After you’ve signed a zone you would expect Windows to give you the DS records/trust anchors straight away, right? Sadly not. It is, however, very easy to get Windows to give you the DS records so you can complete your DNSSEC implementation. To do this you need; a PowerShell or PowerShell ISE window (I prefer ISE), a shared folder with the correct permissions set up so Windows can export everything for you into a file, and a text editor (Notepad++, for example).
Just open up a PowerShell/PowerShell ISE window and copy the following command in (and replace the bits in bold with your details):
Export-DnsServerDnsSecPublicKey -ComputerName "COMPUTER NAME" -ZoneName "ZONE.NAME" -Path "\\SHARED\FOLDER\PATH" -PassThru -DigestType "Sha256"
e.g;
Export-DnsServerDnsSecPublicKey -ComputerName "NS1" -ZoneName "imjon.me.uk" -Path "\\NS1\DNS" -PassThru -DigestType "Sha256"
Then just head to the shared folder location you specified and you’ll find that Windows has exported the DS records into a neat little file.