Errors and symptoms

Strict name checking affects every server platform since Windows Server 2000. You may receive a few different error messages that can help you determine if strict name checking is actually causing your issues. The first and most obvious problem will be that you can’t connect to the CNAME alias for things such as file services. You will be able to ping and even RDP into the machine; after all, you only need the IP address to perform these functions. Other error messages may include:
- Access Denied
- System error 52 has occurred. A duplicate name exists on the network.
- No network provider accepted the given network path.
How to disable strict name checking

The process of disabling strict name checking and allowing the server to respond using a different name is fairly straightforward. However, to get things working 100 percent, several steps must be performed.

Add the CNAME record to your DNS server

First, you will need to create a CNAME record for the alias you would like the server to respond to. For example, if the new server name is SRVFILES02 and you want the server to also respond using the old computer name FILESERVER, you will need to create a CNAME record that points FILESERVER to SRVFILES02.

Enable Local security authority for NTLM authentication requests

The next step is to add the host names so the server can respond to NTLM authentication requests for them. To accomplish this, do the following:
- Navigate to HKLM\SYSTEM\CurrentControlSet\Control\Lsa.
- Under Lsa, add New->DWORD.
- Name the new entry “DisableLoopbackCheck” and set the value to 1.
- Go to HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0.
- Right-click MSV1_0 and select New->Multi-String Value.
- Type “BackConnectionHostNames” as the name and press Enter.
- Right-click the newly created entry and select Modify.
- Add the alias and FQDN to the entry, one per line, and click OK.
- Open a command prompt with administrative privileges.
- Type “setspn -A host/<old_server_name> <new_server_name>” and press Enter.
- Navigate to HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters.
- Right-click Parameters and select New->Multi-String Value.
- Name the new entry “OptionalNames.”
- Add only the alias name, not the FQDN, to the new entry and click OK.
- In your registry editor, go to HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters.
- Right-click and add the DWORD entry “DisableStrictNameChecking” and set the value to 1.
- Right-click again and add the DWORD entry “DnsOnWire” with a value of 1.
- Restart the server.
Automated PowerShell script

To quickly accomplish this task, I have put together a small PowerShell script that will perform all of the actions above. Change the “<old_host_name>” parameter to the alias name you would like to use, and then just copy and paste it into a PowerShell prompt running with admin privileges.
```powershell
# Alias (short name) and its FQDN; replace <old_host_name> before running
$altNames = @("<old_host_name>","<old_host_name>.domain.local")
$hostName = hostname

# Allow NTLM loopback authentication for the alias names
New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name DisableLoopbackCheck -PropertyType DWord -Value 1
New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0 -Name BackConnectionHostNames -PropertyType MultiString -Value $altNames

# Let the Server service answer to the alias (short name only, as in the manual steps)
New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters -Name OptionalNames -PropertyType MultiString -Value @($altNames[0])
New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters -Name DisableStrictNameChecking -PropertyType DWord -Value 1
New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters -Name DnsOnWire -PropertyType DWord -Value 1

# Register one SPN per name; "host/$altNames" would expand the whole array into one argument
foreach ($name in $altNames) { setspn -A host/$name $hostName }
```

After a reboot, your new server will respond as the server it replaced.
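A read-only check to run after the reboot, added here as an example and not part of the original article's script: it reports which of the values from the steps above are missing or differ. `$alias`, `$fqdn` and the helper `Get-RegValue` are assumptions for illustration. It also reports DisableLoopbackCheck, because that value switches the loopback check off for every name, whereas BackConnectionHostNames exempts only the names it lists.

```powershell
# Added example: read-only audit of the settings this page configures.
# $alias and $fqdn are placeholders (assumptions); substitute your own names.
$alias = '<old_host_name>'
$fqdn  = '<old_host_name>.domain.local'

$lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv    = "$lsa\MSV1_0"
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Emit nothing (instead of throwing) when the key or value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

$strict    = Get-RegValue $lanman 'DisableStrictNameChecking'
$loopback  = Get-RegValue $lsa 'DisableLoopbackCheck'
$backNames = @(Get-RegValue $msv 'BackConnectionHostNames')
$optNames  = @(Get-RegValue $lanman 'OptionalNames')
$findings  = @()

if (1 -ne $strict) {
    $findings += 'DisableStrictNameChecking is not 1.'
}
if ($optNames -notcontains $alias) {
    $findings += "OptionalNames does not list $alias."
}
if ($optNames -contains $fqdn) {
    $findings += 'OptionalNames lists the FQDN; the steps call for the alias only.'
}
foreach ($name in $alias, $fqdn) {
    if ($backNames -notcontains $name) {
        $findings += "BackConnectionHostNames does not list $name."
    }
}
if (1 -eq $loopback) {
    $findings += 'DisableLoopbackCheck is 1: loopback check is off for all names.'
}

# setspn -L lists the SPNs registered on this computer account.
$spns = (setspn -L $env:COMPUTERNAME 2>&1) -join "`n"
if ($spns -notmatch [regex]::Escape("host/$alias")) {
    $findings += "SPN host/$alias is not registered on $env:COMPUTERNAME."
}

if ($findings) { $findings } else { 'All alias settings match the steps above.' }
```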