Installing DNSSEC on Windows 2016 Server



In this video we will:

  • Demonstrate a step-by-step, hands-on installation of Windows DNS Security.
  • Define the technical terms you will need as we progress through the installation.
  • At the completion of this lecture you will have gained valuable work-related knowledge and experience by implementing the steps given in this lecture.

Prerequisites: You must have access to or have installed in your lab the following: 

  • One Windows 2016 Server with Active Directory installed and promoted to a domain controller (DNS installs automatically).
  • Or a VM with the identical configuration. 
  • Don’t forget to download the supplemental information that I have supplied with this lecture. 

Adequate permissions will be needed.

  • To configure a DNS server that is running on a domain controller, you must be a member of the DNS Administrators, Domain Administrators, or Enterprise Administrators group.

Windows DNSSEC Installation 

Open Server Manager, click Tools, then DNS, and double-click the forward lookup zone. In this case I right-click DNS.COM, highlight DNSSEC, then click Sign the Zone.

The Zone Signing Wizard is displayed. Click Next.

First we will use the default settings, then go back and customize the signing options to give you a more thorough understanding of the installation.

Choose the default settings, click Next, Next again, then Finish. From the DNS Manager, press F5. A lock is displayed on our zone, telling us that the zone has been signed.

Click on DNS.COM and view all the new records displayed. Right-click the zone (DNS.COM), highlight DNSSEC, and you will see “Unsign the Zone”. This also shows that the zone has been signed. Click Unsign the Zone, click Next, then Finish. Press F5. Now the zone has been unsigned and there are fewer records in the zone.
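The default sign, verify and unsign steps above can also be run from PowerShell with the DnsServer module. This is an added example, not part of the original lesson; it assumes the zone name dns.com from the walkthrough and an elevated session on the primary DNS server, and the helper Get-DnssecRecordCount is a hypothetical name introduced here.

```powershell
# Added example: PowerShell counterpart of the wizard's default signing path.
# Assumes an elevated session on the DNS server that is primary for the zone.
Import-Module DnsServer

$ZoneName = 'dns.com'   # zone used in the walkthrough

function Get-DnssecRecordCount {
    # Hypothetical helper: count the DNSSEC record types present in the zone.
    param([Parameter(Mandatory)][string]$Zone)
    $counts = [ordered]@{}
    foreach ($type in 'DnsKey', 'RRSig', 'NSec', 'NSec3', 'NSec3Param') {
        # @() makes "no records returned" count as 0 instead of failing.
        $counts[$type] = @(Get-DnsServerResourceRecord -ZoneName $Zone -RRType $type `
                -ErrorAction SilentlyContinue).Count
    }
    [pscustomobject]$counts
}

# Baseline: an unsigned zone reports IsSigned = False and no DNSSEC records.
"Before signing: IsSigned = $((Get-DnsServerZone -Name $ZoneName).IsSigned)"
Get-DnssecRecordCount -Zone $ZoneName

# Same as choosing the default settings in the Zone Signing Wizard.
Invoke-DnsServerZoneSign -ZoneName $ZoneName -SignWithDefault -Force

# Equivalent of pressing F5 and looking for the lock icon on the zone.
if (-not (Get-DnsServerZone -Name $ZoneName).IsSigned) {
    throw "Zone $ZoneName was not signed"
}
Get-DnssecRecordCount -Zone $ZoneName        # the new records seen in DNS Manager
Get-DnsServerSigningKey -ZoneName $ZoneName  # the KSK and ZSK created by signing

# Query with the DNSSEC OK bit set; a signed zone returns RRSIG data
# alongside the DNSKEY records.
Resolve-DnsName -Name $ZoneName -Type DNSKEY -Server localhost -DnssecOk

# Same as "Unsign the Zone": the DNSSEC records are removed again.
Invoke-DnsServerZoneUnsign -ZoneName $ZoneName -Force
"After unsigning: IsSigned = $((Get-DnsServerZone -Name $ZoneName).IsSigned)"
Get-DnssecRecordCount -Zone $ZoneName
```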

Now let’s go back to the Zone Signing Wizard and explore the custom installation. Right-click DNS.COM, highlight DNSSEC, click Sign the Zone, then click Next.

This time choose Customize zone signing parameters, then click Next.

Key Master: Choose the Key Master for this Zone

What is a Key Master? It is the starting point for creating the keys, public and private. These keys are a matched pair: data that is digitally signed with one of these keys can be verified with the other key. If the data was encrypted with the public key, the private key can decrypt it. If the data was encrypted with the private key, the public key can decrypt it. The Key Master is the originator of these keys, and it must be the primary DNS server for the zone. These keys form the basis of what is usually called public key encryption, or asymmetric encryption.

In this case select the DNS server SVR-US-DNS1 for the key master. 

Click next 

Key signing key (KSK) – The KSK starts the chain of keys that secures DNS. It is also used to sign the DNSKEY records in the zone. Only one is necessary unless:

  • You have client computers that understand only a certain type of encryption.
  • You are merging different organizations that have different KSKs.

The KSK is an authentication key that corresponds to a private key. The public key of a KSK is used as a trust anchor for validating DNS responses.

Click next, then add 

Generate new Keys 

You can select pre-generated keys if you prefer, or you can generate new signing keys. We will select Generate new key signing keys.

Key Properties  
