
Thread: How to Configure Windows Machine to Allow File Sharing with DNS Alias

  1. #1
    Michael Guest

    How to Configure Windows Machine to Allow File Sharing with DNS Alias

    I haven't seen one article that brings together all the settings one
    would need to do to make this work properly on Windows, so I thought I
    would post it here.

    To facilitate failover schemes, a common technique is to use DNS CNAME
    records (DNS Aliases) for different machine roles. Then instead of
    changing the Windows computername of the actual machine name, one can
    switch a DNS record to point to a new host.

    This can work on Microsoft Windows machines, but to make it work with
    file sharing the following configuration steps need to be taken.

    == Outline ==

    1. The Problem
    2. The Solution
    * Allowing other machines to use filesharing via the DNS Alias (DisableStrictNameChecking)
    * Allowing server machine to use filesharing with itself via the DNS Alias (BackConnectionHostNames)
    * Providing browse capabilities for multiple NetBIOS names (OptionalNames)
    * Register the Kerberos service principal names (SPNs) for other Windows functions like Printing (setspn)
    3. References

    == The Problem ==

    On Windows machines, file sharing can work via the computer name, with
    or without full qualification, or by the IP Address. By default,
    however, filesharing will not work with arbitrary DNS aliases. To
    enable filesharing and other Windows services to work with DNS
    aliases, you must make registry changes as detailed below and reboot
    the machine.

    == The Solution ==


    === Allowing other machines to use filesharing via the DNS Alias
    (DisableStrictNameChecking) ===

    This change alone will allow other machines on the network to connect
    to the machine using any arbitrary hostname. (However this change will
    not allow a machine to connect to itself via a hostname, see
    BackConnectionHostNames below).

    * Edit the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
    and add a value DisableStrictNameChecking of type DWORD set to 1.


    === Allowing server machine to use filesharing with itself via the DNS
    Alias (BackConnectionHostNames) ===

    This change is necessary for a DNS alias to work with filesharing from
    a machine to find itself. This creates the Local Security Authority
    host names that can be referenced in an NTLM authentication request.

    To do this, follow these steps for all the nodes on the client
    computer:

    1. To the registry subkey HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0,
    add a new Multi-String Value BackConnectionHostNames
    2. In the Value data box, type the CNAME or the DNS alias that is
    used for the local shares on the computer, and then click OK.
    * Note: Type each host name on a separate line.

    === Providing browse capabilities for multiple NetBIOS names
    (OptionalNames) ===

    Allows the network alias to be seen in the network browse list.

    1. Edit the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
    and add a value OptionalNames of type Multi-String
    2. Add a newline-delimited list of names that should be
    registered under the NetBIOS browse entries
    * Names should match NetBIOS conventions (i.e. not FQDN,
    just hostname)

    === Register the Kerberos service principal names (SPNs) for other
    Windows functions like Printing (setspn) ===

    NOTE: Should not need to do this for basic functions to work,
    documented here for completeness. We had one situation in which the
    DNS alias was not working because there was an old SPN record
    interfering, so if other steps aren't working check if there are any
    stray SPN records.

    You must register the Kerberos service principal names (SPNs), the
    host name, and the fully-qualified domain name (FQDN) for all the new
    DNS alias (CNAME) records. If you do not do this, a Kerberos ticket
    request for a DNS alias (CNAME) record may fail and return the error
    code KDC_ERR_S_PRINCIPAL_UNKNOWN.

    To view the Kerberos SPNs for the new DNS alias records, use the
    Setspn command-line tool (setspn.exe). The Setspn tool is included in
    Windows Server 2003 Support Tools. You can install Windows Server 2003
    Support Tools from the Support\Tools folder of the Windows Server 2003
    startup disk.

    How to use the tool to list all records for a computername:

    setspn -L computername

    To register the SPN for the DNS alias (CNAME) records, use the Setspn
    tool with the following syntax:

    setspn -A host/your_ALIAS_name computername
    setspn -A host/your_ALIAS_name.company.com computername

    === References ===

    All the Microsoft references work via:

    1. Connecting to SMB share on a Windows 2000-based computer or a
    Windows Server 2003-based computer may not work with an alias name
    * Covers the basics of making file sharing work properly
    with DNS alias records from other computers to the server computer.
    * http://support.microsoft.com/kb/281308
    2. Error message when you try to access a server locally by using
    its FQDN or its CNAME alias after you install Windows Server 2003
    Service Pack 1: "Access denied" or "No network provider accepted the
    given network path"
    * Covers how to make the DNS alias work with file sharing
    from the file server itself.
    * http://support.microsoft.com/kb/926642
    3. How to consolidate print servers by using DNS alias (CNAME)
    records in Windows Server 2003 and in Windows 2000 Server
    * Covers more complex scenarios in which records in Active
    Directory may need to be updated for certain services to work properly
    and for browsing for such services to work properly, how to register
    the Kerberos service principal names (SPNs).
    * http://support.microsoft.com/kb/870911
    4. Distributed File System update to support consolidation roots in
    Windows Server 2003
    * Covers even more complex scenarios with DFS (discusses
    OptionalNames).
    * http://support.microsoft.com/kb/829885
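The following PowerShell script is an added example, not part of the original post or of any Microsoft KB article; it applies the three registry changes described in the post in one pass, verifies them, and (optionally) registers the host SPNs with setspn. The alias name `fileshare-alias`, the domain `example.com`, and the `$RegisterSpn` switch are placeholders/assumptions. It must run in an elevated (Administrator) session, and the machine still needs a reboot afterwards for the lanmanserver and LSA settings to take effect.

```powershell
# Added example (not from the original post). Applies DisableStrictNameChecking,
# BackConnectionHostNames and OptionalNames for a DNS alias, then verifies them.
# Placeholders: $Alias and $AliasFqdn. Run elevated; reboot when done.
param(
    [string]$Alias       = 'fileshare-alias',                 # placeholder CNAME
    [string]$AliasFqdn   = 'fileshare-alias.example.com',     # placeholder FQDN
    [switch]$RegisterSpn                                      # only if Kerberos services use the alias
)

$LanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters'
$Msv1_0       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

# 1. DisableStrictNameChecking (DWORD = 1): lets other hosts reach shares via the alias.
New-ItemProperty -Path $LanmanParams -Name DisableStrictNameChecking `
    -PropertyType DWord -Value 1 -Force | Out-Null

# 2. BackConnectionHostNames (Multi-String): lets the server reach its own shares via the alias.
#    Merge with any names already present instead of overwriting an existing list.
$existing = (Get-ItemProperty -Path $Msv1_0 -Name BackConnectionHostNames `
    -ErrorAction SilentlyContinue).BackConnectionHostNames
$backConn = @($existing) + @($Alias, $AliasFqdn) |
    Where-Object { $_ } | Select-Object -Unique
New-ItemProperty -Path $Msv1_0 -Name BackConnectionHostNames `
    -PropertyType MultiString -Value ([string[]]$backConn) -Force | Out-Null

# 3. OptionalNames (Multi-String): NetBIOS-style name only (no FQDN, max 15 characters).
$netbiosName = $Alias.Substring(0, [Math]::Min(15, $Alias.Length)).ToUpper()
$existingOpt = (Get-ItemProperty -Path $LanmanParams -Name OptionalNames `
    -ErrorAction SilentlyContinue).OptionalNames
$optional = @($existingOpt) + @($netbiosName) | Where-Object { $_ } | Select-Object -Unique
New-ItemProperty -Path $LanmanParams -Name OptionalNames `
    -PropertyType MultiString -Value ([string[]]$optional) -Force | Out-Null

# Verify what was written.
Get-ItemProperty -Path $LanmanParams -Name DisableStrictNameChecking, OptionalNames |
    Format-List DisableStrictNameChecking, OptionalNames
Get-ItemProperty -Path $Msv1_0 -Name BackConnectionHostNames |
    Format-List BackConnectionHostNames

# Sanity check that the alias actually resolves to this host (CNAME -> this computer's A record).
Resolve-DnsName -Name $AliasFqdn -ErrorAction SilentlyContinue |
    Select-Object Name, Type, NameHost, IPAddress

# 4. Optional: Kerberos SPNs for the alias, as in the post's setspn section.
#    List first so a stale SPN on another account is noticed before adding a duplicate.
if ($RegisterSpn) {
    setspn -L $env:COMPUTERNAME
    setspn -A "host/$Alias"     $env:COMPUTERNAME
    setspn -A "host/$AliasFqdn" $env:COMPUTERNAME
}

Write-Host "Registry updated. Reboot the machine for the changes to take effect."
```

Two points on the design: the script merges into `BackConnectionHostNames` and `OptionalNames` rather than replacing them, because an existing multi-string list (for example a second alias added earlier) would otherwise silently disappear; and `Resolve-DnsName` is an assumption on newer Windows versions (it did not exist on the Server 2003 systems the post targets, where `nslookup` serves the same purpose). The SPN registration is gated behind a switch because, as the post notes, it is only needed when Kerberos-authenticated services use the alias, and a duplicate SPN across accounts breaks Kerberos for both.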

  2. #2
    Ace Fekay [Microsoft Certified Trainer] Guest

    Re: How to Configure Windows Machine to Allow File Sharing with DNS Alias

    You sure did your homework on this! Yep, by default, simply using an Alias
    doesn't work as advertised, but you took the time to research it and put
    this great post together. Once in awhile, someone posts a question about
    this, so this is good to help them out.

    If ok with you, I'm going to add this to my collection when the question
    comes up again. If you would like me to give credit, I can add your full
    name, if you like, so when I post, the author is credited.
