For some odd reason I found myself lacking the Trust Points sub-directory on Windows Server 2016 on two of my three test domain controllers while configuring DNSSEC. Why? I have no idea. All three were deployed with the same image and I’ve configured all three side-by-side.
The annoying part: even after zone signing on the FSMO role holder DC1 and ensuring propagation throughout the test domain, DNSSEC still reported as not enabled on two of the three DCs.
The fix (for me)?
I re-ran this elevated command on the two DCs and Trust Points automagically appeared:
DnsCmd.exe [server name here] /Config /enablednssec 1
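
To confirm the setting took effect on every DC, the following PowerShell check (an added example, not part of the original post) reads the EnableDnsSec server setting and counts the trust anchors each server holds for the signed zone. The DC names other than DC1 and the zone name are placeholders, and the DnsServer module (RSAT DNS tools) is assumed to be installed.

```powershell
# Added example: audit DNSSEC state per domain controller.
# Assumptions: DC2/DC3 and the zone name are placeholders; substitute your own.
$DomainControllers = 'DC1', 'DC2', 'DC3'
$SignedZone        = 'example.test'

$report = foreach ($dc in $DomainControllers) {
    $row = [ordered]@{
        Server       = $dc
        EnableDnsSec = $null
        TrustAnchors = $null
        Error        = $null
    }
    try {
        # Server-level setting that "DnsCmd /Config /enablednssec 1" writes.
        $setting = Get-DnsServerSetting -ComputerName $dc -All `
                       -ErrorAction Stop -WarningAction SilentlyContinue
        $row.EnableDnsSec = [bool]$setting.EnableDnsSec

        # Trust anchors held for the zone; an empty result is counted as 0.
        $anchors = @(Get-DnsServerTrustAnchor -Name $SignedZone -ComputerName $dc `
                         -ErrorAction SilentlyContinue)
        $row.TrustAnchors = $anchors.Count
    }
    catch {
        # Unreachable server or access denied: record it instead of aborting.
        $row.Error = $_.Exception.Message
    }
    [pscustomobject]$row
}

$report | Format-Table -AutoSize

# Flag servers that differ from the expected state so drift is obvious.
$drift = $report | Where-Object {
    $_.Error -or -not $_.EnableDnsSec -or $_.TrustAnchors -eq 0
}
if ($drift) {
    Write-Warning ("DNSSEC not fully enabled on: " + ($drift.Server -join ', '))
}
```

Run it from an elevated session with DNS admin rights, once before and once after applying the DnsCmd fix, to see which servers changed.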