Create DNS zones in internal DNS servers to fight some obvious Web ads.
Use OpenDNS (www.opendns.com) DNS servers as forwarders, to add an extra layer of security.
Block the exact DNS protocols (UDP, TCP, or both) on the edge—the firewall—and on the server. Also, lock down the DNS server. I’ve found Windows Server 2003 SP1’s security configuration wizard very useful for these two tasks.
Use Active Directory (AD)–integrated zones and secure dynamic updates.
Restrict DNS replication only to the necessary DNS servers.
Implement split DNS, if applicable.
Use DNSstuff (www.dnsstuff.com) to get useful additional information—also helpful for troubleshooting.
Get rid of NetBIOS over TCP and WINS. (Windows Server 2008 has a special DNS zone that eliminates the need for a WINS server.)
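The tips on AD-integrated zones, secure dynamic updates, and restricted replication can be checked with a short audit script. The following is an added example, not part of the original tip list; it assumes the DnsServer PowerShell module (Windows Server 2012 or later, or RSAT), treats the zone-transfer setting as the replication restriction to check, and uses a hypothetical default target of localhost.

```powershell
# Added example: audit primary DNS zones on one server against the checklist above.
# Assumption: the DnsServer module is available (Windows Server 2012+ or RSAT).
param(
    [string]$ComputerName = 'localhost'   # hypothetical default; pass your DNS server name
)

Import-Module DnsServer -ErrorAction Stop

# Only hand-created primary zones are relevant; skip auto-created and TrustAnchors zones.
$zones = Get-DnsServerZone -ComputerName $ComputerName |
    Where-Object {
        $_.ZoneType -eq 'Primary' -and
        -not $_.IsAutoCreated -and
        $_.ZoneName -ne 'TrustAnchors'
    }

$report = foreach ($z in $zones) {
    $findings = @()

    # Secure dynamic updates require the zone to be stored in Active Directory.
    if (-not $z.IsDsIntegrated) {
        $findings += 'file-backed zone (not AD-integrated)'
    }
    # 'NonsecureAndSecure' lets any client register or overwrite records.
    if ($z.DynamicUpdate -eq 'NonsecureAndSecure') {
        $findings += 'nonsecure dynamic updates accepted'
    }
    # 'TransferAnyServer' hands the full zone to whoever asks for it.
    if ($z.SecureSecondaries -eq 'TransferAnyServer') {
        $findings += 'zone transfers allowed to any server'
    }

    [pscustomobject]@{
        Zone             = $z.ZoneName
        ADIntegrated     = $z.IsDsIntegrated
        DynamicUpdate    = $z.DynamicUpdate
        ZoneTransfers    = $z.SecureSecondaries
        ReplicationScope = $z.ReplicationScope
        Findings         = if ($findings) { $findings -join '; ' } else { 'OK' }
    }
}

# Zones with findings sort ahead of 'OK' only by text order, so review the whole table.
$report | Sort-Object Findings, Zone | Format-Table -AutoSize -Wrap
```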