Windows Server 2012: DNSSEC
// Server: Adatum.com
// DNS Server: LON-DC1
1) [Server Manager] > Tools > DNS > Forward Lookup Zones > right-click Adatum.com > DNSSEC > Sign the Zone > (x) Customize zone signing parameters > (x) The DNS server LON-DC1 is the key master > under Key Signing Key (KSK), Add > click OK > (x) NSEC3 > (x) Enable the distribution of Trust Anchors for this zone > Next > Finish
2) [Server Manager] > Tools > Group Policy Management > Forest: Adatum.com > Domains > Adatum.com > right-click Default Domain Policy > Edit >
2) i) Group Policy Management Editor > Computer Configuration > Policies > Windows Settings > Name Resolution Policy > NRPT - Suffix: Adatum1.com > Enable DNSSEC in this rule > (x) Require DNS clients to check that name and address data has been validated > Create
// Note: If you're using Windows Server 2012, the DNS server config dialogue has an option "Enable DNSSEC validation for remote responses".
// Note: this option is missing in Windows Server 2016.
// Therefore, to enable DNSSEC validation on Windows Server 2016:
// DnsCmd.exe /Config /enablednssec 1
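// The same procedure (sign the zone with NSEC3 and trust-anchor distribution, add the NRPT rule to the Default Domain Policy, enable validation on the server) scripted with the DnsServer and DnsClient PowerShell modules. This is an added example, not part of the original post; the key algorithms and lengths, the NRPT namespace (assumed to be the signed zone itself) and the EnableDnsSec property are my assumptions, the zone and server names are the ones above.

```powershell
# Added example (not from the original post): scripted equivalent of the
# GUI steps. Run on the DNS server that should become key master (LON-DC1)
# as a domain admin; the DNS server and GroupPolicy RSAT modules are needed.
# Key parameters and the NRPT namespace are assumptions, not values from the post.

$Zone    = 'Adatum.com'
$KeyHost = 'LON-DC1'
$Gpo     = 'Default Domain Policy'

# 1) Zone signing parameters ("Customize zone signing parameters"):
#    create a KSK and a ZSK, use NSEC3 for authenticated denial of existence,
#    and distribute the trust anchor (zone DNSKEY) to other DCs via AD.
#    The server the zone is signed on becomes its key master.
Add-DnsServerSigningKey -ZoneName $Zone -Type KeySigningKey  -CryptoAlgorithm RsaSha256 -KeyLength 2048
Add-DnsServerSigningKey -ZoneName $Zone -Type ZoneSigningKey -CryptoAlgorithm RsaSha256 -KeyLength 1024
Set-DnsServerDnsSecZoneSetting -ZoneName $Zone -DenialOfExistence NSec3 -NSec3OptOut $false `
    -DistributeTrustAnchor DnsKey
Invoke-DnsServerZoneSign -ZoneName $Zone -Force     # sign with the keys/settings just configured

# 2) NRPT rule in the Default Domain Policy: clients must require validated
#    answers for this suffix (leading dot = suffix rule). Clients pick it up
#    on the next Group Policy refresh (gpupdate /force).
Add-DnsClientNrptRule -GpoName $Gpo -Namespace ".$Zone" -DnsSecEnable -DnsSecValidationRequired `
    -Comment "Require DNSSEC-validated answers for $Zone"

# 3) Enable DNSSEC validation of remote responses on the DNS server itself
#    (the "DnsCmd.exe /Config /enablednssec 1" line above). The EnableDnsSec
#    property of Get-DnsServerSetting -All is assumed to map to that switch.
$settings = Get-DnsServerSetting -All
$settings.EnableDnsSec = $true
Set-DnsServerSetting -InputObject $settings

# 4) Checks a defender wants before trusting the setup: the zone reports
#    NSEC3 plus trust-anchor distribution, a trust anchor is present, and a
#    DO=1 query returns RRSIG records alongside the zone's DNSKEYs.
Get-DnsServerDnsSecZoneSetting -ZoneName $Zone |
    Format-List ZoneName, DenialOfExistence, DistributeTrustAnchor
Get-DnsServerTrustAnchor -Name $Zone -ErrorAction SilentlyContinue
$answer = Resolve-DnsName -Name $Zone -Type DNSKEY -Server $KeyHost -DnssecOk
if (-not ($answer | Where-Object { $_.Type -eq 'RRSIG' })) {
    throw "No RRSIG returned for $Zone - zone signing did not take effect"
}
```

// Once the NRPT rule applies, a client query that fails validation is rejected rather than answered, so test name resolution from a domain member before rolling the policy to every machine.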