


How To Create DNS Alias In Windows Server 2012

Contents

  • 1 Introduction
    • 1.1 What benefits does using computer aliases provide?
    • 1.2 What benefits does using a DNS CName provide?
  • 2 How To Step by Step
    • 2.1 Verify ComputerName Aliases
    • 2.2 Verify Service Principal Names
    • 2.3 Remove Computer Alias
  • 3 Troubleshooting
    • 3.1 The specified domain either does not exist or could not be contacted.
      • 3.1.1 Solution
    • 3.2 Access is denied
      • 3.2.1 Solution
    • 3.3 The system cannot open the device or file specified.
      • 3.3.1 Solution

Hi everyone. Graeme Bray here with an article around using Computer Name Aliases instead of DNS CName records.

Introduction

In the past, we used to set the registry key DisableStrictNameChecking to be able to add a DNS alias to connect via a name (such as fileserver.contoso.com).  Starting with Windows Server 2008, we added functionality to be able to create a computer alias.

What benefits does using computer aliases provide?

  • Automatic SPN management for Kerberos authentication.
  • No DNS access required
  • Automatic DNS entry updates for DNS A Records.
  • Eliminate the need and risk of editing the registry for "DisableStrictNameChecking" and "OptionalNames" keys

What benefits does using a DNS CName provide?

  • Aliases pointing to a computer name, not an IP address

How To Step by Step

Creating a computer name alias is a very simple process. Open an elevated PowerShell (or command prompt) window, enter the command below, and you're done.

Command: Netdom computername <COMPUTER> /add:<ALIAS>

Example:

Netdom computername IIS01 /add:webapp.surface.graemebray.com

This adds the DNS entry appropriately. To confirm, do one of the two following steps:

1a. Open DNS and look for your entry (sort by name or IP address)

1b. Query for the machine and entries you submitted via PowerShell.

This will allow you to securely access SMB shares. It registers the DNS A record, registers additional SPNs, and adds the OptionalNames registry key. It saves you from modifying SPNs manually, with no CNAME mess.

Verify ComputerName Aliases

The most important thing to confirm comes after we have finished all of this work. We know the DNS entry exists, but how can we confirm the computer object contains all of the appropriate aliases? If we stick with my IIS01 machine, we can run: netdom computername iis01 /enum

This will output a list of all computer names associated with this object.

Verify Service Principal Names

The most important reason to do all of this work is to have all of the Kerberos magic done for you. This can also be verified once the above sets of steps are completed.

If you run setspn -l <computer> you can see the list of all SPN records created.

Remove Computer Alias

The ability to remove the alias is just as easy. Swap "add" for "remove", and you're good to go.

Netdom computername <COMPUTER> /remove:<ALIAS>

Troubleshooting

Below are some troubleshooting tips if you run into errors when trying to create a computername alias.

The specified domain either does not exist or could not be contacted.

Solution

Make sure you have a connection to the domain controller. In my example, I didn't have an IP address.

Access is denied

Solution

The user ID must have Write permissions to msDS-AdditionalDnsHostName on the object within Active Directory. You can see the modification attempt via the packet capture data below.

The system cannot open the device or file specified.

Solution

This computer name alias already belongs to another machine. Be careful with this issue: at the time of this writing, on Server 2012 R2, the computer name alias will show up on the second machine you run it on.
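The checks from the two verification sections and the duplicate-alias case above can be combined into one read-only audit. This is an added example, not code from the original article: the function name Test-ComputerNameAlias is hypothetical, and it assumes the ActiveDirectory and DnsClient modules are available and that the alias is stored verbatim in msDS-AdditionalDnsHostName.

```powershell
#Requires -Modules ActiveDirectory, DnsClient
# Added example (not from the article): read-only audit of a computer name alias.
# Test-ComputerNameAlias is a hypothetical helper name.
function Test-ComputerNameAlias {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Computer,
        # Host-name characters only, so the value is safe inside the LDAP filter below.
        [Parameter(Mandatory)][ValidatePattern('^[A-Za-z0-9.-]+$')][string]$Alias
    )
    $props = 'msDS-AdditionalDnsHostName', 'servicePrincipalName'
    $obj   = Get-ADComputer -Identity $Computer -Properties $props

    # 1. Alias stored on the computer object (assumed to appear verbatim in the attribute).
    $onObject = @($obj.'msDS-AdditionalDnsHostName') -contains $Alias

    # 2. SPNs that end in the alias, e.g. HOST/<alias> (the same data "setspn -l" lists).
    $spns = @($obj.servicePrincipalName | Where-Object { $_ -like "*/$Alias" })

    # 3. A records for the alias should resolve to addresses the primary name also has.
    $resolve  = { param($n) @(Resolve-DnsName -Name $n -Type A -ErrorAction SilentlyContinue |
                              Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress }) }
    $aliasIPs = @(& $resolve $Alias)
    $hostIPs  = @(& $resolve $obj.DNSHostName)
    $stray    = @($aliasIPs | Where-Object { $hostIPs -notcontains $_ })

    # 4. Other computer objects that also carry the alias (the collision case).
    $others = @(Get-ADComputer -LDAPFilter "(msDS-AdditionalDnsHostName=$Alias)" |
                Where-Object { $_.DistinguishedName -ne $obj.DistinguishedName } |
                ForEach-Object { $_.Name })

    [pscustomobject]@{
        Computer       = $obj.Name
        Alias          = $Alias
        AliasOnObject  = $onObject
        AliasSPNs      = $spns
        DnsMatchesHost = ($aliasIPs.Count -gt 0 -and $stray.Count -eq 0)
        OtherHolders   = $others
    }
}

# Sample names from the article; replace with your own.
Test-ComputerNameAlias -Computer 'IIS01' -Alias 'webapp.surface.graemebray.com'
```

A non-empty OtherHolders or an empty AliasSPNs is the result to investigate before relying on the alias for Kerberos authentication.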

Additional Reading

Here are the pertinent Technet links/articles, as always:

  • Netdom Computername
  • SetSPN

Source: https://argonsys.com/microsoft-cloud/library/using-computer-name-aliases-in-place-of-dns-cname-records/

Posted by: hernandezsuccans.blogspot.com
