Source:
Allowing other machines to use filesharing via the DNS Alias (DisableStrictNameChecking)
This change alone will allow other machines on the network to connect to the machine using any arbitrary hostname. (However this change will not allow a machine to connect to itself via a hostname, see BackConnectionHostNames below).
-
Edit the registry key
HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServiceslanmanserverparameters
and add a valueDisableStrictNameChecking
of type DWORD set to 1. -
Edit the registry key (on 2008 R2)
HKLMSYSTEMCurrentControlSetControlPrint
and add a valueDnsOnWire
of type DWORD set to 1
Allowing server machine to use filesharing with itself via the DNS Alias (BackConnectionHostNames)
This change is necessary for a DNS alias to work with filesharing from a machine to find itself. This creates the Local Security Authority host names that can be referenced in an NTLM authentication request.
To do this, follow these steps for all the nodes on the client computer:
- To the registry subkey
HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlLsaMSV1_0
, add new Multi-String ValueBackConnectionHostNames
- In the Value data box, type the CNAME or the DNS alias, that is used for the local shares on the computer, and then click OK.
- Note: Type each host name on a separate line.
Providing browse capabilities for multiple NetBIOS names (OptionalNames)
Allows ability to see the network alias in the network browse list.
- Edit the registry key
HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServiceslanmanserverparameters
and add a valueOptionalNames
of type Multi-String - Add in a newline delimited list of names that should be registered under the NetBIOS browse entries
- Names should match NetBIOS conventions (i.e. not FQDN, just hostname)
Register the Kerberos service principal names (SPNs) for other Windows functions like Printing (setspn)
NOTE: Should not need to do this for basic functions to work, documented here for completeness. We had one situation in which the DNS alias was not working because there was an old SPN record interfering, so if other steps aren't working check if there are any stray SPN records.
You must register the Kerberos service principal names (SPNs), the host name, and the fully-qualified domain name (FQDN) for all the new DNS alias (CNAME) records. If you do not do this, a Kerberos ticket request for a DNS alias (CNAME) record may fail and return the error code KDC_ERR_S_SPRINCIPAL_UNKNOWN
.
To view the Kerberos SPNs for the new DNS alias records, use the Setspn command-line tool (setspn.exe
). The Setspn tool is included in Windows Server 2003 Support Tools. You can install Windows Server 2003 Support Tools from the SupportTools folder of the Windows Server 2003 startup disk.
How to use the tool to list all records for a computername:
setspn -L computername
To register the SPN for the DNS alias (CNAME) records, use the Setspn tool with the following syntax:
setspn -A host/your_ALIAS_name computername
setspn -A host/your_ALIAS_name.company.com computername
Source:
P.S. For Windows 2012, one more step:
1. Go to HKEY_LOCAL_MACHINE / SYSTEM / CurrentControlSet / Control / Lsa
2. Create REG_DWORD with name DisableLoopbackCheck and value 1
Source: