An Engineer's Notebook

Configuring DNSSEC in Active Directory DNS

Aim: To enable DNSSEC on an Active Directory Integrated zone

1. Go to DNS Manager > Right click on Zone > DNSSEC > Sign the Zone

2. Select the default settings option > click next.

3. Go back to DNS Manager > Right click zone > DNSSEC > Properties

4. Trust Anchor Tab > Click the checkbox "Enable the distribution of trust anchors for this zone" > Click Apply/OK.

5. Click yes on this prompt

6. And OK on this prompt 

7. Go to Group Policy Manager > Create / Amend a Policy and configure the following:

Computer Configuration > Policies > Windows Settings > Name Resolution Policy.

Enter your domain and check "Enable DNSSEC in this rule" and "Require DNS clients to check that name and address data has been validated by the DNS server". Remember to APPLY the policy.


8. To test, run gpupdate /force and reboot.

Run netsh namespace show policy

This will verify that DNSSEC is enabled.
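The same steps driven from PowerShell, as an added example that is not part of the original post. It assumes the DnsServer, DnsClient and GroupPolicy modules are available on a domain controller or RSAT host, and uses the placeholder zone name "contoso.com" and GPO name "DNSSEC Client Policy".

```powershell
# Added example, not from the original post. Placeholders: zone and GPO name.
$zone = 'contoso.com'
$gpo  = 'DNSSEC Client Policy'

# Steps 1-2: sign the zone with the default key and rollover settings
# (equivalent to DNSSEC > Sign the Zone > default settings in DNS Manager).
Invoke-DnsServerZoneSign -ZoneName $zone -SignWithDefault -Force

# Steps 3-6: distribute the zone's DNSKEY trust anchor to the other
# AD-integrated DNS servers (the "Enable the distribution of trust anchors" box).
Set-DnsServerDnsSecZoneSetting -ZoneName $zone -DistributeTrustAnchor DnsKey

# Server-side checks: zone reports as signed, distribution is on, and the
# zone now carries DNSKEY and RRSIG records.
Get-DnsServerZone -Name $zone | Select-Object ZoneName, IsSigned
Get-DnsServerDnsSecZoneSetting -ZoneName $zone | Select-Object ZoneName, DistributeTrustAnchor
Get-DnsServerResourceRecord -ZoneName $zone -RRType DnsKey
Get-DnsServerResourceRecord -ZoneName $zone -RRType Rrsig | Select-Object -First 5

# Step 7: Name Resolution Policy Table rule in Group Policy.
#   -DnsSecEnable             = "Enable DNSSEC in this rule"
#   -DnsSecValidationRequired = "Require DNS clients to check that name and
#                                address data has been validated by the DNS server"
if (-not (Get-GPO -Name $gpo -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpo | Out-Null
}
Add-DnsClientNrptRule -GpoName $gpo -Namespace ".$zone" -DnsSecEnable -DnsSecValidationRequired

# Step 8: on a domain member, refresh policy and confirm the rule took effect.
gpupdate /force
Get-DnsClientNrptPolicy | Where-Object Namespace -eq ".$zone"
netsh namespace show policy

# Query with the DNSSEC OK bit set: a validating server returns RRSIG
# records alongside the answer, which confirms signing end to end.
Resolve-DnsName -Name $zone -Type A -DnssecOk
```

If the NRPT rule shows DnsSecValidationRequired but Resolve-DnsName returns no RRSIG records, check that the client's DNS servers are the signed zone's authoritative DCs and that trust anchor distribution has replicated to them.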
