These are my best practices when it comes to setting up DNS and DHCP at a new customer site. Of course, many settings are on case-by-case basis, but this is where I start. Feel free to comment if you have any suggestions!
First, there are some basics which I probably don’t need to mention, but here goes…
Setup (at least, depending on your setup) two DNS-servers.
As for zone settings, I setup:
Rest of the tabs are quite self explanatory. Make sure to don’t allow zone transfers if you really don’t need to and I try to talk every client into NOT using WINS what-so-ever.
Basically what this means is that it will DELETE records if they are considered older than what you specify here. This is of course nice to keep your zone clean and current and make sure name lookups work correctly, but beware that some records might get deleted that is needed.
But what about manually added records? Like your intranet.domain.com CNAME record? Well, (from this KB) records that you add manually, a time stamp value of zero is used, indicating that they are not affected by the aging process and can remain without limitation in zone data unless you otherwise change their time stamp or delete them.
Notice that you need to enable DNS aging/scaveging on both the DNS server and on the zone.
As for forwarders for external lookups, I tend to use any internal / DMZ server they might have setup for external lookups and for redundancy you can use their ISP DNS or even Google ones (18.104.22.168 and 22.214.171.124).
If you have the possibility, the DHCP service can be clustered. Otherwise, DHCP-Redundancy is free and easy to use. Otherwise, if you keep the lease time quite long, most clients will continue to work if the DHCP server goes down, however, new clients will not get an IP. Once DHCP is installed, I usually configure the DNS the following way:
This makes sure that non-Windows clients (Linux, printers, whatever) gets registered in the DNS which the customer usually wants. The Discard… part makes sure they get deleted once the lease runs out since it’s very common they have roaming users, guests and whatnot and you really want to get rid of those DNS-records after they’ve left.
Now if you go to the Advanced tab, you will see the Credentials… button.
I usually create a dedicated Domain User (non-admin) account in the domain and put here. This is best practice, especially if you run the DHCP service on a Domain Controller. Why? It’s quite well described in KB816592 – to prevent the server from inheriting, and possibly misusing, the power of the domain controller. When the DHCP Server service is installed on a domain controller, it inherits the security permissions of the domain controller. The service also has the authority to update or delete any DNS record that is registered in a secure Active Directory-integrated zone. (This includes records that were securely registered by other Windows 2000-based or Windows Server 2003-based computers, and by domain controllers.).
Speaking on the subject of the KB above, I also keep DnsUpdateProxy group empty.
When it comes to each scope settings, they are pretty straightforward. I tend to keep client site’s lease time quite long and server lease time quite short (since they are usually only used temporary to install servers with PXE). The DNS settings are set the same as above.
If you in the DNS console open a A-record and the Security tab you’ll see that when a computer runs DHCP, the user you configured for “DNS dynamic updates registration credentials” will be the user with “Write” permission. If you have a computer runs a static IP, the actual computer account, COMPUTERNAME$, will have “Write” permission. This might cause problems if you have a computer with static IP-adress and you re-install it, the new computer will not have write access and therefore not be able to change the DNS record. Keep that in mind when you provision your servers.
Please feel free to comment as I’m always looking for improvements 🙂