It is possible you are running into a Kerberos problem, because if you just set a DNS record, the computer object does not get updated with the required SPN (Service Principal Name). While you can add the SPN manually and it will work, there is another way. First, delete the DNS alias.
The old method of adding a DNS alias and setting the DisableStrictNameChecking registry value is no longer recommended because it does not manage SPNs automatically. Note that the method described here is only supported on servers; the command fails on client operating systems.
When you issue the netdom computername /add: command, every service class present on the computer object at that moment (including custom ones) is duplicated for the additional hostname. This is a one-time action: if an SPN is added automatically later (e.g. by enabling RDP access for the first time, which adds the TERMSRV service class), it is added only for the primary hostname, and the matching SPNs for the additional hostnames must be added manually. The recommendation is therefore to fully install a server with all of its roles before adding any additional hostnames.
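The manual follow-up described above (a service class such as TERMSRV appeared on the primary hostname after the additional hostname was added) can be scripted. The script below is an added example and is not part of the original post: it reads the computer object, finds every SPN registered for the primary FQDN or short name, derives the equivalent SPN for each additional hostname, checks the domain for duplicates, and adds only the missing ones. It assumes the RSAT ActiveDirectory module is installed, that the caller can write servicePrincipalName, and that netdom stores the FQDN form of each additional name in msDS-AdditionalDnsHostName alongside a NetBIOS form (the filter keeps only the FQDN entries).

```powershell
<#
  Added example (not from the original post): re-sync SPNs for every additional
  hostname of a computer object after a new service class (e.g. TERMSRV) was
  registered for the primary hostname only.
  Assumes: RSAT ActiveDirectory module; an account allowed to write
  servicePrincipalName. Run with -WhatIf to preview without writing.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$ComputerName = $env:COMPUTERNAME
)

Import-Module ActiveDirectory

$computer = Get-ADComputer -Identity $ComputerName -ErrorAction Stop `
    -Properties servicePrincipalName, dNSHostName, 'msDS-AdditionalDnsHostName'

$primaryFqdn  = $computer.dNSHostName
$primaryShort = $computer.Name

# Assumption: netdom stores both "alias.domain.com" and a NetBIOS form
# ("ALIAS" + NUL + "$") in this attribute; keep only the FQDN entries and
# derive the short name from the first label.
$additionalFqdns = @($computer.'msDS-AdditionalDnsHostName' |
    Where-Object { $_ -match '^[^\x00$]+\.[^\x00$]+$' })
if (-not $additionalFqdns) {
    Write-Warning "No additional DNS hostnames found on $ComputerName"
    return
}

# Index the existing SPNs case-insensitively (KDCs match SPNs that way too)
$existing = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
foreach ($spn in $computer.servicePrincipalName) { [void]$existing.Add($spn) }

# Split "class/host[:port][/servicename]" into class, host and the remainder
function Split-Spn([string]$Spn) {
    if ($Spn -notmatch '^(?<class>[^/]+)/(?<host>[^/:]+)(?<rest>.*)$') { return $null }
    [pscustomobject]@{ Class = $Matches.class; Host = $Matches.host; Rest = $Matches.rest }
}

# For every SPN bound to the primary name, build the same SPN for each
# additional name and keep those that are not registered yet
$toAdd = foreach ($spn in $computer.servicePrincipalName) {
    $p = Split-Spn $spn
    if (-not $p) { continue }
    foreach ($fqdn in $additionalFqdns) {
        $newHost = $null
        if ($p.Host -ieq $primaryFqdn)      { $newHost = $fqdn }
        elseif ($p.Host -ieq $primaryShort) { $newHost = $fqdn.Split('.')[0] }
        if (-not $newHost) { continue }
        $candidate = "$($p.Class)/$newHost$($p.Rest)"
        if (-not $existing.Contains($candidate)) { $candidate }
    }
}

foreach ($spn in @($toAdd | Sort-Object -Unique)) {
    # A duplicate SPN breaks Kerberos for both accounts; refuse to add one that
    # already exists on another object in this domain (use -Server <GC> on
    # Get-ADObject for a forest-wide check).
    $dup = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" |
        Where-Object { $_.DistinguishedName -ne $computer.DistinguishedName }
    if ($dup) {
        Write-Warning "Skipping $spn : already registered on $($dup.DistinguishedName -join '; ')"
        continue
    }
    if ($PSCmdlet.ShouldProcess($computer.DistinguishedName, "Add SPN $spn")) {
        Set-ADComputer -Identity $computer -ServicePrincipalNames @{ Add = $spn }
        Write-Host "Added $spn"
    }
}
```

Run it once after each role or feature that registers a new service class (RDP, SQL Server, WinRM over HTTPS), first with -WhatIf to review the list. Because it derives the additional SPNs from whatever is registered for the primary name, it also covers custom service classes, which is the same behaviour netdom shows at /add time.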
Log on to the server that should get the additional hostname and open an administrative PowerShell prompt as a domain admin, or as an account that can write the servicePrincipalName and msDS-AdditionalDnsHostName attributes of the computer object.

Add the additional hostname:
netdom computername SERVER /add:server.domain.com

Refresh DNS:
ipconfig /registerdns
If the command fails with an error, e.g. because the name is already present somewhere in AD:
The system cannot open the device or file specified
the /enum command (and only that) will still list the additional hostname, probably because it is written to the registry immediately. Make sure to clean up the entry with /remove before you try again.
Note: this method causes the server to automatically register the additional hostname (stored as OptionalNames in the registry) in DNS as a second A record, not a CNAME.
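The complete procedure above (check for a leftover DNS alias, netdom /add, clean up with /remove when /add fails, refresh DNS, then verify the attribute, the HOST SPNs and the A record) as one script. This is an added example, not code from the original post. It assumes it is run elevated on the server itself by an account that can write msDS-AdditionalDnsHostName and servicePrincipalName, that the RSAT ActiveDirectory and DnsClient modules are available for the verification step, and that the hostnames passed in are placeholders for your own.

```powershell
<#
  Added example (not from the original post): add an extra hostname with
  netdom, clean up the half-written registry entry if /add fails, refresh DNS
  and verify the result in AD and DNS.
  Assumes: run elevated on the server itself; caller can write
  msDS-AdditionalDnsHostName and servicePrincipalName; RSAT ActiveDirectory
  module and Resolve-DnsName available. Hostnames are placeholders.
#>
param(
    [Parameter(Mandatory)][string]$AdditionalFqdn,   # e.g. alias.domain.com
    [string]$ComputerName = $env:COMPUTERNAME
)

# 1. The old CNAME/A alias must be gone first, otherwise the server would try
#    to register an A record for a name that already resolves elsewhere.
$stale = Resolve-DnsName -Name $AdditionalFqdn -Type A -ErrorAction SilentlyContinue
if ($stale) {
    $types = ($stale | Select-Object -ExpandProperty Type -Unique) -join ', '
    throw "$AdditionalFqdn already has a DNS record ($types); delete the old alias first."
}

# 2. Add the name. netdom writes OptionalNames to the registry before AD is
#    updated, so on failure the name may show up in /enum even though AD
#    rejected it; remove that stale entry before the caller retries.
$output = & netdom computername $ComputerName "/add:$AdditionalFqdn" 2>&1
if ($LASTEXITCODE -ne 0) {
    Write-Warning "netdom /add failed (exit $LASTEXITCODE): $output"
    $listed = & netdom computername $ComputerName /enum 2>&1
    if ($listed -match [regex]::Escape($AdditionalFqdn)) {
        Write-Warning "$AdditionalFqdn is still listed by /enum; removing the stale entry"
        & netdom computername $ComputerName "/remove:$AdditionalFqdn" | Out-Null
    }
    throw "Resolve the conflict (search AD for an object that already uses $AdditionalFqdn) and re-run."
}

# 3. Re-register the server's names in DNS; the additional name is registered
#    as a second A record, not a CNAME.
ipconfig /registerdns | Out-Null

# 4. Verify: the AD attribute, the HOST SPNs netdom duplicated, and the A record.
Import-Module ActiveDirectory
$c = Get-ADComputer -Identity $ComputerName -ErrorAction Stop `
    -Properties 'msDS-AdditionalDnsHostName', servicePrincipalName
$short = $AdditionalFqdn.Split('.')[0]
$aRecord = Resolve-DnsName -Name $AdditionalFqdn -Type A -ErrorAction SilentlyContinue |
    Where-Object Type -eq 'A'

[pscustomobject]@{
    InAdditionalDnsHostName = [bool]($c.'msDS-AdditionalDnsHostName' -contains $AdditionalFqdn)
    HostSpnFqdn             = [bool]($c.servicePrincipalName -contains "HOST/$AdditionalFqdn")
    HostSpnShort            = [bool]($c.servicePrincipalName -contains "HOST/$short")
    DnsARecord              = ($aRecord.IPAddress -join ', ')
}
```

Save it as a .ps1 and run it with -AdditionalFqdn alias.domain.com from an elevated prompt on the server. All three boolean fields should be True; DnsARecord may be empty for a short while because dynamic registration runs asynchronously, in which case re-run only the Resolve-DnsName step. If HostSpnFqdn is False while the attribute was written, the service classes for the additional name were not duplicated and need to be added by hand, as described for the TERMSRV case.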