Windows 2016 DNS SEC - Zone Load Sign Failure

Microsoft.Windows.DNSServer.2016.Rules.DNSSEC.LoadSignFailure (Rule)

This rule checks for a load sign failure in a zone on Windows Server 2016.

Knowledge Base article:


The DNS server encountered an error signing zone during load. The administrator should review the zone configuration.


The DNS server encountered an error signing zone during load. The administrator should review the zone configuration. Please check if the signing keys are accessible.

Element properties:

Alert Generate: True
Alert Severity: Error
Alert Priority: Normal
Alert Message:
Windows 2016 DNS SEC - Zone Load Sign Failure
The DNS server encountered Load Sign failure in the Zone {1} in Server {0}
Event Log: DNS Server

Member Modules:

ID Module Type TypeId RunAs 
DS DataSource Microsoft.Windows.EventProvider Default
Alert WriteAction System.Health.GenerateAlert Default

Source Code:

<Rule ID="Microsoft.Windows.DNSServer.2016.Rules.DNSSEC.LoadSignFailure" Enabled="true" Target="Microsoft.Windows.DNSServer.2016.Zone" ConfirmDelivery="true" Remotable="true" Priority="Normal" DiscardLevel="100">
<DataSource ID="DS" TypeID="Windows!Microsoft.Windows.EventProvider">
<LogName>DNS Server</LogName>
<XPathQuery Type="String">Params/Param[1]</XPathQuery>
<Value Type="String">$Target/Property[Type="Microsoft.Windows.DNSServer.2016.Zone"]/ZoneName$</Value>
<WriteAction ID="Alert" TypeID="Health!System.Health.GenerateAlert">