Part of my FIM installation requirements is that the FIM portal will be installed on 2 servers and load balanced.
I'm trying to find out if there is an issue using a CNAME instead of an "A" record when creating a friendly URL name for FIM. Our consultant has stated that we need to have one friendly name like "myidentity" and one that belongs to the host.
I question the suggestion that we create two "A" records for a single IP address, as long as there aren't two PTRs associated with the friendly name.
My DNS team states that they can't do this. Any advice would be appreciated.
Are you planning to use Windows NLB, or a hardware LB?
Is the DNS Windows-based? Like on a DC, AD-integrated?
Kerberos authentication works better with A records in my opinion. The problem with CNAME records is that they resolve in another way. And this makes most Kerberos clients request a ticket not for the original record, but for the one that's defined in the CNAME.
Like: myidentity -> servername -> Kerberos asks for an "HTTP/servername" ticket
Like: myidentity -> 192.168.1.1 -> Kerberos asks for an "HTTP/myidentity" ticket
So with a CNAME you have to understand very well on which accounts to register your SPNs.
I myself don't see how creating an additional A record involves issues with a PTR record. Either it is registered by the client/server, or you leave the checkbox off when you create an A record yourself.
If you are using Windows NLB, it might be easier to disable DNS registration altogether on the NLB'd network interface.
Either way, there are several answers to your question...
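As an added example (my own script, not code posted in this thread), the following PowerShell shows the check the answer above implies: resolve the friendly name, follow any CNAME chain the way a canonicalising Kerberos client does, work out which HTTP/ SPN will actually be requested, and query AD for it with setspn before registering it on the application pool's service account. The names $FriendlyName and $ServiceAccount are hypothetical placeholders; it needs the DnsClient module (Windows 8 / Server 2012 or later) and setspn.exe on a domain-joined host.

```powershell
# Added example, not from the original thread. All names below are assumptions:
#   $FriendlyName   - the load-balanced name users type (the thread's "myidentity")
#   $ServiceAccount - the domain account that runs the FIM portal application pool
param(
    [string]$FriendlyName   = 'myidentity.corp.example',
    [string]$ServiceAccount = 'CORP\svc-fimportal'
)

function Get-KerberosTargetHost {
    # Follows a CNAME chain the way a Kerberos client that canonicalises the
    # name does, and returns the host name that ends up in the HTTP/<host> request.
    param([string]$Name)
    $current = $Name
    for ($hop = 0; $hop -lt 8; $hop++) {
        $rec = Resolve-DnsName -Name $current -Type CNAME -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
        if (-not $rec) { return $current }   # A/AAAA record: the SPN uses the name itself
        $current = $rec.NameHost             # CNAME: the ticket is requested for the target
    }
    throw "CNAME chain for $Name exceeds 8 hops; check the zone for a loop."
}

$target = Get-KerberosTargetHost -Name $FriendlyName
$spns   = @("HTTP/$target")

if ($target -ne $FriendlyName) {
    # With a CNAME the ticket request names the target host, not the friendly name,
    # so HTTP/<target> is the SPN that must exist. Registering the friendly name on
    # the same account as well is harmless and covers clients that use either form.
    Write-Warning "$FriendlyName is a CNAME to $target; Kerberos will ask for HTTP/$target"
    $spns += "HTTP/$FriendlyName"
}

foreach ($spn in $spns) {
    # setspn -Q searches the forest; duplicate SPNs on two accounts break Kerberos,
    # so an existing registration must be inspected, not overwritten.
    $result = & setspn.exe -Q $spn 2>&1
    if ($result -match 'Existing SPN found') {
        Write-Output "$spn is already registered:"
        Write-Output ($result | Where-Object { $_ -match '^(CN=|HTTP/)' })
    }
    else {
        # -S refuses to add the SPN if it already exists anywhere in the forest.
        Write-Output "$spn is not registered; to register it on the app pool account run:"
        Write-Output "    setspn -S $spn $ServiceAccount"
    }
}
```

Because both load-balanced FIM portal servers answer for the same name, the SPN belongs on the one domain account the application pool runs as on both nodes, never on each server's computer account; that is the "which account" point the answer makes, and the setspn -Q step above is how to confirm it before Kerberos starts failing behind the load balancer.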