For some odd reason I found myself lacking the Trust Points sub-directory on Windows Server 2016 on two of my three test domain controllers while configuring DNSSEC. Why? I have no idea. All three were deployed with the same image and I’ve configured all three side-by-side.
The fix (for me)?
I re-ran this elevated command on the two DC’s and Trust Points automagically appeared:
DnsCmd.exe [server name here] /Config /enablednssec 1