Name Your Active Directory properly
I've written about this before. If your company website is example.com, the FQDN of the Active Directory should be in the form of ad.example.com, corp.example.com, or another third-level subdomain of the existing publicly used DNS. Avoid using example.com both internally and externally. Also avoid making up a TLD like .local or .lan. During promotion of the first DC in a domain, consider setting the NetBIOS name to EXAMPLE instead of the default value, so that users see EXAMPLE\user instead of the ambiguous AD\user or CORP\user. You only get one chance to set the NetBIOS name, so consider it carefully. It's non-trivial to change.
Create alternate UPN suffixes
I always tell users to "log into everything with your email address." Creating and assigning alternate UPN suffixes that match this allows this to work seamlessly. Also, having publicly reachable top-level suffixes like @example.com instead of @ad.example.com helps make integration with Office 365, Intune, and other Azure-based cloud services from Microsoft easier. It also makes Exchange Address Policies a snap to configure when you have multiple email domains in your Exchange organization, since you can filter on UPN suffix now and match it to a sending domain.
Set PDC Emulator to sync from an external time source
The Domain Controller with the PDC Emulator role is the one true source of time for your domain. All other Domain Controllers sync their time from it, and all client machines sync their time from the domain controller that they log into. It's important that time is consistent across your enterprise. The example below will sync it from some ntp.org pools, which are very reliable. If you already have a device on your network, like a core switch, offering reliable NTP, then you can replace all of the items in the manual peer list with those devices.
w32tm /config /update /manualpeerlist:"0.pool.ntp.org,0x8 1.pool.ntp.org,0x8" /syncfromflags:MANUAL
If you're not sure which DC has the PDC Emulator role, log into one of them and run netdom query fsmo at the command prompt. It will return a list of each FSMO role and which server currently holds it.
Set DNS Server Search order correctly on network adapters for DCs
127.0.0.1 should be in the list and should be last. Each DC in a site should use another DC from that site as the primary. If there are more than two DCs in a site with DNS installed, then one of the other DCs should be primary, the other secondary, and 127.0.0.1 should be the tertiary. For example:
DC01's IP address is 10.1.1.1
DC02's IP address is 10.1.1.2
Both are DNS servers.
DC01's network adapter should be configured so that 10.1.1.2 is the primary and 127.0.0.1 is the secondary. This prevents replication islands from occurring in specific circumstances.
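An audit of that rule across every DC, as an added example that is not part of the original post. It assumes the ActiveDirectory and DnsClient modules are available and that WinRM is allowed from the machine running it to each DC; it only reports, it changes nothing.

```powershell
# Added example: check each DC's DNS client search order against the rule above:
# 127.0.0.1 must be present and last, and the primary should be another DC in the
# same AD site (a DC that is alone in its site is not checked for the primary).
# Assumes the ActiveDirectory module and WinRM access to each DC.
Import-Module ActiveDirectory

$dcs = Get-ADDomainController -Filter *
$report = foreach ($dc in $dcs) {
    # IPv4 addresses of the other DCs in this DC's site
    $siteDcIps = @($dcs |
        Where-Object { $_.Site -eq $dc.Site -and $_.Name -ne $dc.Name } |
        ForEach-Object { $_.IPv4Address })

    # Read the IPv4 DNS server list from every adapter on the DC that has one
    # (wrapped in @() so a single address is still treated as a list)
    $servers = @(Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
        Get-DnsClientServerAddress -AddressFamily IPv4 |
            Where-Object { $_.ServerAddresses } |
            Select-Object -ExpandProperty ServerAddresses
    })

    $problems = @()
    if ($servers -notcontains '127.0.0.1') {
        $problems += 'loopback missing'
    } elseif ($servers[-1] -ne '127.0.0.1') {
        $problems += 'loopback is not last'
    }
    if ($siteDcIps.Count -gt 0 -and $servers[0] -notin $siteDcIps) {
        $problems += 'primary is not another DC in the same site'
    }

    [pscustomobject]@{
        DC      = $dc.Name
        Site    = $dc.Site
        Servers = ($servers -join ', ')
        Status  = if ($problems) { $problems -join '; ' } else { 'OK' }
    }
}

$report | Format-Table -AutoSize
```

A DC with several adapters carrying DNS servers will show them concatenated in the Servers column, so read that column before acting on a non-OK status.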
Enable the AD Recycle Bin
The AD Recycle Bin requires you to have a 2008 R2 Forest Functional Level, which means that you can never make a machine that is older than 2008 R2 into a Domain Controller. If this isn't an issue for you, then you should enable it. It allows for item-level recovery of deleted objects like user or computer accounts. It's a life saver.
Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=ad,DC=example,DC=com' `
    -Scope ForestOrConfigurationSet -Target 'ad.example.com'
Redirect newly created users and computers to a different default container
When you join a computer to a domain and there isn't a pre-existing computer account with the same name, you'll notice that it gets put into the default Computers container. Since Computers is not an OU, you can't link Group Policy to it. User accounts are placed in the similar Users container as well. This can happen when creating users from the Exchange Management Console, the New-ADUser PowerShell cmdlet, or the good old net user command.
Redircmp.exe and redirusr.exe are used to redirect the default location for computers and users to the specified OU.
If you have an OU at the top level named "Company Resources" and a sub-OU named "Misc Computers" you could redirect the default location for new, unspecified computers to Misc Computers by running:
redircmp "OU=Misc Computers, OU=Company Resources, DC=ad, DC=example, DC=com"
This will allow you to have a basic set of Group Policies apply to these computers and users without having to link them at the domain level.
Following these guidelines should get your new AD off on the right foot and set you up for success down the road.