Enable protection for DNS records marked as protected (prevents dynamic updates overwriting them).
Enable ACL for recursive queries.
Mark all RFC1918 address PTR zones as either authoritative or forwarders. This page lists Private Zones for both IPv4 and IPv6. You may want to assign other as well.
Enable DNSSEC for recursion and install root keys.
Configure internal zones in list of Negative Trust Anchors.
Enable query monitoring.
Enable forwarding of log messages to SYSLOG server.
Enable SNMP.
Create proper FQDN for GM and install proper web certificate (signed by internal PKI).
Retrict ciphers on web server on Grid Manager.
Prep Dashboards for useful summary data of Grid Members.
Enable SSH on members.
Set DHCP to use modern records to DDNS (“standard” instead of “Interim”).
Enable DNS scavending to mark dynamic DNS not queried in 90 days as reclaimable and static DNS records not quried in 365 days (mark, not delete).
Create Smart Folder to show DNS records marked as reclaimable.
Adjust user setting to show 254 rows per page instead of the default 20.
Forward Audit log to System log.
Create support account and make sure all appliances are registered, licensed and have host names noted down in the hostname column.