Configure the fabric DNS for guarded hosts (AD)

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016


AD mode is deprecated beginning with Windows Server 2019. For environments where TPM attestation is not possible, configure host key attestation. Host key attestation provides similar assurance to AD mode and is simpler to set up.

A fabric administrator needs to configure the fabric DNS so that guarded hosts can resolve the HGS cluster. The HGS cluster must already be set up by the HGS administrator.

There are many ways to configure name resolution for the fabric domain. One simple way is to set up a conditional forwarder zone in DNS for the fabric. To set up this zone, run the following command in an elevated Windows PowerShell console on a fabric DNS server. Substitute the names and addresses in the Windows PowerShell syntax below as needed for your environment. Include the IP address of every HGS node in the list of master servers so that name resolution does not depend on a single node.

Add-DnsServerConditionalForwarderZone -Name 'bastion.local' -ReplicationScope "Forest" -MasterServers <IP addresses of HGS server>
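The following is an added example, not from the original page, showing the same conditional forwarder zone created with every HGS node listed as a master server, made idempotent for re-runs, and followed by the checks a fabric administrator would want before pointing guarded hosts at HGS. The node IP addresses and the service name 'hgs.bastion.local' are placeholders assumed for illustration; the real service name comes from the HGS administrator.

```powershell
# Added example (not the page's own command sequence). Creates or updates the
# conditional forwarder zone for the HGS domain and verifies it.
# Assumed values: the HGS domain 'bastion.local' from the page; the node
# addresses below are placeholders to replace with your HGS node IPs.
$HgsDomain  = 'bastion.local'
$HgsNodeIPs = @('192.0.2.10', '192.0.2.11', '192.0.2.12')   # placeholders

$existing = Get-DnsServerZone -Name $HgsDomain -ErrorAction SilentlyContinue
if (-not $existing) {
    # First run: create the AD-integrated, forest-replicated forwarder zone.
    Add-DnsServerConditionalForwarderZone -Name $HgsDomain `
        -ReplicationScope 'Forest' `
        -MasterServers $HgsNodeIPs
} else {
    # Zone already exists: make sure every HGS node is listed as a master,
    # so a single HGS node going down does not break name resolution.
    Set-DnsServerConditionalForwarderZone -Name $HgsDomain -MasterServers $HgsNodeIPs
}

# Check 1: the zone is present, is a conditional forwarder, and lists all nodes.
$zone = Get-DnsServerZone -Name $HgsDomain
$zone | Select-Object ZoneName, ZoneType, ReplicationScope, MasterServers

# Check 2: a name in the HGS domain resolves through this DNS server.
# 'hgs.bastion.local' is an assumed service name; use the one HGS publishes.
Resolve-DnsName -Name 'hgs.bastion.local' -Server $env:COMPUTERNAME -DnsOnly
```

Run the script on one DNS server in the fabric domain; because the zone replicates forest-wide, the other fabric DNS servers pick it up without repeating the steps.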

Next step