Accessing LOCAL resources via DNS alias (CNAME) on W2k3

Roger Lindholm
Guest
06-01-2006, 11:51 AM
We want to use DNS aliases (CNAME) to access "all" resources within an Active
Directory domain. This works well when accessing resources on remote
machines. When accessing the same resource, using the DNS alias, locally from
the machine sharing the resource we get errors. To try to solve this we have
done the following:
- Added the LanmanServer registry entry DisableStrictNameChecking 1. This
made it possible to access resources on remote computers using alias names.
- Added file shares as standalone DFS roots. This made it possible to access
local fileshare resources using alias name, but not for accessing things like
remote process listing (IPC$) via alias
- Running NETDOM COMPUTERNAME localhost /ADD alias.fqdn. This solved all
problems, including accessing process status locally via alias, on the first
server with the resource.

The problem we have now is when we try to add an alias with the same name,
but in a different Active Directory site and in a different DNS subdomain,
the name is not registered. Netdom returns error 87. We need to do this to be
able to let the clients access the resource which is local in the site using
the same alias without reconfiguring them. I.e. the client receives a domain
suffix via DHCP which is "site.domain". The client is configured to look up
the service "alias". This means that the client asks DNS to translate
"alias.site.domain". If the client is moved to another site it will get
another DNS suffix with that site's DNS domain and DNS will translate the DNS
alias to the correct local server. We can NOT use normal DNS "site
loadsharing" or DFS fault tolerant roots, since it is not allowed to access
resources in other sites under any circumstances if not manually configured
to do so.

Example Server1 in site 1:
netdom computername localhost /add sqlsrv.site1.fmv.se <successful>

Example Server1 in site 2:
netdom computername localhost /add sqlsrv.site2.fmv.se <fails>
netdom computername localhost /add otheralias.site2.fmv.se <successful>

We then tried to add the "duplicate" aliases using SETSPN -A cifs/alias
hostname etc., added DNS CNAME records manually and added the alias name to
the LanmanServer registry key OptionalNames. This registered the names without
any obvious errors. After a reboot LsaSrv logs the following error to the
event log.

The security system detected an authentication error for server
cifs/alias.fqdn. The failure code from authentication protocol Kerberos was
"The specified user does not exists (0x0000064)"

The only thing we have found differing between an alias that works after
"netdom computername /add", and a manually added entry is that the attributes
msDs-alternativeDnsName and does not contain the alias$ names. It is also not
possible to update these attributes using adsiedit.

All servers are Windows 2003 Enterprise Edition SP1 domain controllers
running in the same Active Directory Domain (in 2003 domain and forest mode).
Each DC is in its own AD site with IP sitelinks in between.

So the question is, how can we solve the problem? Is there any other way to
accomplish what we are after? Would disabling NetBIOS help? Is it possible to
turn off security in a way so that I trust that the DNS response is correct
and connect with username and password no matter what the server is
named?

Regards
// Roger
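
The post touches four separate places where an alias has to be registered for SMB over Kerberos to work (the DNS CNAME, the cifs/ SPN, the LanmanServer OptionalNames/DisableStrictNameChecking values, and the computer object attribute that netdom computername /add populates). The following diagnostic is an added example, not code from the thread: it reports the state of each of those four points for one alias so that a half-registered alias (the situation that produces the LsaSrv Kerberos error quoted above) can be spotted before clients hit it. It assumes a current Windows host with RSAT (ActiveDirectory and DnsClient modules) and setspn.exe, run by a domain administrator; the alias and host names passed in are placeholders, and msDS-AdditionalDnsHostName is the attribute name netdom writes (the post's "msDs-alternativeDnsName" reads as a transcription of that name).

```powershell
# Added diagnostic, not part of the original thread. Assumes RSAT (ActiveDirectory,
# DnsClient) and setspn.exe on a current Windows host, run as a domain admin.
function Test-CnameAliasRegistration {
    param(
        [Parameter(Mandatory)][string]$AliasFqdn,   # placeholder, e.g. 'alias.site.domain'
        [Parameter(Mandatory)][string]$HostName     # sAMAccountName of the server, without '$'
    )
    $result = [ordered]@{ Alias = $AliasFqdn; Host = $HostName }

    # 1. DNS: clients ask for the alias, so it must resolve as a CNAME to the host.
    $cname = Resolve-DnsName -Name $AliasFqdn -Type CNAME -ErrorAction SilentlyContinue
    $result.DnsCnameTarget = if ($cname) { $cname.NameHost } else { $null }

    # 2. Kerberos: cifs/<alias> must be registered on exactly one account; if the KDC
    #    cannot map the SPN, LsaSrv logs the "authentication error for server cifs/..." event.
    $spnOut = & setspn.exe -Q "cifs/$AliasFqdn" 2>&1
    $result.SpnFoundInForest = $null -ne ($spnOut | Select-String -SimpleMatch 'Existing SPN found')

    # 3. SMB server settings from the thread (DisableStrictNameChecking, OptionalNames).
    $lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $p = Get-ItemProperty -Path $lanman -ErrorAction SilentlyContinue
    $result.StrictNameCheckingDisabled = ($p.DisableStrictNameChecking -eq 1)
    $result.AliasInOptionalNames = @($p.OptionalNames) -contains $AliasFqdn

    # 4. AD computer object: 'netdom computername /add' writes the alias into
    #    msDS-AdditionalDnsHostName and adds the SPNs; a hand-made CNAME plus setspn does not
    #    touch the attribute, which is the difference the poster observed.
    $comp = Get-ADComputer -Identity $HostName -Properties msDS-AdditionalDnsHostName, servicePrincipalName
    $result.AliasInAdditionalDnsHostName = @($comp.'msDS-AdditionalDnsHostName') -contains $AliasFqdn
    $result.CifsSpnOnThisHost = @($comp.servicePrincipalName) -contains "cifs/$AliasFqdn"

    # Everything must be true (and the CNAME must point at this host) for a clean registration.
    $result.FullyRegistered = $result.SpnFoundInForest -and $result.CifsSpnOnThisHost -and
        $result.AliasInAdditionalDnsHostName -and $null -ne $result.DnsCnameTarget
    [pscustomobject]$result
}

# Example call with placeholder names (constructed, not from the thread):
Test-CnameAliasRegistration -AliasFqdn 'alias.site.domain' -HostName 'SERVER1' | Format-List
```

A FullyRegistered value of $false with SpnFoundInForest $true but CifsSpnOnThisHost $false means the SPN is registered on a different account, which is the duplicate-SPN case netdom refuses with error 87 when the same alias is added in a second site.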