have root hints or forwarders configured
- DNS: The scavenging interval <interval value> is within the recommended range
- DNS: The DNS server should have scavenging enabled
- DNS: The scavenging interval <interval value> is not set to a recommended value
- DNS: Zone <zone name> has scavenging enabled with recommended parameters
- DNS: Zone <zone name> has record aging disabled, so scavenging will not occur
- DNS: Zone <zone name> scavenging server list should not be empty
- DNS: Zone <zone name> scavenging parameters should be set to default values
- DNS: The socket pool should be enabled with recommended settings
- DNS: The recursion timeout must be greater than the forwarding timeout
- DNS: Forwarding server <IP address> should respond to DNS queries
- DNS: At least one DNS server on the list of forwarders must respond to DNS queries
- DNS: The list of forwarding servers must not contain the link-local IP address <IP address>
- DNS: The list of forwarding servers must not contain the loopback address <IP address>
- DNS: More than one forwarding server should be configured
- DNS: Zone <zone name> master server list must not be empty
- DNS: Zone <zone name> update notification list must not be empty
- DNS: Zone <zone name> secondary servers list should not be empty
- DNS: Zone <zone name> should be present on the secondary server <IP address> configured to receive zone update notifications
- DNS: Zone <zone name> scavenging servers should host the zone
- DNS: The list of root hints must not contain the link-local IP address <IP address>
- DNS: The list of root hints must not contain the host IP address or loopback address <IP address>
- DNS: The list of root hints should contain more than one entry
- DNS: Zone <zone name> is Active Directory integrated and should be present and configured as primary
- DNS: Zone <zone name> is an Active Directory integrated DNS Zone and must be available
- DNS: Zone <zone name> is an Active Directory integrated DNS zone and must be configured as primary
- DNS: Zone <zone name> transfers from the primary to the secondary DNS server must be successful
- DNS: The DNS server <IP address> on <adapter name> must be able to resolve names in the forest root domain name zone
- DNS: The DNS server <IP address> on <adapter name> must be able to resolve names in the primary DNS domain zone
- DNS: The DNS server <IP address> on <adapter name> must resolve Global Catalog resource records for the domain controller
- DNS: The DNS server <IP address> on <adapter name> must resolve Kerberos resource records for the domain controller
- DNS: The DNS server <IP address> on <adapter name> must resolve LDAP resource records for the domain controller
- DNS: The DNS server <IP address> on <adapter name> must resolve PDC RRs for the domain controller
- DNS: The DNS server <IP address> on <adapter name> must resolve the name of this computer
- DNS: DNS servers assigned to the network adapter should respond consistently
- DNS: Zone <zone name> master servers must respond to queries for the zone
- DNS: Zone <zone name> secondary servers must respond to queries for the zone
- DNS: Zone <zone name> master server <IP address> must respond to queries for the zone
- DNS: Zone <zone name> secondary server <IP address> should respond to queries for the zone
- DNS: Root hint server <IP address> must respond to NS queries for the root zone
- DNS: At least one name server in the list of root hints must respond to queries for the root zone
- DNS: The DNS server configured on the adapter <adapter name> should resolve the name of this computer
- DNS: Zone <zone name> is an Active Directory integrated DNS zone and must be running
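As an added example, not part of the original post and not the BPA's own code, the following PowerShell re-checks a subset of the rules above on a Windows DNS server. It assumes the DnsServer, DnsClient and NetTCPIP modules of Windows Server 2012 and later (on 2008 R2, which this post targets, the same values come from dnscmd /Info), and that the hosts-file and adapter checks run on the DNS server itself. Numeric thresholds the post does not state (socket pool size 2500, scavenging interval of 1 to 7 days) are this script's assumptions and are marked as such in the code.

```powershell
# Added example (not from the post or from the BPA rule set): re-checks a subset of
# the DNS BPA rules. Assumes the DnsServer/DnsClient/NetTCPIP modules (Server 2012+;
# on 2008 R2 use dnscmd /Info instead) and, for hosts-file and adapter checks, that
# the script runs on the DNS server itself. Thresholds the post does not state are
# marked "assumed" below. Severity follows the rule text: "must" = Error, "should" = Warning.
#Requires -Modules DnsServer, DnsClient, NetTCPIP
function Test-DnsBpaSubset {
    [CmdletBinding()]
    param([string]$ComputerName = $env:COMPUTERNAME)

    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding([string]$Rule, [string]$Severity, [string]$Detail) {
        $findings.Add([pscustomobject]@{ Rule = $Rule; Severity = $Severity; Detail = $Detail })
    }
    function Test-BadTarget([string]$Ip) {
        # Loopback and link-local addresses are never valid forwarder or root hint targets.
        $addr = [System.Net.IPAddress]::Parse($Ip)
        $b = $addr.GetAddressBytes()
        [System.Net.IPAddress]::IsLoopback($addr) -or $addr.IsIPv6LinkLocal -or
            ($addr.AddressFamily -eq 'InterNetwork' -and $b[0] -eq 169 -and $b[1] -eq 254)
    }
    $hostIps = @([System.Net.Dns]::GetHostAddresses($ComputerName) | ForEach-Object IPAddressToString)

    # Cache locking, forwarding/recursion timers, socket pool
    $cache = Get-DnsServerCache -ComputerName $ComputerName
    if ($cache.LockingPercent -lt 90) {
        Add-Finding 'Cache locking should be configured to 90% or greater' 'Warning' "LockingPercent=$($cache.LockingPercent)"
    }
    $fwd = Get-DnsServerForwarder -ComputerName $ComputerName
    $rec = Get-DnsServerRecursion -ComputerName $ComputerName
    if ($fwd.Timeout -lt 2 -or $fwd.Timeout -gt 10) {
        Add-Finding 'The forwarding timeout value should be 2 to 10 seconds' 'Warning' "Timeout=$($fwd.Timeout)s"
    }
    if ($rec.Timeout -le $fwd.Timeout) {
        Add-Finding 'The recursion timeout must be greater than the forwarding timeout' 'Error' "Recursion=$($rec.Timeout)s Forwarding=$($fwd.Timeout)s"
    }
    $settings = Get-DnsServerSetting -ComputerName $ComputerName -All
    if ($settings.SocketPoolSize -lt 2500) {   # 2500 is the shipped default; threshold assumed, not from the post
        Add-Finding 'The socket pool should be enabled with recommended settings' 'Warning' "SocketPoolSize=$($settings.SocketPoolSize)"
    }

    # Forwarders and root hints
    $fwdIps  = @($fwd.IPAddress | ForEach-Object IPAddressToString)
    $hints   = @(Get-DnsServerRootHint -ComputerName $ComputerName -ErrorAction SilentlyContinue)
    $hintIps = @(foreach ($h in $hints) { foreach ($rr in $h.IPAddress) {
        if ($rr.RecordType -eq 'A') { $rr.RecordData.IPv4Address.IPAddressToString } else { $rr.RecordData.IPv6Address.IPAddressToString } } })
    if (-not $fwdIps -and -not $hints) { Add-Finding 'The DNS server must have root hints or forwarders configured' 'Error' 'neither present' }
    if ($fwdIps.Count -eq 1) { Add-Finding 'More than one forwarding server should be configured' 'Warning' $fwdIps[0] }
    if ($hints.Count -eq 1)  { Add-Finding 'The list of root hints should contain more than one entry' 'Warning' ($hintIps -join ',') }
    foreach ($ip in $fwdIps | Where-Object { Test-BadTarget $_ }) {
        Add-Finding "The list of forwarding servers must not contain the loopback or link-local address $ip" 'Error' $ip
    }
    foreach ($ip in $hintIps | Where-Object { (Test-BadTarget $_) -or ($hostIps -contains $_) }) {
        Add-Finding "The list of root hints must not contain the host, loopback or link-local address $ip" 'Error' $ip
    }

    # Global query block list and scavenging
    $gqbl = Get-DnsServerGlobalQueryBlockList -ComputerName $ComputerName
    if ($gqbl.Enable -and -not $gqbl.List) { Add-Finding 'If the Global Query Block List is enabled, then it should not be empty' 'Warning' 'list empty' }
    $scav = Get-DnsServerScavenging -ComputerName $ComputerName
    if (-not $scav.ScavengingState) {
        Add-Finding 'The DNS server should have scavenging enabled' 'Warning' 'ScavengingState=False'
    } elseif ($scav.ScavengingInterval -lt [TimeSpan]::FromDays(1) -or $scav.ScavengingInterval -gt [TimeSpan]::FromDays(7)) {
        # 1..7 days is assumed here; the post names no range
        Add-Finding "The scavenging interval $($scav.ScavengingInterval) is not set to a recommended value" 'Warning' 'assumed range 1-7 days'
    }
    $zones = Get-DnsServerZone -ComputerName $ComputerName | Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated -and -not $_.IsReverseLookupZone }
    foreach ($z in $zones) {
        $aging = Get-DnsServerZoneAging -Name $z.ZoneName -ComputerName $ComputerName
        if (-not $aging.AgingEnabled) {
            Add-Finding "Zone $($z.ZoneName) has record aging disabled, so scavenging will not occur" 'Warning' 'AgingEnabled=False'
        } elseif (-not $aging.ScavengeServers) {
            Add-Finding "Zone $($z.ZoneName) scavenging server list should not be empty" 'Warning' 'ScavengeServers empty'
        }
    }

    # Local-only checks: hosts file and adapter DNS client settings
    if ($ComputerName -eq $env:COMPUTERNAME) {
        $hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
        $active = @(Get-Content $hostsPath -ErrorAction SilentlyContinue | Where-Object { $_.Trim() -and -not $_.TrimStart().StartsWith('#') })
        if ($active) { Add-Finding "The Hosts file $hostsPath on the DNS server should be empty" 'Warning' "$($active.Count) active entries" }
        foreach ($nic in Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object { $_.ServerAddresses }) {
            $srv = @($nic.ServerAddresses)
            if ($srv.Count -lt 2) { Add-Finding "$($nic.InterfaceAlias) should be configured to use both a preferred and an alternate DNS server" 'Warning' ($srv -join ',') }
            if ($srv[0] -eq '127.0.0.1') {
                Add-Finding "DNS servers on $($nic.InterfaceAlias) should include the loopback address, but not as the first entry" 'Warning' ($srv -join ',')
            } elseif (-not ($srv | Where-Object { $_ -eq '127.0.0.1' -or $hostIps -contains $_ })) {
                Add-Finding "DNS servers on $($nic.InterfaceAlias) should include their own IP addresses on their interface lists of DNS servers" 'Warning' ($srv -join ',')
            }
            if (Get-NetIPAddress -InterfaceAlias $nic.InterfaceAlias -AddressFamily IPv4 -PrefixOrigin Dhcp -ErrorAction SilentlyContinue) {
                Add-Finding "$($nic.InterfaceAlias) should have static IPv4 settings" 'Warning' 'PrefixOrigin=Dhcp'
            }
        }
    }
    return $findings
}

Test-DnsBpaSubset | Format-Table -AutoSize
```

Run it elevated on the DNS server; an empty table means every rule the script covers passed. It deliberately does not replace the BPA's resolution checks (the "must resolve ... resource records" rules), which need live queries against each configured server rather than a configuration read.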
Awww yeaaaahhh… just memorize that and you’ll win any "Microsoft recommended DNS" bar bets you can imagine. That’s the cool thing about this ongoing BPA project: not only do you get a tool that will check your work in later OS versions, but the valid documentation gets centralized.
- Ned “Arren hates cowboys” Pyle
Comments
Anonymous
August 02, 2010
Why doesn't it run on W2K8 Standard edition? I don't understand this.

Anonymous
August 03, 2010
Hi Evren - I also just installed on Standard without issues. It's just wrong info on the download page, it works fine. I'll see about getting that updated. Next time don't be so trusting... :-P

Anonymous
August 03, 2010
Hi sgrinker - and I just confirmed that there's no automatic (i.e. buggy :-P) flagging like you got; mine passed muster just fine, so the BPA is working fine on the face of things.

Anonymous
August 03, 2010
I built an environment for this test, since I needed to see about Standard edition. That means my server was newly loaded from a sysprep image and DCPROMO was of the 'next next next' variety. :) I didn't configure IPv6 in any way, only IPv4. I am therefore registering IPv6 only through the default ISATAP mechanism. I get four Quad A warnings too, these would be expected. Which ones do you see? You may also want to stop messing around with me and chat with our Networking team through their blog or a case. :-D

Anonymous
August 03, 2010
I'm getting the same Quad A warnings here. Thanks, but I think I'm good for now. :) I'm not exactly ready to justify the $250 per incident based on a message from the BPA utility. Everything else that I've checked comes back healthy. If we start getting reports of strange things going on though, that is definitely the first direction I'll be heading. Thanks for the help and feedback just to verify what I'm seeing over here from the new utility! For now I'll leave you alone. ;)

Anonymous
August 04, 2010
If there is anyone out there that actually cares yet :) I'm fairly certain that I found the problem. The _msdcs zone is a sub-zone of our primary domain, as the domain has been upgraded from 2000 to 2003 to now 2008 over the years. The BPA appears to be looking for a root/forest-based _msdcs zone, or at least is looking for NS records within the _msdcs zone. Based on our configuration the sub-zone doesn't have the NS records. For anyone that is interested in more information... support.microsoft.com/.../817470

Anonymous
August 04, 2010
Awesome catch sgrinker! A good example of being punished for being an early adopter... :)

Anonymous
August 04, 2010
BTW, AFAIK you can safely delete the "domain-nested" _msdcs zone and re-create it as a separate (root-based) zone. If everything goes right it will be filled up automatically. I didn't do this for a long time, but hope I remember it correctly. Right?

Anonymous
August 12, 2010
The MBCA tool should work on Windows Server 2008 Standard Edition. Thanks for your feedback, Evren. We have updated the download page with additional build information.

Anonymous
August 13, 2010
Thanks for the feedback, Evren. Updated the download site with the list of supported WS08 OS versions. www.microsoft.com/.../details.aspx