DNSSEC Trust Points Missing

  • Question

  • I am configuring DNSSEC on our on-premises 2012 R2 DCs. Currently if DNSSEC is enabled, we begin to receive 

    If I run Resolve-DnsName www.bing.com -DnssecOk -server localhost it returns the query with no errors.

    However, when I run Get-DnsServerTrustAnchor -name mydomainname.com
    Error: Get-DnsServerTrustAnchor : Failed to enumerate the trust anchors for the input trust point mydomainname.com on server MYDC01.

    When I run this dnscmd /retrieveroottrustanchors
    Error: Command failed:  DNS_ERROR_INVALID_ZONE_OPERATION     9603    0x2583

    The "Trust Points" folder/container is not present in the DNS Console.


    Wednesday, 5 December 2018 19:06

All replies

  • Have you made sure that DNSSEC is actually enabled?

    Get-DnsServerSetting -All | fl EnableDnsSec

    Wednesday, 19 December 2018 16:28
  • I was able to get the Trust Point folders to appear and then enable DNSSEC by issuing this command:

    DnsCmd.exe [server name here] /Config /enablednssec 1

    However, I still get the error when I run this dnscmd /retrieveroottrustanchors
    Error: Command failed:  DNS_ERROR_INVALID_ZONE_OPERATION     9603    0x2583

    Wednesday, 19 December 2018 23:16
  • I'm stuck at the same problem. Wondering if this is caused by our second domain server running Windows Server 2008 (without R2) that doesn't support DNSSEC.

    Does this setting apply to your domain as well?

    Friday, 21 December 2018 13:02
  • I am trying to run a DNSSEC resolver on WS2019 after finding that WS2008R2 cannot do that. Same error 9603 0x2583 and missing anchors folder. I also tried to set it up on other servers, 2012 and 2016, some of them migrated from older ones, some of them freshly installed. I succeeded just twice, with a fresh 2012 R2 Foundation and a migrated 2012.

    Any progress?

    Wednesday, 10 July 2019 16:38
  • I had exactly the same issue. I found this entry in the Event Log >> Applications and Services Logs >> DNS Server.

    The DNS server has invalid or corrupted registry parameter PublishAddresses.  To correct the problem, you can delete the applicable registry value, located under DNS server parameters in the registry.  You can then recreate it using the DNS console.  For more information, see the online Help.

    After reviewing the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters values, the PublishAddresses indeed contained an old no longer used IP address of the server. I fixed it in the registry, ran dnscmd /config /enablednssec 1 (which set EnableDnsSec value to 1).

    Afterwards, I have restarted the DNS Server service and DNSSEC started to work. Now, the dnscmd /retrieveroottrustanchors succeeded.

    • Edited by Rozi Monday, 14 October 2019 18:15
    Monday, 14 October 2019 18:07
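The steps scattered across the replies above (check EnableDnsSec, look for the "invalid or corrupted registry parameter" event in the DNS Server log, compare PublishAddresses with the addresses the server actually has, enable DNSSEC, restart the service, retrieve the root trust anchors) collected into one diagnostic script. This is an added example and not code posted by anyone in the thread. It assumes it is run as an administrator on the DC itself with the DnsServer module present, that PublishAddresses is stored as a space-separated string or multi-string of IPv4 addresses, and that the root trust point is named "."; without -Fix it only reports.

```powershell
<#
  Added example (not from the thread). Reproduces the checks and the repair
  described in the replies above on a server running the DNS Server role.
  Assumptions: run elevated on the DNS server itself, DnsServer module available,
  PublishAddresses holds a space-separated REG_SZ or a REG_MULTI_SZ of IPv4 addresses.
  Without -Fix the script is read-only.
#>
[CmdletBinding()]
param([switch]$Fix)

$paramsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'

# 1. Is DNSSEC actually enabled? (the EnableDnsSec check from the second reply)
$settings = Get-DnsServerSetting -All
"EnableDnsSec = $($settings.EnableDnsSec)"

# 2. Look for the 'invalid or corrupted registry parameter' event in the DNS Server log.
$badParamEvents = Get-WinEvent -LogName 'DNS Server' -MaxEvents 500 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'invalid or corrupted registry parameter' }
foreach ($e in $badParamEvents) {
    '{0} event {1}: {2}' -f $e.TimeCreated, $e.Id, ($e.Message -split "`n")[0]
}

# 3. Compare PublishAddresses with the IPv4 addresses bound on this host.
$props     = Get-ItemProperty -Path $paramsKey
$published = @()
if ($null -ne $props.PublishAddresses) {
    # Assumption: space-separated string or string array of addresses.
    $published = @($props.PublishAddresses) -join ' ' -split '\s+' | Where-Object { $_ }
}
$local = (Get-NetIPAddress -AddressFamily IPv4 | Where-Object { $_.IPAddress -ne '127.0.0.1' }).IPAddress
$stale = @($published | Where-Object { $_ -notin $local })
"PublishAddresses : $($published -join ', ')"
"Local IPv4       : $($local -join ', ')"
if ($stale.Count -gt 0) {
    "STALE (not bound on this host): $($stale -join ', ')"
} else {
    'PublishAddresses is consistent with the local addresses.'
}

if (-not $Fix) { return }

# 4. Repair: delete the broken value, as the event text recommends; it can be
#    recreated from the DNS console afterwards if publishing specific addresses is needed.
if ($stale.Count -gt 0) {
    Remove-ItemProperty -Path $paramsKey -Name PublishAddresses
    'Removed PublishAddresses from the registry.'
}

# 5. Enable DNSSEC (sets EnableDnsSec = 1), restart the service, fetch root trust anchors.
#    /f on RetrieveRootTrustAnchors skips the interactive confirmation prompt.
dnscmd.exe /Config /EnableDnsSec 1
Restart-Service -Name DNS
dnscmd.exe /RetrieveRootTrustAnchors /f

# 6. Verify: the root trust point '.' should now exist and carry anchors.
Get-DnsServerTrustPoint
Get-DnsServerTrustAnchor -Name '.'
```

Run it once without -Fix to see whether PublishAddresses really lists an address the server no longer owns; only then rerun with -Fix. Note that the trust point created by retrieving the root anchors is the root zone ("."), which is why the verification step queries that name rather than the server's own domain.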