Expert advice on special case of server dns alias with cifs

Last response: in Windows 2000/NT
April 5, 2012 3:22:02 AM

The servers are all windows server 2003. The situation is we are moving a collection of servers from one datacenter to another, but need to keep a truckload of homegrown software intact on these servers and functioning while changing the server names, but keeping the both servers active until the cutover.
No clients access the servers; it's just that the servers need to be able to self-reference each other.

So for example, there is the old server named server1.domain.ad in datacenter 1, which we have cloned to a new server named server2.domain.ad in datacenter 2. The new server has been sysprepped, etc., and works fine.

The trick is I need server2.domain.ad in datacenter 2 to be able to refer to itself by UNC path as server1.domain.ad... while leaving the original server1.domain.ad in datacenter 1 still functioning until the formal cutover.

Here is what I have done so far:

Set up the hosts file on server2.domain.ad with both abbreviated and FQDN entries. Ping works fine.
I set up DisableStrictNameChecking, disabled loopback authentication, set up OptionalNames, set up BackConnectionNames, set up MSV1_0, and disabled "requiresecuritysignature", etc. I have also disabled LMHOSTS lookup, removed the WINS server entries and disabled NetBIOS over TCP/IP.

For the sake of simplicity I am only talking about a pair of servers, but this actually needs to be done for about 40 servers (80 total, as the 40 in datacenter 2 will replace the 40 in datacenter 1).

However, I still cannot do \\server1 on server2 without getting this dialog box.

\\server1 is not accessible. You might not have permission to use this network resource. etc.
Logon Failure: The target account name is incorrect

Then if I look in the system eventlog I see this Kerberos error: (EventID 4)
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/server2.domain.ad. The target name used was cifs/server1. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named machine accounts in the target realm (DOMAIN.AD), and the client realm. Please contact your system administrator.

Lastly, I found that if I merely added a bogus server name (like server0.domain.ad) mapping to the server2 IP in server2's hosts file, it totally works... just not server1.domain.ad.

It seems like either AD is seeing the active server1 in datacenter 1 and blocking this from working, or server1 is somehow interfering with server2 referring to itself as server1.

It seems like this should work, since the reference is entirely self-contained on server2.

Any advice would be greatly appreciated. We do not have the original developers anymore to reconfigure the new servers, so we have to make this work using aliases/tricks/whatever... we just need both servers to be active at the same time until the formal cutover.

Appreciate any help

Thanks
M
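The Event ID 4 text above says the ticket the client obtained for cifs/server1 was encrypted with a key that server2 does not hold. An added diagnostic, not from the original poster and not a fix, that shows which AD account owns the SPN behind that name and parses the recent Event ID 4 entries; it assumes PowerShell 2.0 on a domain-joined host with LDAP access to the domain, and reuses the post's names server1 and server2.domain.ad:

```powershell
# Added diagnostic for the KRB_AP_ERR_MODIFIED symptom in the post above; not from the
# original poster. Assumes PowerShell 2.0, a domain-joined host, LDAP access to the domain,
# and the post's names (server1 = alias the software expects, server2 = host answering it).
$alias    = "server1"
$realHost = "server2.domain.ad"

# 1. Find the AD account that owns the SPN the client asked for. A request for cifs/<name>
#    is satisfied by a HOST/<name> SPN, and the KDC encrypts the service ticket with the
#    key of whichever account holds that SPN. If that is server1's computer account and
#    not server2's, server2 can never decrypt the ticket, whatever the hosts file says.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(|(servicePrincipalName=cifs/${alias})(servicePrincipalName=cifs/${alias}.*)" +
                   "(servicePrincipalName=HOST/${alias})(servicePrincipalName=HOST/${alias}.*))"
[void]$searcher.PropertiesToLoad.AddRange([string[]]@("sAMAccountName", "dNSHostName"))
$spnOwners = @($searcher.FindAll())

if ($spnOwners.Count -eq 0) {
    "No account in AD holds an SPN for $alias; the failure has another cause."
}
foreach ($r in $spnOwners) {
    $acct  = [string]$r.Properties["samaccountname"]
    $dns   = [string]$r.Properties["dnshostname"]
    $state = if ($dns -ieq $realHost) { "matches" } else { "does NOT match" }
    "SPN for $alias is held by $acct ($dns), which $state the host answering as $alias ($realHost)"
}

# 2. Read the recent Kerberos client errors (System log, source Kerberos, Event ID 4) and
#    pull out the two names the event reports: the server that answered and the SPN the
#    ticket was issued for. A mismatch between them is exactly the post's symptom.
$kerbEvents = Get-EventLog -LogName System -Source Kerberos -EntryType Error -Newest 50 |
              Where-Object { $_.EventID -eq 4 }
foreach ($e in $kerbEvents) {
    if ($e.Message -match 'from the server (\S+)\.\s+The target name used was (\S+)\.') {
        $answeredBy = $matches[1]
        $ticketFor  = $matches[2]
        "{0}: ticket for {1} was presented to {2}" -f $e.TimeGenerated, $ticketFor, $answeredBy
    }
}
```

Run it on server2: if the SPN owner reported in step 1 is server1's computer account, the hosts-file and registry changes listed in the post cannot change which key the KDC uses, which is why only the unregistered name server0.domain.ad works.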

April 6, 2012 5:42:50 PM

There is not much difficulty in having a server think it's another name with IP resolution. But, in the AD security you can't fake it. Can you use IPs instead of names?
September 18, 2012 4:17:45 PM

Hello mannyo,
I came across this post because I am experiencing absolutely the same problem. It's been a while since you posted this; have you found any solution to this problem? I tried lots of stuff found on Google, but nothing really helped me.

Thank you in advance for your answer.

Robert