
Expert advice on special case of server dns alias with cifs

  • Domain
  • Windows Server 2003
  • Servers
  • Windows
April 5, 2012 3:22:02 AM

The servers are all Windows Server 2003. The situation is we are moving a collection of servers from one datacenter to another, but need to keep a truckload of homegrown software intact on these servers and functioning while changing the server names, but keeping both servers active until the cutover.
No clients access the servers; it's just that the servers need to be able to self-reference each other.

So for example, there is the old server named in datacenter 1, that we have cloned to a new server named in datacenter 2. The new server has been sysprepped, etc. and works fine.

The trick is I need in datacenter 2 to be able to refer to itself by UNC path as leaving the original in datacenter 1 still functioning until the formal cutover.

Here is what I have done so far

Set up the hosts file on with both abbreviated and FQDN entries. Ping works fine.
I set up the DisableStrictNameChecking, disabled loopback authentication, set up OptionalNames, and set up BackConnectionNames, set up MSV1_0, and disabled "requiresecuritysignature", etc. I have also disabled LMHOSTS lookup, removed the WINS server entries and disabled NetBIOS over TCP/IP.

For the sake of simplicity I am only talking about a pair of servers, but this actually needs to be done for about 40 servers (80 total as the 40 in datacenter 2 will replace the 40 in datacenter 1)

However, I still cannot do \\server1 on server2 without getting this dialog box.

\\server1 is not accessible. You might not have permission to use this network resource. Etc
Logon Failure: The target account name is incorrect

Then if I look in the system eventlog I see this Kerberos error: (EventID 4)
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/ The target name used was cifs/server1. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named machine accounts in the target realm (DOMAIN.AD), and the client realm. Please contact your system administrator.

Lastly, I found that if I merely added a bogus server name (like mapping to the server2 IP in server2's host file, it totally works...just not

It seems like either AD is seeing the active server1 in datacenter1 and blocking this from working or server1 is somehow interfering with server2 referring to itself as server1

It seems like this should work since the reference is entirely self contained on server2

Any advice would be greatly appreciated. We do not have the original developers anymore to reconfigure the new servers so we have to make this work using aliases/tricks/whatever...just need both servers to be active at the same time until formal cutover

Appreciate any help



April 6, 2012 5:42:50 PM

There is not much difficulty in having a server think it's another name with IP resolution. But, in the AD security you can't fake it. Can you use IPs instead of names?

September 18, 2012 4:17:45 PM

Hello mannyo,
I came across this post because I am experiencing absolutely the same problem. It's been a while since you posted this; have you found any solution to this problem? I tried lots of stuff found on Google but nothing really helped me.

Thank you in advance for an answer.