What could be the possible problems with accessing a Windows file server shares using a DNS CNAME instead of the actual computer name? The file server is joined to an Active Directory domain, but is not a Domain Controller.
E.g. let's assume there is a file server with computer name SERVER1 joined to the Active Directory domain branch.company.com, and there is a DNS CNAME record files.company.com that points to server1.branch.company.com.

What could be the potential problems when connecting to \\files.company.com\sharename?
Things currently known to me (but not yet verified):
- Need to add the alias name to the HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\SrvAllowedServerNames REG_MULTI_SZ registry value, if the "Microsoft network server: Server SPN target name validation level" Group Policy setting is not Off (i.e. the HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\SmbServerNameHardeningLevel registry value is not 0).
- Need to add the alias name to the HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\BackConnectionHostNames REG_MULTI_SZ registry value (for connections to the alias name from the server itself to work).
- An SPN might need to be added in Active Directory using a command like setspn -A host/files.company.com SERVER1 (I am not sure whether/when this is needed and whether authentication will be downgraded from Kerberos to NTLM without this).
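The three steps listed in the question, as an added PowerShell example that is not part of the original post: it is run elevated on SERVER1, uses the names from the question (files.company.com, SERVER1, the two registry values and the host/ SPN), and the Add-MultiStringValue helper is my own.

```powershell
# Added example: idempotently apply the alias settings from the question on SERVER1.
# Names are taken from the question; Add-MultiStringValue is a helper written for this example.
$Alias      = 'files.company.com'
$ServerName = 'SERVER1'
$SrvParams  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$Msv1Key    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

function Add-MultiStringValue {
    # Appends $Entry to a REG_MULTI_SZ value, creating the value if it does not exist.
    # Returns $true when something was written, $false when the entry was already present.
    param([string]$Path, [string]$Name, [string]$Entry)
    $existing = @((Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name)
    if ($existing -contains $Entry) { return $false }
    $newValue = @($existing | Where-Object { $_ }) + $Entry   # drop empty strings from a missing value
    Set-ItemProperty -Path $Path -Name $Name -Type MultiString -Value $newValue
    return $true
}

# 1. SPN target name validation: SrvAllowedServerNames only matters when the hardening level is not 0.
$level = (Get-ItemProperty -Path $SrvParams -Name SmbServerNameHardeningLevel -ErrorAction SilentlyContinue).SmbServerNameHardeningLevel
if ($level -and $level -ne 0) {
    if (Add-MultiStringValue -Path $SrvParams -Name SrvAllowedServerNames -Entry $Alias) {
        Write-Host "Added $Alias to SrvAllowedServerNames (hardening level $level); restart the Server service to apply"
    }
} else {
    Write-Host 'SmbServerNameHardeningLevel is 0 or absent; SrvAllowedServerNames is not required'
}

# 2. Loopback connections: lets \\files.company.com opened on SERVER1 itself authenticate.
if (Add-MultiStringValue -Path $Msv1Key -Name BackConnectionHostNames -Entry $Alias) {
    Write-Host "Added $Alias to BackConnectionHostNames"
}

# 3. Kerberos SPN: register host/files.company.com on SERVER1 only if no account already holds it.
$query = setspn -Q "host/$Alias" 2>&1
if ($query -match 'No such SPN found') {
    Write-Host "SPN host/$Alias missing; registering on $ServerName"
    setspn -A "host/$Alias" $ServerName
} else {
    Write-Host "SPN host/$Alias already exists:`n$($query -join "`n")"
}
```

From a client, running klist after opening \\files.company.com\sharename shows whether a cifs/files.company.com ticket was issued; if none appears, the connection fell back to NTLM.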