ICT-Hotlist Topic

DisableStrictNameChecking (as referenced in my article in SSWUG.org) (Not allowed on fileservers anymore!)

Warning: To provide increased network security of Windows and Windows Server for the modern landscape, beginning in Windows 11 Insider Preview Build 25381 (Canary, zn_release) Enterprise editions, SMB signing is now required by default for all connections. This changes legacy behavior, where Windows 10 and 11 required SMB signing by default only when connecting to shares named SYSVOL and NETLOGON and where Active Directory domain controllers required SMB signing when any client connected to them. As a result, the following CNAME enabling trick is deprecated for file servers.
Jump to "Using Computer Name Aliases" in this article to be future-proof!

Allow DNS Aliases on File Servers.

DNS aliases (CNAME) work for most of the services on a server, but Windows File services have a security feature that blocks this. This can be turned off by adding the DWORD value DisableStrictNameChecking and setting it to 1 in the Windows registry at:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters
Or use the Windows Registry file below:
Windows Registry Editor Version 5.00

;*******************************************************************************
;* This registry file enables access to Windows File servers via a DNS Alias
;* (C) Copyright 2009 - 2024 J.P.G. van Soest (www.vansoest.it)
;*******************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"DisableStrictNameChecking"=dword:00000001

The server must be rebooted after applying the registry change.
Warning: This solution modifies the Windows registry. Back up the registry before you modify it. Then, you can restore the registry if a problem occurs.

Using Computer Name Aliases

Starting with Windows Server 2008, Microsoft added functionality to be able to create a computer alias. What benefits does using computer aliases provide?
  • Automatic SPN management for Kerberos authentication
  • No DNS access required
  • Automatic DNS entry updates for DNS A Records
  • Eliminates the need and risk of editing the registry for the aforementioned "DisableStrictNameChecking" and "OptionalNames" keys
Just use the command:
Netdom computername <COMPUTER> /add:<ALIAS>
Example: Adding the Alias FileServer pointing to the existing server TestServer:
Netdom computername TestServer /add:FileServer.van_soest.it

Test the Computer Name Alias

To test if the changes have been made, check your DNS tools or use the command:
netdom computername <COMPUTER> /enum
The system should report for example:
Netdom computername TestServer /enum
All of the names for the computer are:

TestServer.van_soest.it
FileServer.van_soest.it
This allows you to securely access SMB shares. The command registers the DNS A record, registers the additional SPNs, and adds the OptionalNames registry key, which saves you from modifying SPNs and CNAMEs manually. It can even be batched for business continuity purposes.
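The check below is an added example, not part of the original article: it verifies on the file server that the alias is present in OptionalNames, SPNs and DNS, and that the legacy DisableStrictNameChecking workaround is no longer set. The default names are the article's sample values, and matching either the short name or the FQDN in OptionalNames is an assumption.

```powershell
# Added example: audit a file server after 'netdom computername /add'.
# Run elevated on the file server. Defaults are the article's sample names.
param(
    [string]$Computer = 'TestServer',
    [string]$Alias    = 'FileServer.van_soest.it'
)

$key    = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$params = Get-ItemProperty -Path $key
$short  = $Alias.Split('.')[0]

# Legacy workaround: a missing value reads as $null, so strict checking is on.
$strictOff = ($params.DisableStrictNameChecking -eq 1)

# OptionalNames may list the short name or the FQDN (assumption: either counts).
$inOptional = [bool](@($params.OptionalNames) |
    Where-Object { $_ -and ($_ -eq $short -or $_ -eq $Alias) })

# SPNs on the computer account whose host part is the alias.
$pattern = "/$([regex]::Escape($short))(\.|:|$)"
$spns = @(setspn.exe -L $Computer 2>$null |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -match $pattern })

# DNS: the alias should resolve through an A record, not through a CNAME.
$dns      = @(Resolve-DnsName -Name $Alias -ErrorAction SilentlyContinue)
$hasA     = [bool]($dns | Where-Object { $_.QueryType -eq 'A' })
$hasCname = [bool]($dns | Where-Object { $_.QueryType -eq 'CNAME' })

# SMB signing requirement on the server side (see the warning at the top).
$smb = Get-SmbServerConfiguration

[pscustomobject]@{
    Computer                    = $Computer
    Alias                       = $Alias
    StrictNameCheckingDisabled  = $strictOff
    AliasInOptionalNames        = $inOptional
    AliasSpnCount               = $spns.Count
    AliasSpns                   = ($spns -join ', ')
    ResolvesViaARecordOnly      = ($hasA -and -not $hasCname)
    SmbSigningRequired          = $smb.RequireSecuritySignature
} | Format-List
```

A server that has been moved to computer name aliases should show StrictNameCheckingDisabled as False, with the alias present in OptionalNames, in the SPN list and in DNS as an A record.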

Remove the Computer Name Alias

To remove the Computer Name Alias use the command:
Netdom computername <COMPUTER> /remove:<ALIAS>
Warning: A Windows domain name cannot contain an underscore "_" according to these standards. The underscore is used in these examples as a spam countermeasure.
Scripts and programming examples disclaimer

Unless stated otherwise, the script sources and programming examples provided are copyrighted freeware. You may modify them, as long as a reference to the original code and hyperlink to the source page is included in the modified code and documentation. However, it is not allowed to publish (copies of) scripts and programming examples on your own site, blog, vlog, or distribute them on paper or any other medium, without prior written consent.
Many of the techniques used in these scripts, including but not limited to modifying the registry or system files and settings, impose a risk of rendering the Operating System inoperable and loss of data. Make sure you have verified full backups and the associated restore software available before running any script or programming example. Use these scripts and programming examples entirely at your own risk. All liability claims against the author in relation to material or non-material losses caused by the use, misuse or non-use of the information provided, or the use of incorrect or incomplete information, are excluded. All content is subject to change and provided without obligation.
Generated by WebHalla™ Version 0.1.e.7 : Friday 19-4-2024 © Copyright 1995-2024 ing. Johan P.G. van Soest CIPM Certified Privacy Information Manager