Using Computer Name Aliases in place of DNS CNAME Records

Hi everyone. Graeme Bray here with an article around using Computer Name Aliases instead of DNS CName records.  In the past, we used to set the registry key DisableStrictNameChecking to be able to add a DNS alias to connect via a name (such as fileserver.contoso.com).  Starting with Windows Server 2008, we added functionality to be able to create a computer alias.

What benefits does using computer aliases provide?

  • Automatic SPN management for Kerberos authentication.
  • No DNS access required
  • Automatic DNS entry updates for DNS A Records.
  • Eliminate the need and risk of editing the registry for “DisableStrictNameChecking” and “OptionalNames” keys

What benefits does using a DNS CName provide?

  • Aliases pointing to a computer name, not an IP address

To create a computer name alias, it’s a very simple process. You need to run as an elevated Powershell (or command prompt) window. Enter the command as below, and you’re done.

Command:

Netdom computername <COMPUTER> /add:<ALIAS>

Example:

Netdom computername IIS01 /add:webapp.surface.graemebray.com

This adds the DNS entry appropriately. To confirm, do one of the two following steps:

1a. Open DNS and look for your entry (sort by name or IP address)

1b. Query for the machine and entries you submitted via PowerShell.

This will allow you to securely access SMB shares.  It’ll register the DNS A record, register additional SPNs, and add OptionalNames registry key.  It’ll save you from modifying SPNs manually and no CNAME mess.

Verify ComputerName Aliases

The most important part to confirm is after we have finished all of this work. We know the DNS entry exists, but how can we confirm the computer object contains all of the appropriate aliases? If we stick with my IIS01 machine, we can run: netdom computername iis01 /enum

This will output a list of all computer names associated with this object.

Verify Service Principal Names

The most important reason to do all of this work is to have all of the Kerberos magic done for you. This can also be verified once the above sets of steps are completed.

If you run setspn -l <computer> you can see the list of all SPN records created.

Remove Computer Alias

The ability to remove the alias is just as easy. Swap “add” for “remove”, and you’re good to go.

Netdom computername <COMPUTER> /remove:<ALIAS>

Troubleshooting:

Below are some troubleshooting tips if you run into errors when trying to create a computername alias.

Problem #1:

“The specified domain either does not exist or could not be contacted.”

Solution:

Make sure you have connection to the domain controller. In my example, I didn’t have an IP address.

Problem #2:

“Access is denied”

Solution:

The user ID must have Write permissions to msDS-AdditionalDnsHostName on the object within Active Directory. You can see the modification attempt via the packet capture data below.

Problem #3:

“The system cannot open the device or file specified.”

Solution:

This computer name alias already belongs to another machine. Be careful with this issue, at time of this writing, on Server 2012 R2, the computer name alias will show up on the second machine you run it on.

Additional Reading:

Here are the pertinent Technet links/articles, as always:

Netdom Computername: https://technet.microsoft.com/library/cc835082(v=ws.11).aspx

SetSPN: https://technet.microsoft.com/library/cc731241(v=ws.11).aspx