Marc Lognoul's IT Infrastructure Blog

Cloudy with a Chance of On-Prem

Windows Server: Multiple Names for a File and Print Server Running Windows Server 2008 R2

This post was inspired by this one by Jose Barreto (MSFT).

When migrating a file and print server to new hardware or to a newer Windows Server version, or when restructuring your file and print service infrastructure, performing the switch with minimal user impact is a primary goal. Most of the time this is achieved by re-using the server’s original name, so that users are transparently pointed to the new one. This post discusses the two main ways of doing that with Windows Server 2008 R2 and their implications.

1) (Re)Configuring Name Resolution Mechanism(s)

This method is the simplest: all you have to do is (depending upon your infrastructure):

  • Add a DNS CNAME record that points the old server name to the A record of the new one
  • Optionally, if you also use WINS, add a static entry for the old server’s name pointing to the new server’s IP address

While this is pretty straightforward, the name change will not be taken into account by the following underlying Windows mechanisms:

Authentication

Kerberos authentication is based on names: the client builds a Service Principal Name (SPN) from the server name the user typed (for a share, CIFS/OLDSERVER) and asks the KDC for a ticket for it, and the KDC can only issue that ticket if the SPN is registered on an account in Active Directory. A CNAME tells DNS, not AD, that the old name now belongs to the new server, so the ticket request fails. On almost every system the problem will not reach the surface, because Windows silently falls back to NTLM. If you want to maintain a correct Kerberos configuration, you have to register the appropriate SPNs, using a tool such as SETSPN or simply the ADUC console (thanks to the attribute editor); the following SPNs must be added to the new server’s computer account MYDOM\NEWSERVER$:

  • CIFS/OLDSERVER
  • CIFS/OLDSERVER.mydom.local

While you may think that falling back to NTLM is not a big issue, bear in mind that NTLM is set to disappear from Windows’ future: Windows 7 and 2008 R2 both ship with security options (“Network security: Restrict NTLM”) that can block its use. They are off by default, though.

CIFS/SMB Strict Name Checking

The protocol responsible for file and print sharing (SMB, a.k.a. CIFS) includes a security check that, by default, makes the server refuse requests addressed to a name that is not its actual computer name. To disable this check you have to modify the LanManServer service configuration (the DisableStrictNameChecking registry value); see http://support.microsoft.com/kb/281308 for the details.

Finally, you may also be affected by human mistakes, such as DNS or WINS admins regularly cleaning up records and considering the CNAME or static entries stale… Only good configuration management can prevent this.
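The whole of method 1, carried out as a script with the checks a practitioner wants, is shown here as an added example; it is not code from the original post. It assumes NEWSERVER is the new host, OLDSERVER the retired name, mydom.local the AD domain and DC01 a DNS server hosting the zone, and it is written for the PowerShell 2.0 that ships with Windows Server 2008 R2, run elevated as a domain admin. Steps 1 to 3 run on the new server; the verification in step 4 is meant to be run from a domain-joined client.

```powershell
# Added example (not from the original post). Assumed names: NEWSERVER, OLDSERVER,
# mydom.local and DC01. Run elevated as a domain admin on NEWSERVER (steps 1-3).
$Domain    = 'mydom.local'
$OldName   = 'OLDSERVER'
$NewName   = 'NEWSERVER'
$DnsServer = 'DC01'

# 1. Name resolution: CNAME OLDSERVER -> NEWSERVER.mydom.local.
#    dnscmd is used because the DnsServer PowerShell module only exists on 2012+.
& dnscmd $DnsServer /RecordAdd $Domain $OldName CNAME "$NewName.$Domain."
if ($LASTEXITCODE -ne 0) { throw "dnscmd failed with exit code $LASTEXITCODE" }
# If WINS is still in use, add the matching static mapping with the WINS console
# or 'netsh wins server' (not shown here).

# 2. Kerberos: the SMB client asks the KDC for a ticket to cifs/<name the user typed>,
#    so that alias must be an SPN of NEWSERVER$. The same SPN on two accounts breaks
#    Kerberos for both, so setspn -S is used: it checks for a duplicate before adding.
#    (cifs/ is mapped onto HOST/ by the forest's sPNMappings, so HOST/OLDSERVER
#    entries would serve as well.)
foreach ($spn in "cifs/$OldName", "cifs/$OldName.$Domain") {
    $out = & setspn -S $spn "$NewName`$"
    if ($LASTEXITCODE -ne 0 -or ($out -match 'Duplicate SPN found')) {
        throw "setspn refused $spn, not registered:`n$($out -join "`n")"
    }
}

# 3. SMB server: accept requests addressed to a name that is not the host name
#    (KB 281308). This is the coarse, server-wide switch.
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
Set-ItemProperty -Path $lanman -Name DisableStrictNameChecking -Value 1 -Type DWord
Restart-Service LanmanServer -Force   # the 'Server' service; -Force restarts dependents too

# 4. Verification, from a domain-joined client: purge the ticket cache, connect with
#    the old name, then look for a cifs/OLDSERVER ticket. If the share was reached
#    over NTLM instead, no such ticket exists.
function Test-KerberosTicket {
    param([string]$Spn)
    $tickets = & klist tickets          # klist ships with Windows 7 / 2008 R2
    return [bool]($tickets -match [regex]::Escape($Spn))
}
& klist purge | Out-Null
& net use "\\$OldName\IPC`$" | Out-Null
if (Test-KerberosTicket "cifs/$OldName") {
    "Kerberos ticket obtained for cifs/$OldName"
} else {
    "No Kerberos ticket for cifs/$OldName: the client fell back to NTLM, check the SPNs"
}
```

The duplicate-SPN test in step 2 relies on the message setspn prints; the Security log on the server (event 4624, authentication package field) is the other place to confirm whether a given connection used Kerberos or NTLM.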

2) Configuring Alternate Names Using the NETDOM Command

The NETDOM command offers a “Swiss army knife” solution to all the issues above while keeping security as high as it can be. Example:

NETDOM COMPUTERNAME NEWSERVERNAME /ADD:OLDSERVERNAME.mydom.local

Then reboot the system; see the reasons below.

This simple command will perform the following, all at once:

Configuring the local computer to register its new alternate name(s) in DNS and/or WINS

This configuration is stored locally in the registry under HKLM\SYSTEM\CurrentControlSet\services\Dnscache\Parameters, in the entry “AlternateComputerNames” (REG_MULTI_SZ), not present by default. See http://technet.microsoft.com/en-us/library/dd197418(WS.10).aspx for details.

This entry seems to appear only after the system has rebooted.

Registering the necessary Service Principal Names in the computer’s AD account.

In this case, all services actually running on the server get registered with the alternate name, so there is no room for granularity as there is with manual registration! NETDOM also writes the alternate name into the computer account’s msDS-AdditionalDnsHostName attribute.

Of course, performing this action implies that the user account executing the command holds the “Validated write to service principal name” right on the computer object (and the “Validated write to DNS host name” right for the msDS-AdditionalDnsHostName attribute), which is the case for a domain admin, for example. See http://technet.microsoft.com/en-us/library/cc728117(WS.10).aspx#BKMK_ValidatedWrites for details.

Reconfiguring the LanManServer service to accept its additional name(s)

NOT by disabling strict name checking, but by using a feature named “Optional Names”: see the registry entry “OptionalNames” (REG_MULTI_SZ) right under the HKLM\SYSTEM\CurrentControlSet\services\LanmanServer\Parameters key, not present by default. Unlike DisableStrictNameChecking, this only widens the set of accepted names to the ones you listed.

This entry seems to appear only after the system has rebooted.

About Scalability

To my knowledge, the only limits on the number of alternate names are the registry’s MULTI_SZ data type and AD’s servicePrincipalName attribute (about 1024 entries per computer object, AFAIK), which leaves plenty of room for multiple consolidations or migrations.

Retrieving the Current Configuration

To list all alternate names, simply use this command:

NETDOM COMPUTERNAME NEWSERVERNAME /ENUMERATE

Note: the command lists the computer’s primary name as well (use /ENUMERATE:AlternateNames to get the aliases only).
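Here is method 2 as a script, with a cross-check of everything NETDOM is supposed to have changed (directory attributes before the reboot, registry values after it). This is an added example, not code from the original post or from Microsoft; it assumes the same names as above (NEWSERVER, OLDSERVER, mydom.local), PowerShell 2.0 on Windows Server 2008 R2, and an elevated session as an account holding the validated writes on the computer object (a domain admin, for example). It uses DirectorySearcher rather than the AD cmdlets so it needs no RSAT module.

```powershell
# Added example (not from the original post). Assumed names: NEWSERVER, OLDSERVER,
# mydom.local. Run elevated on NEWSERVER as a domain admin, then reboot and run
# the check part again.
$Domain  = 'mydom.local'
$OldName = 'OLDSERVER'
$NewName = 'NEWSERVER'

# 1. Register the alias. NETDOM writes it to the computer account at once and to
#    the local registry; the registry side only takes effect after a reboot.
& netdom computername $NewName /add:"$OldName.$Domain"
if ($LASTEXITCODE -ne 0) { throw "netdom failed with exit code $LASTEXITCODE" }

# 2. What NETDOM put in the directory: the alias in msDS-AdditionalDnsHostName and
#    the matching SPNs in servicePrincipalName of NEWSERVER$.
function Get-ComputerAliasInfo {
    param([string]$ComputerName)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=computer)(sAMAccountName=$ComputerName`$))"
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('msDS-AdditionalDnsHostName', 'servicePrincipalName'))
    $r = $searcher.FindOne()
    if (-not $r) { throw "computer account $ComputerName`$ not found" }
    New-Object PSObject -Property @{
        AdditionalDnsHostNames = @($r.Properties['msds-additionaldnshostname'])
        SPNs                   = @($r.Properties['serviceprincipalname'])
    }
}

# 3. What NETDOM put in the registry. Both values are REG_MULTI_SZ and appear only
#    after the reboot; DisableStrictNameChecking is read to show it stays untouched.
function Get-LocalAliasInfo {
    $dns = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters'
    $srv = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    New-Object PSObject -Property @{
        AlternateComputerNames    = @($dns.AlternateComputerNames)
        OptionalNames             = @($srv.OptionalNames)
        DisableStrictNameChecking = $srv.DisableStrictNameChecking   # expected: absent or 0
    }
}

# 4. Cross-check: every alias NETDOM enumerates should be in the directory now and,
#    after the reboot, in both registry values. Short and FQDN forms are both
#    accepted because the registry values may hold the short name.
function Test-AliasPresent {
    param([string[]]$Names, [string]$Alias)
    return ($Names -contains $Alias) -or ($Names -contains $Alias.Split('.')[0])
}
$fqdn = "^\s*[\w-]+\." + [regex]::Escape($Domain) + "\s*$"   # picks the alias lines out of the netdom text
$enum = & netdom computername $NewName /enumerate:AlternateNames
$ad   = Get-ComputerAliasInfo $NewName
$loc  = Get-LocalAliasInfo
foreach ($line in ($enum | Where-Object { $_ -match $fqdn })) {
    $alias = $line.Trim()
    New-Object PSObject -Property @{
        Alias             = $alias
        InAdHostNames     = Test-AliasPresent $ad.AdditionalDnsHostNames $alias
        SpnCount          = @($ad.SPNs | Where-Object { $_ -match ('/' + [regex]::Escape($alias) + '$') }).Count
        InDnscache        = Test-AliasPresent $loc.AlternateComputerNames $alias
        InOptionalNames   = Test-AliasPresent $loc.OptionalNames $alias
        StrictNameChecking = -not ($loc.DisableStrictNameChecking -eq 1)
    }
}
```

Before the reboot expect InAdHostNames to be true and InDnscache/InOptionalNames false; after it, all three true, SpnCount greater than zero (one per service NETDOM registered, which is where the lack of granularity shows), and StrictNameChecking still true.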

Compatibility

The NETDOM method also works if the computer runs Windows 7.

While it also works if the server is a domain controller, it will not if you want to perform this operation on a cluster resource group. In that case you have to use the cluster-specific method (cluster administration console, resource configuration, SPN and DNS registration, and so on).

Finally, since printer sharing uses the same protocol, it works on print servers too.

Conclusions

Although the NETDOM method has two disadvantages, 1) it seems to require a reboot and 2) it registers SPNs for all hosted services, which may sometimes be too much and look like a waste at the AD attribute level, it clearly wins over manual name registration and the manual reconfigurations that follow.

Marc


Author: Marc Lognoul

Relentless cloud professional. Restless rider. Happy husband. Proud father. Opinions are my own.
