Richard,

That is exactly what we had to do for a migration to make Kerberos work and stay working for 3 months while the vendor upgraded some software code. Worked great.

Its primary use is for renaming domain controllers; during the process netdom will copy the old name of the server into this additionaldns field. Disabling strict name checking and using this "hack" works as well to allow Kerberos to continue to function, and when the SPNs are rewritten, voila, they both stay.

Greg

From: Richard Stovall [mailto:rich...@gmail.com]
Sent: Monday, July 26, 2010 4:36 PM
To: NT System Admin Issues
Subject: Re: setspn persistence

Your machine wouldn't happen to be a domain controller, would it? See the last 4 comments to a very interesting article.

http://blogs.technet.com/b/askds/archive/2008/05/29/kerberos-authentication-problems-service-principal-name-spn-issues-part-1.aspx

On Mon, Jul 26, 2010 at 3:31 PM, Phillip Partipilo <p...@psnet.com> wrote:

I'm decommissioning some servers, and to ease the transition, since we have some old code that is hardcoded with old server names, I'm going through the motions of setting up CNAME DNS records to point any queries to the old server to the new server, set up the key in HKLM\System\CurrentControlSet\Services\lanmanserver for DisableStrictNameChecking to 0x1, set up the key in HKLM\System\CurrentControlSet\Control\Lsa for DisableLoopBackCheck to 0x1, and then finally used the setspn tool to add SPNs to the new replacement server so it will happily accept and authenticate clients that are asking for resources and generating Kerberos tickets for the old server name.

Problem is that the setspn additions aren't holding as persistent... Every so often they just disappear...

During this transition I don't want to make this really ugly by having a scheduled task to run a batch file every minute to add these SPNs, so is there a way to force these entries as persistent? I know this is a severe hack but I'm trying to make my job easy with this transition, I'm stretched pretty thin these days :-(

Phillip Partipilo
Parametric Solutions Inc.
Jupiter, Florida
(561) 747-6107

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
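
An added example, not part of the thread or any poster's code: a PowerShell check, run on the replacement server, that reports the two registry values discussed above and whether the alias SPNs are still registered on the computer account, so a disappearing SPN is noticed and the relaxed checks are tracked for removal after the transition. The alias names are constructed placeholders, and reading msDS-AdditionalDnsHostName as the "additionaldns field" mentioned in the thread is an assumption.

```powershell
# Added example: audit the old-name workaround on the replacement server.
# $Aliases holds constructed placeholder names; supply the real old server names.
param(
    [string[]]$Aliases        = @('oldserver', 'oldserver.example.local'),
    [string[]]$ServiceClasses = @('HOST')
)

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the value is absent (the default behaviour applies).
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function New-Row([string]$Item, $Value) {
    [pscustomobject]@{ Item = $Item; Value = $Value }
}

# Registry relaxations named in the thread. Both loosen default checks, so they
# are reported for removal once the old names are retired.
# DisableStrictNameChecking lives under the LanmanServer\Parameters subkey.
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
New-Row 'DisableStrictNameChecking' (Get-RegValue $lanman 'DisableStrictNameChecking')
New-Row 'DisableLoopbackCheck'      (Get-RegValue $lsa 'DisableLoopbackCheck')

# Read this machine's own computer account from Active Directory.
$filter   = "(&(objectCategory=computer)(sAMAccountName=$($env:COMPUTERNAME)`$))"
$searcher = [adsisearcher]$filter
$searcher.PropertiesToLoad.AddRange(
    [string[]]@('serviceprincipalname', 'msds-additionaldnshostname'))
$result = $searcher.FindOne()
if (-not $result) { throw "Computer account for $env:COMPUTERNAME not found" }

$spns  = @($result.Properties['serviceprincipalname'])
$extra = @($result.Properties['msds-additionaldnshostname'])

# Assumption: this attribute is the "additionaldns field" the thread refers to.
New-Row 'msDS-AdditionalDnsHostName' ($extra -join ', ')

# One row per expected alias SPN; False means the SPN has been dropped.
foreach ($class in $ServiceClasses) {
    foreach ($alias in $Aliases) {
        $spn = "$class/$alias"
        New-Row "SPN $spn registered" ($spns -contains $spn)
    }
}
```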