Procedure: Review Name Resolution Policy Settings

 

Applies To: Windows Server 2012 R2, Windows Server 2012

Use the following procedures to verify name resolution policy settings on a DNS server and a DNS client using Windows PowerShell. When you have completed the procedures in this topic, return to the parent checklist.

For information about configuring name resolution policy settings, see The NRPT.

Name resolution policy settings can only be applied to computers that are security-aware. For more information about security-aware computers, see Security-aware client.

Use the following procedures to review NRPT configuration and name resolution policy:

Review NRPT configuration

Name resolution policy is configured in the NRPT, either in domain Group Policy, local Group Policy, or both. The NRPT can be configured to require or not require that DNSSEC validation be performed for DNS queries within a given namespace.

Membership in the Administrators group, or equivalent, is the required minimum to complete these procedures. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

To review NRPT configuration

  1. Open an elevated Windows PowerShell prompt on a computer with the Group Policy Management feature installed.

  2. To view a list of Group Policy Objects (GPOs) in the domain, use the Get-GPO cmdlet, as shown in the following example.

    PS C:\> Get-GPO -All -DomainName contoso.com | fl -Property DisplayName,GpoStatus
    
    DisplayName : Default Domain Policy
    GpoStatus   : AllSettingsEnabled
    
    DisplayName : Default Domain Controllers Policy
    GpoStatus   : AllSettingsEnabled
    
    DisplayName : NRPT_settings
    GpoStatus   : AllSettingsEnabled
    

    In the previous example, the Format-List (fl) parameter is used to display only the DisplayName and GpoStatus properties. The NRPT_settings GPO is a custom GPO that is created in this example to contain all name resolution policies for the domain. This GPO name is only an example. GPO names for your domain will be different. The example GPO is used in the following example.

  3. To review name resolution policy settings in a GPO, use the Get-DnsClientNrptRule cmdlet, as shown in the following example.

    PS C:\> Get-DnsClientNrptRule -GpoName contoso.com\NRPT_settings
    
    Name                             : Rule1
    Version                          : 1
    Namespace                        : {.secure.contoso.com}
    IPsecCARestriction               :
    DirectAccessDnsServers           :
    DirectAccessEnabled              : False
    DirectAccessProxyType            :
    DirectAccessProxyName            :
    DirectAccessQueryIPsecEncryption :
    DirectAccessQueryIPsecRequired   :
    NameServers                      :
    DnsSecEnabled                    : True
    DnsSecQueryIPsecEncryption       :
    DnsSecQueryIPsecRequired         : False
    DnsSecValidationRequired         : True
    NameEncoding                     : Disable
    DisplayName                      :
    Comment                          :
    

    In the previous example, the secure.contoso.com namespace displays True next to DnsSecValidationRequired, which means that all DNS clients that are security-aware, and that have this GPO applied, will require that queries for the secure.contoso.com zone are validated.

Review effective name resolution policy

Although a GPO can be configured with NRPT settings, these settings do not affect a DNS client unless they are correctly applied. To verify that settings are applied, review the effective name resolution policy.

Membership in the Administrators group, or equivalent, is the minimum required to complete these procedures. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

To review effective name resolution policy

  1. Open a Windows PowerShell prompt on a DNS client computer.

  2. To review effective name resolution policy, use the Get-DnsClientNrptPolicy cmdlet. See the following example.

    PS C:\> Get-DnsClientNrptPolicy -Effective
    
    Namespace                        : .secure.contoso.com
    QueryPolicy                      : QueryIPv6Only
    SecureNameQueryFallback          : FallbackPrivate
    DirectAccessIPsecCARestriction   :
    DirectAccessProxyName            :
    DirectAccessDnsServers           :
    DirectAccessEnabled              : False
    DirectAccessProxyType            :
    DirectAccessQueryIPsecEncryption :
    DirectAccessQueryIPsecRequired   :
    NameServers                      :
    DnsSecIPsecCARestriction         :
    DnsSecQueryIPsecEncryption       :
    DnsSecQueryIPsecRequired         : False
    DnsSecValidationRequired         : True
    NameEncoding                     :
    

    In the previous example, True is displayed next to DnsSecValidationRequired for the secure.contoso.com namespace, which means that DNSSEC validation will be required for DNS queries in the secure.contoso.com zone. Output from the Get-DnsClientNrptPolicy cmdlet also includes any name resolution policy that might be configured in local Group Policy.

See also

DNSSEC in Windows

DNSSEC Deployment Planning