
What process is necessary to configure a Windows environment to allow me to use DNS CNAME to reference servers?

I want to do this so that I can name my servers something like SRV001, but still have \\file point to that server, so when SRV002 replaces it I don't have to update any of the links people have, just update the DNS CNAME and everyone will get pointed to the new server.

Peter Mortensen
Michael Ferrante
  • For the record, we use Windows filesharing with DNS aliases against both 2003 and 2008 servers daily in my organization without needing to have made any of these changes. It just works. – Ryan Bolger Jun 11 '09 at 22:57
  • It should also be noted that the text in KB926642 warns that, "The security is reduced when you disable the authentication loopback check, and you open the Windows Server 2003 server for man-in-the-middle (MITM) attacks on NTLM." – Ryan Bolger Jun 11 '09 at 23:30
  • Thank you Michael. This answered my "How do I enable Windows XP's Windows Explorer to accept CNAME aliases in the address bar?" question posted here (http://serverfault.com/questions/238851/how-do-i-enable-windows-xps-windows-explorer-to-accept-cname-aliases-in-the-addr). – Jason Pearce Feb 22 '11 at 21:27
  • Thank you very much!!! This worked on a Server 2008 R2 with XP Pro clients trying to connect to the file share. I had a 10 year old HP server (Server 2000) die on me so I built a VM server, restored the files to it, and recreated the shares. XP Pro clients could not connect with various errors, but I applied the above regedit, rebooted, and it all works, thanks again. –  Jul 27 '11 at 22:02
  • We use this technique as documented in [warm standby](http://serverfault.com/questions/8714/warm-standby-with-windows-server-2003). You did a much better job documenting it than I did. I didn't know about the backConnection option. And we reduce our attack space by not using NetBIOS. We're not using the SPN either. Thanks! – Knox Jun 11 '09 at 02:37

2 Answers

To facilitate failover schemes, a common technique is to use DNS CNAME records (DNS Aliases) for different machine roles. Then instead of changing the Windows computername of the actual machine name, one can switch a DNS record to point to a new host.

This can work on Microsoft Windows machines, but to make it work with file sharing the following configuration steps need to be taken.

Outline

  1. The Problem
  2. The Solution
    • Allowing other machines to use filesharing via the DNS Alias (DisableStrictNameChecking)
    • Allowing server machine to use filesharing with itself via the DNS Alias (BackConnectionHostNames)
    • Providing browse capabilities for multiple NetBIOS names (OptionalNames)
    • Register the Kerberos service principal names (SPNs) for other Windows functions like Printing (setspn)
  3. References

1. The Problem

On Windows machines, file sharing can work via the computer name, with or without full qualification, or by the IP Address. By default, however, filesharing will not work with arbitrary DNS aliases. To enable filesharing and other Windows services to work with DNS aliases, you must make registry changes as detailed below and reboot the machine.

2. The Solution

Allowing other machines to use filesharing via the DNS Alias (DisableStrictNameChecking)

This change alone will allow other machines on the network to connect to the machine using any arbitrary hostname. (However, this change will not allow a machine to connect to itself via a hostname; see BackConnectionHostNames below.)

  • Edit the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters and add a value DisableStrictNameChecking of type DWORD set to 1.

  • Edit the registry key (on 2008 R2) HKLM\SYSTEM\CurrentControlSet\Control\Print and add a value DnsOnWire of type DWORD set to 1

Allowing server machine to use filesharing with itself via the DNS Alias (BackConnectionHostNames)

This change is necessary for a DNS alias to work with filesharing when a machine connects to itself. It creates the Local Security Authority host names that can be referenced in an NTLM authentication request.

To do this, follow these steps for all the nodes on the client computer:

  1. To the registry subkey HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0, add new Multi-String Value BackConnectionHostNames
  2. In the Value data box, type the CNAME or the DNS alias, that is used for the local shares on the computer, and then click OK.
    • Note: Type each host name on a separate line.

Providing browse capabilities for multiple NetBIOS names (OptionalNames)

Allows the network alias to be seen in the network browse list.

  1. Edit the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters and add a value OptionalNames of type Multi-String.
  2. Add a newline-delimited list of names that should be registered under the NetBIOS browse entries.
    • Names should match NetBIOS conventions (i.e. not the FQDN, just the hostname).

Register the Kerberos service principal names (SPNs) for other Windows functions like Printing (setspn)

NOTE: You should not need to do this for basic functions to work; it is documented here for completeness. We had one situation in which the DNS alias was not working because an old SPN record was interfering, so if the other steps aren't working, check whether there are any stray SPN records.

You must register the Kerberos service principal names (SPNs), the host name, and the fully-qualified domain name (FQDN) for all the new DNS alias (CNAME) records. If you do not do this, a Kerberos ticket request for a DNS alias (CNAME) record may fail and return the error code KDC_ERR_S_SPRINCIPAL_UNKNOWN.

To view the Kerberos SPNs for the new DNS alias records, use the Setspn command-line tool (setspn.exe). The Setspn tool is included in Windows Server 2003 Support Tools. You can install Windows Server 2003 Support Tools from the Support\Tools folder of the Windows Server 2003 startup disk.

How to use the tool to list all records for a computername:

setspn -L computername

To register the SPN for the DNS alias (CNAME) records, use the Setspn tool with the following syntax:

setspn -A host/your_ALIAS_name computername
setspn -A host/your_ALIAS_name.company.com computername

3. References

All the Microsoft references work via: http://support.microsoft.com/kb/

  1. Connecting to SMB share on a Windows 2000-based computer or a Windows Server 2003-based computer may not work with an alias name
    • Covers the basics of making file sharing work properly with DNS alias records from other computers to the server computer.
    • KB281308
  2. Error message when you try to access a server locally by using its FQDN or its CNAME alias after you install Windows Server 2003 Service Pack 1: "Access denied" or "No network provider accepted the given network path"
    • Covers how to make the DNS alias work with file sharing from the file server itself.
    • KB926642
  3. How to consolidate print servers by using DNS alias (CNAME) records in Windows Server 2003 and in Windows 2000 Server
    • Covers more complex scenarios in which records in Active Directory may need to be updated for certain services to work properly and for browsing for such services to work properly, how to register the Kerberos service principal names (SPNs).
    • KB870911
  4. Distributed File System update to support consolidation roots in Windows Server 2003
    • Covers even more complex scenarios with DFS (discusses OptionalNames).
    • KB829885
Joel Coel
Michael Ferrante
  • Another item for printing to work under Windows Server 2008R2/Win7 is documented at http://support.microsoft.com/kb/979602. You need to disable a DNS optimization they added to support printing to an aliased machine by adding a DWORD value named "DnsOnWire" to HKLM\SYSTEM\CurrentControlSet\Control\Print and set it to 1. Then restart the Print Spooler service. – nitzmahone Jun 01 '12 at 17:40
  • Source for my edit: http://serverfault.com/q/396598/2869 – Joel Coel Jun 07 '12 at 19:44
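As an added worked example (not part of the original answer), the following PowerShell script applies the registry changes the answer walks through for one alias and then audits the result; the alias name, FQDN and the PrintServer/RegisterSpn switches are placeholders and assumptions, and the machine still needs the reboot the answer calls for.

```powershell
# Added example, not the original answer's code. Run elevated on the file server.
param(
    [string]$Alias = 'file',                 # constructed placeholder alias
    [string]$Fqdn  = 'file.example.com',     # constructed placeholder FQDN
    [switch]$PrintServer,                    # also set DnsOnWire (2008 R2 print spooler)
    [switch]$RegisterSpn                     # also register host/ SPNs (normally unnecessary)
)

$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters'
$msv1   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$print  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print'
$lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Step 1: let other machines reach the share by any hostname (DisableStrictNameChecking).
New-ItemProperty -Path $lanman -Name DisableStrictNameChecking -PropertyType DWord -Value 1 -Force | Out-Null

# Step 2: let the server reach its own share via the alias (BackConnectionHostNames).
# Multi-string, one name per entry; merge with names already present instead of overwriting.
$existing = (Get-ItemProperty -Path $msv1 -Name BackConnectionHostNames -ErrorAction SilentlyContinue).BackConnectionHostNames
[string[]]$names = @($existing) + @($Alias, $Fqdn) | Where-Object { $_ } | Select-Object -Unique
New-ItemProperty -Path $msv1 -Name BackConnectionHostNames -PropertyType MultiString -Value $names -Force | Out-Null

# Step 3: show the alias in the browse list (OptionalNames wants NetBIOS-style short names, no FQDN).
New-ItemProperty -Path $lanman -Name OptionalNames -PropertyType MultiString -Value @($Alias) -Force | Out-Null

# Optional: print spooler on 2008 R2 (DnsOnWire, per the KB979602 comment).
if ($PrintServer) {
    New-ItemProperty -Path $print -Name DnsOnWire -PropertyType DWord -Value 1 -Force | Out-Null
}

# Optional: Kerberos SPNs for the alias (the answer notes this is rarely needed).
if ($RegisterSpn) {
    & setspn -A "host/$Alias" $env:COMPUTERNAME
    & setspn -A "host/$Fqdn"  $env:COMPUTERNAME
}

# Audit: BackConnectionHostNames is the scoped fix for self-connection. Disabling the
# loopback check entirely also works but, as KB926642 warns, weakens NTLM against MITM.
$loop = (Get-ItemProperty -Path $lsa -Name DisableLoopbackCheck -ErrorAction SilentlyContinue).DisableLoopbackCheck
if ($loop -eq 1) {
    Write-Warning 'DisableLoopbackCheck=1 is set; prefer BackConnectionHostNames and remove it.'
}

# Print the resulting values and existing SPNs for review (setspn needs a domain-joined host).
Get-ItemProperty -Path $lanman -Name DisableStrictNameChecking, OptionalNames
Get-ItemProperty -Path $msv1 -Name BackConnectionHostNames
& setspn -L $env:COMPUTERNAME
```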

The other way to do Windows file-sharing with redundancy is to use Distributed File System with Replication (DFS-R). You will need at least Windows Server 2003 R2 on your file servers in order to implement this.

You set up your DFS root, and then can specify multiple servers providing a single share. If one of the servers goes down, the clients using it will automatically fail over to one of the others.

For more information see Microsoft's overview of DFS.

Peter Mortensen
Joe