-1

What could be the possible problems with accessing Windows file server shares using a DNS CNAME instead of the actual computer name? The file server is joined to an Active Directory domain, but is not a Domain Controller.

E.g. let's assume there is a file server with computer name SERVER1 joined to Active Directory domain branch.company.com. And there is a DNS CNAME record files.company.com that points to server1.branch.company.com. What could be the potential problems when connecting to \\files.company.com\sharename ?

Things currently known to me (but not yet verified):

  1. Need to add the alias name to HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\SrvAllowedServerNames REG_MULTI_SZ registry value, if the "Microsoft network server: Server SPN target name validation level" Group Policy setting is not Off (HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\SmbServerNameHardeningLevel registry value if not 0).
  2. Need to add the alias name to HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\BackConnectionHostNames REG_MULTI_SZ registry value (for the connections to the alias name from the server itself to work).
  3. SPN might need to be added in Active Directory using a command like setspn -A host/files.company.com SERVER1 (I am not sure whether/when this is needed and whether authentication will be downgraded from Kerberos to NTLM without this).
DavisNT
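A read-only check of the three settings listed in the question, as an added example that is not part of the original post. It assumes the alias and computer names from the question, that it is run in PowerShell on the file server itself, and that setspn.exe is available there; it only reports current values and changes nothing.

```powershell
# Added example: read-only audit of the settings named in the question.
# $Alias and $Computer default to the names used in the question (assumptions).
param(
    [string]$Alias    = 'files.company.com',
    [string]$Computer = 'SERVER1'
)

$srvKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

function Get-RegValue([string]$Path, [string]$Name) {
    # Emits nothing (so the caller sees $null / an empty list) when the
    # key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

# Item 1: SPN target name validation level and the allowed alias list.
$level   = Get-RegValue $srvKey 'SmbServerNameHardeningLevel'
$allowed = @(Get-RegValue $srvKey 'SrvAllowedServerNames')

# Item 2: names accepted for connections from the server to itself.
$backConn = @(Get-RegValue $lsaKey 'BackConnectionHostNames')

# Item 3: is host/<alias> among the SPNs registered on the computer account?
# setspn -L lists one SPN per indented line; match the whole line exactly.
$spn      = "host/$Alias"
$pattern  = '^\s*' + [regex]::Escape($spn) + '\s*$'
$spnLines = @(& setspn.exe -L $Computer 2>&1 | ForEach-Object { "$_" })
$spnFound = @($spnLines -match $pattern).Count -gt 0

[pscustomobject]@{
    Alias                       = $Alias
    SmbServerNameHardeningLevel = $level      # $null means the value is not set
    InSrvAllowedServerNames     = ($allowed -contains $Alias)
    InBackConnectionHostNames   = ($backConn -contains $Alias)
    HostSpnOnComputerAccount    = $spnFound
}
```

A `False` in the output only shows that the alias is absent from that setting; whether the setting is required in a given environment is the open question the post asks.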

1 Answer

0

Well, one possible problem may be multiple DNS servers in your environment, and that the current client will get the DNS information from the correct server.
[Image: Windows client settings]

Carsten.R