Unfortunately, this security enhancement can cause issues when replacing servers during an upgrade or a disaster recovery situation. For one, it can cause old shortcuts to break and SQL server instances to become unresponsive. It’s not enough to just create a CNAME on your DNS server. You must disable strict name checking to allow the server to respond using a different name.
Errors and symptoms ^
Strict name checking affects every server platform since Windows Server 2000. You may receive a few different error messages that can help you determine if strict name checking is actually causing your issues.
The first and most obvious problem will be that you can’t connect to the CNAME alias for things such as file services. You will be able to ping and even RDP into the machine; after all, you only need the IP address to perform these functions.
Other error messages may include:
- Access Denied
- System error 52 has occurred. A duplicate name exists on the network.
- No network provider accepted the given network path.
How to disable strict name checking ^
The process of disabling strict name checking and allowing the server to respond using a different name is fairly straightforward. However, to get things working 100 percent, several steps must be performed.
Add the CNAME record to your DNS server
First, you will need to create a CNAME record with the alias of the server you would like to respond to the name. For example, if the new server name is SRVFILES02 and you want the server to also respond using the old computer name FILESERVER, you will need to create a CNAME record that points FILESERVER to SRVFILES02.
Enable Local security authority for NTLM authentication requests
The next step we need to take is to add the host names so they can respond to NTLM authentication requests. To accomplish this, do the following:
- Navigate to HKLM\SYSTEM\CurrentControlSet\Control\Lsa.
- Under Lsa, add New->DWORD.
- Name the new entry “DisableLoopbackCheck” and set the value to 1.
- Go to HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0.
- Right-click MSV1_0 and select New->Multi-String Value.
- Type “BackConnectionHostNames” as the name and press Enter.
- Right-click the newly created entry and select Modify.
- Add the alias and FQDN to the entry, one per line, and click OK.
Add the alias and FQDN, one per line, in BackConnectionHostNames.
Note: If the registry key already exists, delete it and re-create it as outlined above.
Add the SPN records for Kerberos authentication
Just as we allowed NTLM authentication for the new alias, we will also need to add the SPN records. Do the following:
- Open a command prompt with administrative privileges.
- Type “setspn -A host/<old_server_name> <new_server_name>” and press Enter.
setspn -A command
Provide browsing capabilities for multiple NetBIOS names
Now, we must add another registry entry to allow NetBIOS browsing of the alias name, as follows:
- Navigate to HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters.
- Right-click Parameters and select New->Multi-String Value.
- Name the new entry “OptionalNames.”
- Add only the alias name, not the FQDN, to the new entry and click OK.
OptionalNames registry dialog box
Disable strict name checking
Finally, we will move on to the last step and the most important piece of this puzzle: disabling strict name checking. Do the following:
- In your registry editor, go to HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters.
- Right-click and add the DWORD entry “DisableStrictNameChecking” and set the value to 1.
- Right-click again and add the DWORD entry “DnsOnWire” with a value of 1.
- Restart the server.
DisableStrictNameChecking and DnsOnWire registry entries
Automated PowerShell script ^
To quickly accomplish this task, I have put together a small PowerShell script that will perform all of the actions above. Change the “<old_host_name>” parameter to the alias name you would like to use, and then just copy and paste it into a PowerShell prompt running with admin privileges.
$altNames = @("<old_host_name>","<old_host_name>.domain.local") $hostName = hostname New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name DisableLoopbackCheck -PropertyType DWord -Value 1 New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0 -Name BackConnectionHostNames -PropertyType MultiString -Value $altNames New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters -Name OptionalNames -PropertyType MultiString -Value $altNames New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters -Name DisableStrictNameChecking -PropertyType DWord -Value 1 New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters -Name DnsOnWire -PropertyType DWord -Value 1 setspn -A host/$altNames $hostname
After a reboot, your new server will respond as the server it replaced.
Being able to have a new server respond using the name of the old one it replaced is invaluable in today’s ever-changing landscape. Doing so affords us, as administrators, more time to update shortcuts and services and slows the onslaught of user issues resulting from the upgrade. Armed with this information and the short script, you can easily replace your old servers without the headaches that come with changing server names.