IMPORTANT ANNOUNCEMENT FOR OUR READERS!
AskPFEPlat is in the process of a transformation to the new Core Infrastructure and Security TechCommunity, and will be moving by the end of March 2019 to our new home at https://aka.ms/CISTechComm (hosted at https://techcommunity.microsoft.com). Please bear with us while we are still under construction!
We will continue bringing you the same great content, from the same great contributors, on our new platform. Until then, you can access our new content on either https://aka.ms/askpfeplat as you do today, or at our new site https://aka.ms/CISTechComm. Please feel free to update your bookmarks accordingly!
Why are we doing this? Simple really; we are looking to expand our team internally in order to provide you even more great content, as well as take on a more proactive role in the future with our readers (more to come on that later)! Since our team encompasses many more roles than Premier Field Engineers these days, we felt it was also time we reflected that initial expansion.
If you have never visited the TechCommunity site, it can be found at https://techcommunity.microsoft.com. On the TechCommunity site, you will find numerous technical communities across many topics, which include discussion areas, along with blog content.
NOTE: In addition to the AskPFEPlat-to-Core Infrastructure and Security transformation, Premier Field Engineers from all technology areas will be working together to expand the TechCommunity site even further, joining together in the technology agnostic Premier Field Engineering TechCommunity (along with Core Infrastructure and Security), which can be found at https://aka.ms/PFETechComm!
As always, thank you for continuing to read the Core Infrastructure and Security (AskPFEPlat) blog, and we look forward to providing you more great content well into the future!
Hi everyone. Graeme Bray here with an article about using computer name aliases instead of DNS CNAME records. In the past, we used to set the DisableStrictNameChecking registry key so that a server could be reached through a DNS alias (such as fileserver.contoso.com). Starting with Windows Server 2008, we added functionality to create a computer alias instead.
What benefits does using computer aliases provide?
- Automatic SPN management for Kerberos authentication.
- No DNS access required.
- Automatic registration and updating of the DNS A records.
- Eliminates the need for, and the risk of, editing the “DisableStrictNameChecking” and “OptionalNames” registry keys.
What benefits does using a DNS CName provide?
- Aliases pointing to a computer name, not an IP address
Creating a computer name alias is a very simple process. Open an elevated PowerShell (or command prompt) window, enter the command below, and you’re done.
Netdom computername <COMPUTER> /add:<ALIAS>
Netdom computername IIS01 /add:webapp.surface.graemebray.com
This adds the DNS entry appropriately. To confirm, do either of the following:
- Open DNS Manager and look for your entry (sort by name or IP address).
- Query DNS for the machine and the entries you submitted via PowerShell.
This lets you access SMB shares securely through the alias. Netdom registers the DNS A record, registers the additional SPNs, and adds the OptionalNames registry key, so you are saved from modifying SPNs manually and there is no CNAME mess.
Verify ComputerName Aliases
The most important part is confirming the result once all of this work is finished. We know the DNS entry exists, but how can we confirm the computer object contains all of the appropriate aliases? Sticking with my IIS01 machine, we can run: netdom computername iis01 /enum
This will output a list of all computer names associated with this object.
Verify Service Principal Names
The most important reason to do all of this work is to have all of the Kerberos magic done for you. This can also be verified once the steps above are complete.
Run setspn -l <computer> to see the list of all SPN records that were created.
Remove Computer Alias
The ability to remove the alias is just as easy. Swap “add” for “remove”, and you’re good to go.
Netdom computername <COMPUTER> /remove:<ALIAS>
Below are some troubleshooting tips if you run into errors when trying to create a computername alias.
“The specified domain either does not exist or could not be contacted.”
Make sure you have connectivity to a domain controller. In my example, I didn’t have an IP address.
“Access is denied”
The user ID must have Write permissions to msDS-AdditionalDnsHostName on the object within Active Directory. You can see the modification attempt via the packet capture data below.
“The system cannot open the device or file specified.”
The computer name alias already belongs to another machine. Be careful with this issue: at the time of this writing, on Server 2012 R2, the computer name alias will show up on the second machine you run the command on.
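As an added example (not from the original post), the following PowerShell script performs the collision pre-check that the last troubleshooting tip calls for and then verifies the places netdom should have registered the alias: the DNS A record, the computer object’s msDS-AdditionalDnsHostName attribute, its SPNs, and the local OptionalNames value. It assumes the ActiveDirectory and DnsClient modules are available, that the OptionalNames value lives under the LanmanServer Parameters key, and that HOST/<alias> is the SPN netdom registers; IIS01 and the alias are the post’s own sample names.

```powershell
# Added example, not from the original post. Collision pre-check and
# post-registration verification for a netdom computername alias.
# Assumes: ActiveDirectory + DnsClient modules; the registry check only
# works when run on the target server itself.
Import-Module ActiveDirectory

function Test-AliasOwner {
    param([string]$Computer, [string]$Alias)
    # "The system cannot open the device or file specified": another machine
    # already owns the alias, either as its dNSHostName or as an extra alias.
    $filter = "(|(dNSHostName=$Alias)(msDS-AdditionalDnsHostName=$Alias))"
    $owners = @(Get-ADComputer -LDAPFilter $filter | Where-Object Name -ne $Computer)
    if ($owners.Count -gt 0) {
        throw "Alias $Alias is already registered on $($owners.Name -join ', ')."
    }
}

function Test-AliasRegistration {
    param([string]$Computer, [string]$Alias)
    $result = [ordered]@{}
    # 1. DNS: the alias A record resolves to an address the host also has.
    $hostIp  = @((Resolve-DnsName -Name $Computer -Type A -ErrorAction Stop).IPAddress)
    $aliasIp = @((Resolve-DnsName -Name $Alias    -Type A -ErrorAction Stop).IPAddress)
    $result.DnsARecord = @($aliasIp | Where-Object { $hostIp -contains $_ }).Count -gt 0
    # 2. AD: the alias is on the computer object (what netdom /enum lists).
    $obj = Get-ADComputer $Computer -Properties msDS-AdditionalDnsHostName, ServicePrincipalNames
    $result.AdAttribute = [bool]($obj.'msDS-AdditionalDnsHostName' -contains $Alias)
    # 3. Kerberos: a HOST SPN for the alias exists (what setspn -l shows).
    #    Assumption: HOST/<alias> is the SPN netdom registers.
    $result.HostSpn = [bool]($obj.ServicePrincipalNames -contains "HOST/$Alias")
    # 4. Local server: OptionalNames holds the alias (assumed key location).
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $params = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $result.OptionalNames = [bool](@($params.OptionalNames) -contains $Alias)
    return [pscustomobject]$result
}

# Usage, with the post's sample names.
Test-AliasOwner -Computer 'IIS01' -Alias 'webapp.surface.graemebray.com'
netdom computername IIS01 /add:webapp.surface.graemebray.com
if ($LASTEXITCODE -ne 0) { throw "netdom failed with exit code $LASTEXITCODE" }
Test-AliasRegistration -Computer 'IIS01' -Alias 'webapp.surface.graemebray.com'
```

Any field that comes back False points at the matching troubleshooting item above (for example, AdAttribute False after an “Access is denied” error means the write to msDS-AdditionalDnsHostName did not succeed).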
Here are the pertinent Technet links/articles, as always:
Netdom Computername: https://technet.microsoft.com/library/cc835082(v=ws.11).aspx