This guide explains how to install and configure a Domain Controller and DNS server on the Windows Server 2008 R2 platform, for a new forest in a new domain.
Installation phase
- Install Windows Server 2008 R2 (either Standard or Enterprise edition). Important note: The first domain controller in the forest root domain must be installed on physical hardware and not as a virtual server.
- Login for the first time to the new server, using the administrator account.
- Start -> Run -> dcpromo.exe
- Click Next twice -> select “Create a new domain in a new forest” -> click Next -> specify the FQDN of the new forest root domain -> click Next -> on the forest functional level, choose “Windows Server 2008 R2” -> click Next -> leave “DNS server” selected and click Next -> click “Yes” on the warning message -> choose a location for the database, logs and SYSVOL folders -> click Next -> specify a complex password for the Directory Services Restore Mode administrator (and document the password) -> click Next twice -> select “Reboot on completion”.
- Allow the server to restart when the installation process completes.
- Login to the new domain controller for the first time using domain administrator account.
- Start -> Run -> cmd.exe
- Write the commands below to synchronize the PDC emulator with an external reliable time source:
w32tm /config /computer:<> /manualpeerlist:time.windows.com /syncfromflags:manual /update
exit
- Start -> Administrative Tools, right-click Active Directory Module for Windows PowerShell, and then click Run as administrator.
- Write the commands below to protect all OUs in the domain from accidental deletion:
import-module activedirectory
Get-ADOrganizationalUnit -filter * -Properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $false} | Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $true
exit
- Server Manager -> right click on Features -> Add Features -> select “Windows Server Backup Features” -> click Next -> click Install -> click Close.
- Start -> Administrative Tools -> Windows Server Backup -> from the Actions pane, click on “Backup Schedule” -> click Next -> choose “Full server” -> Specify a backup time -> click Next -> click the check box for your destination disk -> click Next -> click Yes to confirm that the destination disk will be reformatted -> verify the label for the destination disk -> click Next -> verify the information on the Summary page -> click Finish -> On the Confirmation page -> click Close.
- Server Manager -> expand Roles -> expand DNS Server -> expand DNS -> expand the server name -> right click on “Reverse Lookup Zones” -> New Zone -> click Next -> choose “Primary zone” -> leave “Store the zone in Active Directory” checked -> click Next -> select “To all DNS Servers running on domain controllers in this forest” -> click Next -> choose “IPv4 Reverse Lookup Zone” -> click Next -> in the “Network ID” field, put the first 3 octets of the network segment the domain controller resides in -> click Next -> select “Allow only secure dynamic updates” -> click Next -> click Finish.
- Perform the above step for all other network segments that reside in your organization.
- From the left pane, expand the server name -> expand “Forward Lookup Zones” -> right click on each zone name -> Properties -> Name Servers tab -> make sure all Windows 2008 R2 DNS servers appear on this list (assuming you have installed more Windows 2008 R2 domain controllers with DNS service) -> Zone Transfers tab -> select “Allow zone transfers” -> select “Only to servers listed on the Name Servers tab” -> click OK.
- Perform the above step for all other “Forward Lookup zones” and “Reverse Lookup zones” in your forest.
IPv6 DNS settings
- In order to configure an IPv6 address for the DNS server, Start -> Control Panel -> under “Network and Internet”, click on “View network status and tasks” -> click “Change adapter settings” -> right click on the relevant “Local Area Connection” icon -> Properties -> click on “Internet Protocol Version 6 (TCP/IPv6)” -> Properties -> select “Use the following IPv6 address” -> if you are not familiar with IP addressing, you can use 2001:0db8:29cd:1a0f:857b:455b:b4ec:7403 -> enter a Subnet prefix length of 64 -> click OK -> click Close.
- Server Manager -> expand Roles -> expand DNS Server -> expand DNS -> expand the server name -> expand “Reverse Lookup Zones” -> right click on “Reverse Lookup Zones” -> New Zone -> click Next -> choose “Primary Zone” -> click Next -> choose “To all DNS servers running on domain controllers in this forest” -> click Next -> choose “IPv6 Reverse Lookup Zone” -> click Next -> on the “IPv6 Address Prefix” field type the IPv6 subnet prefix (in this example: 2001:0db8:29cd:1a0f::/64) -> click Next -> select “Allow only secure dynamic updates” -> click Next -> click Finish.
- Right click on the new “Reverse Lookup Zone” -> Properties -> Zone Transfers tab -> select “Allow zone transfers” -> select “Only to servers listed on the Name Servers tab” -> click OK.
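A post-install audit of the settings this guide configures, as an added example that is not part of the original guide: it assumes you run it in the Active Directory Module for Windows PowerShell on the new domain controller as a domain administrator, and that the root\MicrosoftDNS WMI namespace is present (it is on a Windows Server 2008 R2 DNS server). It reports any OU left unprotected, any AD-integrated zone that still accepts nonsecure dynamic updates or transfers to any server, and a PDC emulator still running on its local clock.

```powershell
# Post-install audit of the settings configured by this guide (added example, not
# part of the original guide). Assumptions: Active Directory Module for Windows
# PowerShell on the new DC, run as a domain administrator; root\MicrosoftDNS WMI
# namespace available (Windows Server 2008 R2 DNS server).
Import-Module ActiveDirectory

$findings = @()

# 1. Every OU in the domain should be protected from accidental deletion.
$unprotected = Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion |
    Where-Object { -not $_.ProtectedFromAccidentalDeletion }
foreach ($ou in $unprotected) {
    $findings += "OU not protected from accidental deletion: $($ou.DistinguishedName)"
}

# 2. Every AD-integrated zone should allow only secure dynamic updates and transfer
#    only to the servers on its Name Servers tab.
#    MicrosoftDNS_Zone.AllowUpdate:       0 = none, 1 = nonsecure and secure, 2 = secure only
#    MicrosoftDNS_Zone.SecureSecondaries: 0 = any server, 1 = Name Servers tab only,
#                                         2 = listed IP addresses only, 3 = no transfers
$zones = Get-WmiObject -Namespace 'root\MicrosoftDNS' -Class MicrosoftDNS_Zone |
    Where-Object { $_.DsIntegrated -and $_.Name -ne 'TrustAnchors' }
foreach ($z in $zones) {
    if ($z.AllowUpdate -ne 2) {
        $findings += "Zone $($z.Name): dynamic updates not restricted to secure only (AllowUpdate=$($z.AllowUpdate))"
    }
    if ($z.SecureSecondaries -eq 0) {
        $findings += "Zone $($z.Name): zone transfers allowed to any server (SecureSecondaries=0)"
    }
}

# 3. The first DC holds the PDC emulator role; it should sync from the manual peer
#    configured with w32tm, not from its own hardware clock.
$timeSource = (w32tm /query /source) -join ''
if ($timeSource -match 'Local CMOS Clock|Free-running') {
    $findings += "Time source is '$timeSource' rather than an external peer"
}

if ($findings.Count -eq 0) {
    Write-Output 'All checks passed.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

Run it again after adding further domain controllers or zones; a zone that was re-created through the wizard with the defaults changed shows up here before it becomes an operational problem.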
