Sunday, February 22, 2009

Access Denied Using Multiple Server Names (OptionalNames)

Bulletin: 022109

Software Affected:
ServerMigrator - multiple server name feature

The multiple name feature (OptionalNames) in ServerMigrator has been used to assign both the old and the new server name to the target server. Both names are reachable by ping, DNS is working correctly and the old server has been shut down, yet access is denied.
When clients try to connect to a share using the old server name, access is denied with the message: Logon Failure: target account name is incorrect.
The following error appears in the event viewer when accessing the old server UNC name:

The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/OldServerName/domainName. This indicates that the password used to encrypt the Kerberos service ticket is different than that on the target server. Commonly, this is due to identically named machine accounts in the target realm and the client realm. Please contact your system administrator.

On Windows 2003 or newer servers, edit or add the following Registry entry for the OptionalNames value to work correctly.

for DNS aliasing to work.

This issue was finally resolved thanks to our client, Ken Jackson at Malco Products Inc. in Barberton, Ohio.
After using ServerMigrator to add additional names to a server, change the DNS setting of the old server to point to the new server IP address and verify that the registry settings are correct. Then manually remove the old server name from the domain using the Active Directory Users and Computers MMC. Once it is deleted, add the old server name to Active Directory again and reboot the server with the two names.

Once again our thanks go to Ken Jackson for his efforts in resolving this issue.
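
The state that the procedure above depends on can be checked from PowerShell. This is an added example, not part of the original bulletin or of ServerMigrator; `OLDSERVER` and `NEWSERVER` are placeholder names, and it assumes PowerShell 3 or later with the RSAT Active Directory module installed.

```powershell
# Added example. OLDSERVER / NEWSERVER are placeholders, not names from the bulletin.
param(
    [string]$OldName = 'OLDSERVER',
    [string]$NewName = 'NEWSERVER'
)
Import-Module ActiveDirectory   # assumption: RSAT Active Directory module is available

# Return the sorted IPv4 addresses a host name resolves to.
function Get-IPv4 ([string]$Name) {
    [System.Net.Dns]::GetHostAddresses($Name) |
        Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
        ForEach-Object { $_.IPAddressToString } | Sort-Object
}

# DNS check: every address of the old name must belong to the new server.
$oldIps   = @(Get-IPv4 $OldName)
$newIps   = @(Get-IPv4 $NewName)
$strayIps = @($oldIps | Where-Object { $newIps -notcontains $_ })
$dnsOk    = ($oldIps.Count -gt 0) -and ($strayIps.Count -eq 0)

# Account check: look up the computer object that carries the old name.
# An object created before the migration is the old server's original
# account; the bulletin's fix is to delete it and add the name again.
$acct = Get-ADComputer -Filter "Name -eq '$OldName'" `
                       -Properties whenCreated, PasswordLastSet

[pscustomobject]@{
    OldName                = $OldName
    OldNameResolvesTo      = $oldIps -join ', '
    PointsAtNewServer      = $dnsOk
    AccountExists          = [bool]$acct
    AccountCreated         = $acct.whenCreated
    AccountPasswordLastSet = $acct.PasswordLastSet
}

# Event check: recent Kerberos errors naming the old server. This is only
# meaningful on a client that has tried to reach \\OLDSERVER\share.
Get-WinEvent -LogName System -MaxEvents 2000 |
    Where-Object {
        $_.Message -match 'KRB_AP_ERR_MODIFIED' -and
        $_.Message -match [regex]::Escape($OldName)
    } |
    Select-Object TimeCreated, Id, ProviderName
```

After the account has been deleted and added again and the server rebooted, `AccountCreated` should show the new date and the event query should return nothing for fresh connection attempts.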