How to Configure Windows Machine to Allow File Sharing with DNS Alias
Posted by Mandeep Singh, Last modified by Mandeep Singh on 24 February 2016 11:00 AM
To facilitate failover schemes, a common technique is to use DNS CNAME records (DNS aliases) for different machine roles. Then, instead of changing the Windows computer name of the actual machine, one can switch a DNS record to point to a new host.
This can work on Microsoft Windows machines, but to make it work with file sharing the following configuration steps need to be taken.
1. The Problem
On Windows machines, file sharing can work via the computer name, with or without full qualification, or by the IP Address. By default, however, filesharing will not work with arbitrary DNS aliases. To enable filesharing and other Windows services to work with DNS aliases, you must make registry changes as detailed below and reboot the machine.
2. The Solution
Allowing other machines to use filesharing via the DNS Alias (DisableStrictNameChecking)
This change alone will allow other machines on the network to connect to the machine using any arbitrary hostname. However, this change will not allow a machine to connect to itself via a hostname; see BackConnectionHostNames below.
Allowing server machine to use filesharing with itself via the DNS Alias (BackConnectionHostNames)
This change is necessary for a machine to reach its own file shares via the DNS alias. It creates the Local Security Authority host names that can be referenced in an NTLM authentication request.
To do this, follow these steps for all the nodes on the client computer:
Providing browse capabilities for multiple NetBIOS names (OptionalNames)
This allows the network alias to appear in the network browse list.
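The three registry changes named above, as an added PowerShell example that is not part of the original article. The registry paths are the standard LanmanServer and MSV1_0 locations for these values; the function name and the sample alias names are assumptions made here.

```powershell
# Added example, not from the original article. Run from an elevated prompt.
# Use -WhatIf to preview; a reboot is needed before the changes take effect.
function Set-FileShareAlias {            # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Short name and FQDN of the alias, e.g. 'files','files.example.test' (constructed)
        [Parameter(Mandatory)][string[]]$Alias
    )
    $lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $msv1_0 = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

    # 1. DisableStrictNameChecking: accept SMB connections addressed to other names.
    if ($PSCmdlet.ShouldProcess("$lanman\DisableStrictNameChecking", 'set DWORD 1')) {
        New-ItemProperty -Path $lanman -Name DisableStrictNameChecking `
            -PropertyType DWord -Value 1 -Force | Out-Null
    }

    # 2 and 3 are multi-string values: merge with existing entries, never overwrite.
    $targets = @(
        @{ Path = $msv1_0; Name = 'BackConnectionHostNames'; Values = $Alias },
        # OptionalNames holds NetBIOS names, so skip dotted (FQDN) entries.
        @{ Path = $lanman; Name = 'OptionalNames'; Values = @($Alias | Where-Object { $_ -notmatch '\.' }) }
    )
    foreach ($t in $targets) {
        $existing = (Get-ItemProperty -Path $t.Path -Name $t.Name -ErrorAction SilentlyContinue).($t.Name)
        $merged = @(@($existing) + @($t.Values) | Where-Object { $_ } | Sort-Object -Unique)
        if ($merged.Count -eq 0) { continue }
        if ($PSCmdlet.ShouldProcess("$($t.Path)\$($t.Name)", "set to: $($merged -join ', ')")) {
            New-ItemProperty -Path $t.Path -Name $t.Name `
                -PropertyType MultiString -Value $merged -Force | Out-Null
        }
    }

    # Read back the resulting state so it can be reviewed or logged.
    [pscustomobject]@{
        DisableStrictNameChecking = (Get-ItemProperty $lanman).DisableStrictNameChecking
        BackConnectionHostNames   = (Get-ItemProperty $msv1_0).BackConnectionHostNames
        OptionalNames             = (Get-ItemProperty $lanman).OptionalNames
    }
}

# Preview only: shows what would be written for the constructed alias names.
Set-FileShareAlias -Alias 'files', 'files.example.test' -WhatIf
```

Listing only the aliases actually in use keeps the set of accepted names small and easy to review later.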
Register the Kerberos service principal names (SPNs) for other Windows functions like Printing (setspn)
NOTE: You should not need to do this for basic functions to work; it is documented here for completeness. We had one situation in which the DNS alias was not working because an old SPN record was interfering, so if the other steps aren't working, check whether there are any stray SPN records.
You must register the Kerberos service principal names (SPNs), the host name, and the fully-qualified domain name (FQDN) for all the new DNS alias (CNAME) records. If you do not do this, a Kerberos ticket request for a DNS alias (CNAME) record may fail and return the error code
To view the Kerberos SPNs for the new DNS alias records, use the Setspn command-line tool (
How to use the tool to list all records for a computername:
To register the SPN for the DNS alias (CNAME) records, use the Setspn tool with the following syntax:
All the Microsoft references work via: http://support.microsoft.com/kb/