Disable strict name checking with PowerShell

Strict name checking is a security measure implemented by Microsoft to only allow a server to respond to its proper computer name. In this post, you will learn how you can disable strict name checking and how you can automate the task with PowerShell.
By Andrew Jacops

Unfortunately, this security enhancement can cause issues when replacing servers during an upgrade or in a disaster recovery situation. For one, it can cause old shortcuts to break and SQL Server instances to become unresponsive. It’s not enough to just create a CNAME on your DNS server. You must disable strict name checking to allow the server to respond using a different name.

Errors and symptoms

Strict name checking affects every server platform since Windows Server 2000. You may receive a few different error messages that can help you determine if strict name checking is actually causing your issues.

The first and most obvious problem will be that you can’t connect to the CNAME alias for things such as file services. You will be able to ping and even RDP into the machine; after all, you only need the IP address to perform these functions.

Other error messages may include:

  • Access Denied
  • System error 52 has occurred. A duplicate name exists on the network.
  • No network provider accepted the given network path.

How to disable strict name checking

The process of disabling strict name checking and allowing the server to respond using a different name is fairly straightforward. However, to get things working 100 percent, several steps must be performed.

Add the CNAME record to your DNS server

First, you will need to create a CNAME record for the alias that points to the server you want to respond to that name. For example, if the new server name is SRVFILES02 and you want the server to also respond using the old computer name FILESERVER, you will need to create a CNAME record that points FILESERVER to SRVFILES02.

Enable the Local Security Authority for NTLM authentication requests

The next step we need to take is to add the host names so they can respond to NTLM authentication requests. To accomplish this, do the following:

  1. Navigate to HKLM\SYSTEM\CurrentControlSet\Control\Lsa.
  2. Under Lsa, add New->DWORD.
  3. Name the new entry “DisableLoopbackCheck” and set the value to 1.
  4. Go to HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0.
  5. Right-click MSV1_0 and select New->Multi-String Value.
  6. Type “BackConnectionHostNames” as the name and press Enter.
  7. Right-click the newly created entry and select Modify.
  8. Add the alias and FQDN to the entry, one per line, and click OK.

Add the alias and FQDN, one per line, in BackConnectionHostNames

Note: If the registry key already exists, delete it and re-create it as outlined above.

Add the SPN records for Kerberos authentication

Just as we allowed NTLM authentication for the new alias, we will also need to add the SPN records. Do the following:

  1. Open a command prompt with administrative privileges.
  2. Type “setspn -A host/<old_server_name> <new_server_name>” and press Enter.

setspn -A command

Provide browsing capabilities for multiple NetBIOS names

Now, we must add another registry entry to allow NetBIOS browsing of the alias name, as follows:

  1. Navigate to HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters.
  2. Right-click Parameters and select New->Multi-String Value.
  3. Name the new entry “OptionalNames”.
  4. Add only the alias name, not the FQDN, to the new entry and click OK.

OptionalNames registry dialog box

Disable strict name checking

Finally, we will move on to the last step and the most important piece of this puzzle: disabling strict name checking. Do the following:

  1. In your registry editor, go to HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters.
  2. Right-click and add the DWORD entry “DisableStrictNameChecking” and set the value to 1.
  3. Right-click again and add the DWORD entry “DnsOnWire” with a value of 1.
  4. Restart the server.

DisableStrictNameChecking and DnsOnWire registry entries

Automated PowerShell script

To quickly accomplish this task, I have put together a small PowerShell script that will perform all of the actions above. Change the “<old_host_name>” parameter to the alias name you would like to use, and then just copy and paste it into a PowerShell prompt running with admin privileges.
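
As an added example, not the author's script referred to above, the following function applies the registry and SPN steps from the previous section for one alias. It goes slightly beyond the steps: it also registers the FQDN SPN, and it leaves DisableLoopbackCheck off unless the switch is given, since the comments below point out that setting it makes BackConnectionHostNames irrelevant; the function name, the `-DisableLoopbackCheck` switch and the corp.example names are assumptions.

```powershell
function Enable-ServerAlias {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Alias,       # retired NetBIOS name, e.g. FILESERVER
        [Parameter(Mandatory)] [string] $AliasFqdn,   # its FQDN, e.g. fileserver.corp.example
        [string] $NewServer = $env:COMPUTERNAME,      # server that should now answer to the alias
        [switch] $DisableLoopbackCheck                # off unless requested; see the comment below
    )

    $lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $msv    = "$lsa\MSV1_0"
    $lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters'

    # NTLM: BackConnectionHostNames is an allow-list of names accepted for loopback
    # authentication. -Force overwrites an existing value, which replaces the
    # delete-and-recreate step in the post.
    New-ItemProperty -Path $msv -Name 'BackConnectionHostNames' -PropertyType MultiString `
        -Value @($Alias, $AliasFqdn) -Force | Out-Null

    # DisableLoopbackCheck=1 switches the loopback check off for every name, and the
    # allow-list above is then ignored, so it is only written when explicitly asked for.
    if ($DisableLoopbackCheck) {
        New-ItemProperty -Path $lsa -Name 'DisableLoopbackCheck' -PropertyType DWord -Value 1 -Force | Out-Null
    }

    # Kerberos: register HOST SPNs for the alias (short name and FQDN) on the new computer.
    setspn -A "host/$Alias" $NewServer
    setspn -A "host/$AliasFqdn" $NewServer

    # SMB server: answer to the alias as an extra NetBIOS name and stop strict name checking.
    New-ItemProperty -Path $lanman -Name 'OptionalNames' -PropertyType MultiString -Value @($Alias) -Force | Out-Null
    New-ItemProperty -Path $lanman -Name 'DisableStrictNameChecking' -PropertyType DWord -Value 1 -Force | Out-Null
    # The post places DnsOnWire here; KB 979602, quoted in the comments, writes it under
    # HKLM:\SYSTEM\CurrentControlSet\Control\Print for print servers.
    New-ItemProperty -Path $lanman -Name 'DnsOnWire' -PropertyType DWord -Value 1 -Force | Out-Null

    Write-Warning "Changes written for alias '$Alias'. Restart $NewServer before testing \\$Alias."
}

# Constructed example values: FILESERVER was retired, SRVFILES02 replaces it.
Enable-ServerAlias -Alias 'FILESERVER' -AliasFqdn 'fileserver.corp.example' -NewServer 'SRVFILES02'
```

Run it from an elevated PowerShell prompt on the new server; the registry changes only take effect after the restart.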

After a reboot, your new server will respond as the server it replaced.

Summary

Being able to have a new server respond using the name of the old one it replaced is invaluable in today’s ever-changing landscape. Doing so affords us, as administrators, more time to update shortcuts and services and slows the onslaught of user issues resulting from the upgrade. Armed with this information and the short script, you can easily replace your old servers without the headaches that come with changing server names.

8 Comments
  1. Kenny 6 years ago

    I suppose that this approach can also be used when changing a server's name when maintaining connectivity to the old name is needed?

  2. Author

    Hi Kenny,

    Yes. This will allow the server to keep responding as its old name also.

  3. Nick 6 years ago

    I think the DnsOnWire registry key is supposed to go under HKLM\SYSTEM\CurrentControlSet\Control\Print and not under Lanman\Parameters.

  4. Author

    Hi Nick. Thanks for reading and thanks for the input! However, the DnsOnWire entry needs to be in HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters with the DisableStrictNameChecking and OptionalNames entries. This is where all of the LAN Management parameters are stored.

  5. C. Smith 6 years ago

    Just wanted to say, "Thank you". Migrated an SQL server which then caused SSPI errors and this resolved the issue since the new server wasn't authenticating users correctly due to them connecting to it via the old server name.

  6. Shaun Crossley 5 years ago

    According to https://support.microsoft.com/en-us/kb/979602, Nick is correct:

    reg add HKLM\SYSTEM\CurrentControlSet\Control\Print /v DnsOnWire /t REG_DWORD /d 1

  7. James 4 years ago

    This article is wrong. You should be using BackConnectionHostNames or DisableLoopbackCheck, not both. If DisableLoopbackCheck is set to 1, BackConnectionHostNames is completely ignored and all hostnames are allowed to be used for loopback. Of the two, BackConnectionHostNames is the preferred method per Microsoft KB896861.

  8. Ryan 2 years ago

    Does the old computer account name have to be deleted from AD for this to work?

© 4sysops 2006 - 2020