We have been using CNAMEs for a huge number of NetApp NAS CIFS servers and quite a few other Windows servers, mainly for the same reason, which is that the original file server or sometimes app server was replaced.

We generally don't run into any issues with the exception of when a machine, as opposed to a user, is trying to access resources. In that case, apparently only Kerberos can be used without disablestrictnamechecking. For example, when you set up a backup to a file share which runs under the System account, or a Group Policy software installation, and try to use the CNAME of the remote server. The GPSI will fail and the backup will fail, even if you're certain that the machine has the proper access to the file share.

So from our experience, you would only need disablestrictnamechecking in those instances. We have never had to do this because in those instances we just use the real server name. The aliases are only needed by the users. We had one exception where a huge number of GPSIs were pointing to a NAS which was replaced. We requested that the new NAS be named the same as the one it was replacing.

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Ken Schaefer
Sent: Wednesday, July 02, 2014 9:12 PM
To: [email protected]
Subject: RE: [NTSysADM] File server question

Would be required if you went CNAME and wanted Kerberos. NTLM would work without setting any SPNs.

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Kurt Buff
Sent: Thursday, 3 July 2014 9:46 AM
To: [email protected]
Subject: Re: [NTSysADM] File server question

Looks like SetSPN is mixed in there, too. Doesn't look like brain surgery, though.

Thanks.

Kurt

On Wed, Jul 2, 2014 at 4:33 PM, Michael B. Smith <[email protected]> wrote:
> It still applies, but it may not always work.
>
> http://www.marc-lognoul.me/itblog-en/windows-the-confusion-over-disableloopbackcheck-disablestrictnamechecking-and-kerberos/
>
> I think the above is a decent coverage of the topic.
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Kurt Buff
> Sent: Wednesday, July 2, 2014 7:26 PM
> To: [email protected]
> Subject: [NTSysADM] File server question
>
> All,
>
> We're going to be replacing our current 2003 server with a 2012 R2 VM.
>
> As is usual in these things, there are lots of links and embedded references to the old file server name, and we want to start to move away from it.
>
> I'd like to stand up a CNAME for the old server pointing to the new server, and everything I've been reading suggests that I need to put up the disablestrictnamechecking regentry on the new machine.
>
> I seem to recall something indicating that this isn't necessary for 2012 R2, but can't find reference to it, and I'm wondering if my memory is clouded by something else.
>
> Do I need disablestrictnamechecking or not?
>
> Kurt

