Alternate computernames

One of the neat little things that ahs been around for a while is that computers in a Windows network can have multiple names. This is especially convenient when dealing with lifecycle management, where clients may be configured to use fixed names. Even if you could change that manually at the client level, that could still be a lot of work.

Also if you are working in a regulated environment, changes are subject to a cumbersome change control process where the change control is more onerous than the actual change. One way to avoid all that is to work with alternate computernames.

Suppose we have a server system with the name ‘Zubvobwee’, which is end-of-life and needs replacing. Commissioning a new server -subject to the same change control processes- may not be a quick task so we cannot take the original server down for a lengthy amount of time. One solution can be to commission a new server with a new name. And when everything is ready, we take the old system offline, remove or temporarily rename it in Active Directory, and add the old name to the new server.

Note that this is a command you need to execute locally, with an account that has administrative permissions in Active Directory for the specified object.

After adding this computername, we also need to update the DNS records because that doesn’t happen automatically

Now, both names will show up in DNS

So far, so good. It’s important to understand that an alternate computer name is more than simply a DNS alias. You can find evidence of this in the object attributes in Active Directory. There is still only 1 object in AD, with the name that is the primary name of the object. Alternate names are shown in the msDS-AdditionalDnsHostName attribute.

But there is more. For example, any service principals associated with the computer are duplicated so that they are valid for each computername, not just the primary.

From an AD point of view, there are no practical differences between the names. You can use the alternate name for folder navigation, remote management via the Windows mmc or powershell, etc. However, in a hardened security configuration, things may be slightly different. I’ll write more on that later. In most cases however, things will work exactly as expected and alternate computernames can be a Godsend to help with migration scenarios.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s