Get:
- ADI Zones (Type, Dynamic Update Configuration)
- Conditional Forwarder Auditing
- Dangling SPNs
- DHCP Dynamic Update service account
- DnsAdmins Membership
- DnsUpdateProxy Membership
- Forwarder Configuration
- Global Query Block List (GQBL)
- Name Protection Configuration on DHCP servers
- Non-ADI Zone Auditing
- Query Resolution Policies
- Security Descriptors
- Socket Pool Configuration
- Tombstoned DNS Records
- Wildcard Record
- WPAD Record
- Zone Scopes
- Zone Scope Containers
Test:
- ADI Zones (Legacy vs. non-Legacy)
- ADI Zones (Secure vs. non-Secure)
- Conditional Forwarder Auditing - Unnecessary
- Dangling SPNs - Unnecessary
- DHCP Dynamic Update service account
- DnsAdmins Membership - Unnecessary
- DnsUpdateProxy Membership - Unnecessary
- Duplicate Zone Names
- Forwarder Configuration
- Global Query Block List (GQBL)
- Name Protection Configuration on DHCP servers
- Non-ADI Zone Auditing - Unnecessary
- Query Resolution Policies - Unnecessary
- Security Descriptor (ACEs)
- Security Descriptor (Ownership)
- Socket Pool Configuration
- Tombstoned DNS Records - Unnecessary
- Wildcard Record - Check if correct type for forest
- WPAD Record - Check if correct type for forest
- Zone Scopes - Unnecessary
- Zone Scope Containers
Repair:
- ADI Zones (Legacy => Non-Legacy)
- ADI Zones (Non-Secure => Secure)
- Dangling SPNs (Delete)
- DHCP Dynamic Update service account
- DnsAdmins Membership
- DnsUpdateProxy Membership
- Forwarder Configuration
- Global Query Block List (GQBL)
- Non-ADI Zone Auditing
- Query Resolution Policies
- Socket Pool Configuration
- Tombstoned DNS Records
- Weird DACLs
- Wildcard Record
- WPAD Record
- Zone Scope Auditing
Planned Improvements:
- DHCP (Name Protection/Service Account) checks in any forest