DNSSEC windows 2012 r2

  • Question

  • Hi,

    I have two Windows 2012 R2 DCs (main and secondary) and one Exchange 2013 server.

    I have signed one of the zones on the main DC, and saw that it was encrypted.

    However, when I go to the secondary DC and the Exchange server DNS, I do not see the same encryption.

    Is it supposed to be like this, or do I have to do more configuration?

    Also, do I have to inform my registrar about my DNSSEC?

    Thank you

    Tuesday, May 3, 2016 4:00 AM

Answers

  • Hi Frustrated IT,

    I tested it just now; if you create a secondary DNS zone for sec.test.com on the DNS server, the zone will also be signed:

    If the zone is not signed in your lab, check whether you have imported the trust points into the DNS server; check here:

    Best Regards,

    Anne


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.


    Friday, May 13, 2016 9:38 AM
    Moderator

All replies

  • Hi Frustrated IT,

    According to your description, you are configuring DNSSEC. Here is a demonstration of DNSSEC in a test lab. It might be of help to you:

    Step-by-Step: Demonstrate DNSSEC in a Test Lab:

    https://technet.microsoft.com/en-sg/library/hh831411.aspx

    Best Regards,

    Anne


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Wednesday, May 4, 2016 6:34 AM
    Moderator
  • Hi Anne,

    Thanks for the reply

    Yes, I was using the link you indicated as a reference.

    However, the forward lookup zone on my DNS server does not have the "keypad lock", but my DC server has.

    Am I missing something here?

    Thursday, May 5, 2016 1:35 AM
  • Hi Frustrated,

    What does "keypad lock" mean? At which step do you run into the issue?

    Best Regards,

    Anne


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Tuesday, May 10, 2016 2:50 AM
    Moderator
  • https://i-technet.sec.s-msft.com/dynimg/IC564579.jpeg

    In the above image, at sec.contoso.com there is a "pad lock" to show that it is encrypted.

    My DC server has the "pad lock".

    My DNS server, after it propagated over from my DC's DNS server, does not show the "pad lock".

    Tuesday, May 10, 2016 9:01 AM
  • Hi Frustrated IT,

    If you follow the steps in the document above, then you should get the following result:

    Here is the screenshot for sec.test.com on DC1:

    Here is the screenshot for sec.test.com on DC2:

    As for the standalone DNS server, it is a cache-only DNS server, so it does not hold any zones; it only caches records.

    If you do not see that the zone is signed on DC2, then check the following things:

    1. Verify that the zone type of "sec.test.com" is an AD-integrated zone, so that it can replicate between DCs;

    2. Check whether you have configured it on DC1:

    • On DC1, in the DNS Manager console tree, navigate to Forward Lookup Zones > sec.test.com.

    • Right click sec.test.com, point to DNSSEC, and then click Properties.

    • Click the Trust Anchor tab.

    • Select the Enable the distribution of trust anchors for this zone checkbox, and then click OK.

    • When you are prompted to confirm changes to the zone, click Yes.

    • When you are prompted that configuration was successful, click OK.

    After configuring it, we need to wait for a minute for DC replication. Then refresh DNS on DC2.

    Best Regards,

    Anne


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Friday, May 13, 2016 8:56 AM
    Moderator
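The checks in the reply above (zone type, signed state, trust anchor distribution) can be done from PowerShell instead of DNS Manager. The following script is an added example, not part of the thread and not Anne's or Microsoft's code. It assumes the DnsServer module that ships with the Windows Server 2012 R2 DNS role (or RSAT) and remoting access to the servers. The zone name sec.test.com and the server names DC1 and DC2 come from the thread; EXCH01 is a placeholder for the Exchange server that hosts the secondary zone.

```powershell
# Added verification script (not from the thread). Requires the DnsServer module and
# WinRM access to each server. DC1/DC2 are from the thread; EXCH01 is a placeholder
# for the Exchange server holding the secondary copy of the zone.
$Zone    = 'sec.test.com'
$Servers = 'DC1', 'DC2', 'EXCH01'

foreach ($Server in $Servers) {
    # IsSigned is the property behind the padlock icon; IsDsIntegrated covers step 1
    $z = Get-DnsServerZone -Name $Zone -ComputerName $Server -ErrorAction Stop
    "{0}: ZoneType={1} IsSigned={2} IsDsIntegrated={3}" -f $Server, $z.ZoneType, $z.IsSigned, $z.IsDsIntegrated

    # Independently of the icon, ask the server for the SOA with the DO bit set and
    # count the RRSIG records it returns. A secondary receives the primary's RRSIG,
    # DNSKEY and NSEC/NSEC3 records through zone transfer, so a zero here means the
    # signed data has not actually arrived on that server.
    $rrsig = Resolve-DnsName -Name $Zone -Type SOA -Server $Server -DnssecOk |
             Where-Object { $_.Type -eq 'RRSIG' }
    "{0}: RRSIG records returned with SOA: {1}" -f $Server, @($rrsig).Count
}

# Step 2 of the reply above: confirm trust anchor distribution is enabled on DC1.
# 'None' means the checkbox is clear; 'DnsKey' is what the GUI sets when you tick it.
$setting = Get-DnsServerDnsSecZoneSetting -ZoneName $Zone -ComputerName DC1
"DC1 DistributeTrustAnchor = {0}" -f $setting.DistributeTrustAnchor
if ($setting.DistributeTrustAnchor -eq 'None') {
    Set-DnsServerDnsSecZoneSetting -ZoneName $Zone -ComputerName DC1 -DistributeTrustAnchor DnsKey
}

# After AD replication (wait a minute, as the reply says), the trust anchor for the
# zone should be present on DC2. An empty result here points at replication or the
# setting above rather than at the zone data itself.
Get-DnsServerTrustAnchor -Name $Zone -ComputerName DC2 -ErrorAction SilentlyContinue |
    Format-Table TrustAnchorName, TrustAnchorType, TrustAnchorState -AutoSize
```

Run it from any machine with the DnsServer module after replication has had time to complete. The RRSIG count is the check worth trusting: it reports whether each server is actually serving signed data, which is what a validating resolver cares about, whereas the padlock only reflects the local console's view of the zone.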
  • Hi Anne,

    Thank you for your help. 

    But the instructions you showed me are for DC1 and DC2, right?

    Both my DC1 and DC2 have the "pad lock".

    From your instructions: "As for the standalone DNS server, it is a cache only DNS server, so it do not hold any zones, it only cache records."

    Does this mean that it is normal for my DNS server not to have the "pad lock"?

    The DNS server shows all the records in DC1.

    Thank you so much once again

    Friday, May 13, 2016 9:04 AM
  • Hi Frustrated IT,

    Could you provide a screenshot of your DNS server? Since in my lab, my standalone DNS server does not own any zones.

    Best Regards,

    Anne


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Friday, May 13, 2016 9:08 AM
    Moderator
  • http://www.tiikoni.com/tis/view/?id=c366ac1
    Friday, May 13, 2016 9:30 AM
  • Hi Anne,

    The link is the image of my DNS server. It is an Exchange server as well.

    My DNS server has a secondary zone, so it will get information from my DC server.

    Is this how it is supposed to look?

    Thanks !

    Friday, May 13, 2016 9:31 AM
  • Hi Frustrated IT,

    I tested it just now; if you create a secondary DNS zone for sec.test.com on the DNS server, the zone will also be signed:

    If the zone is not signed in your lab, check whether you have imported the trust points into the DNS server; check here:

    Best Regards,

    Anne


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.


    Friday, May 13, 2016 9:38 AM
    Moderator
  • From my screenshot, my zone looks the same as yours,

    showing all the encrypted keys without the "pad lock".

    Thank you for your help

    Friday, May 13, 2016 9:42 AM