Share via

Cannot Install Printers Using CNAME Alias After Print Server Migration (0x00000709)

lalajee 1,826 Reputation points
2026-02-17T11:18:53.4866667+00:00

Hi all, I migrated a Windows Server 2012 print server (OldPrintServer) to Windows Server 2022 (NewPrintServer).

I created a CNAME (OldPrintServer) pointing to NewPrintServer. DNS resolves correctly, SPNs updated, BackConnectionHostNames configured, old server renamed and services stopped.

  • I can browse \\OldPrintServer\ and see all queues
  • sc \\OldPrintServer query spooler works
  • Installing directly from \\NewPrintServer\PrinterName works
  • Installing from \\OldPrintServer\PrinterName fails with 0x00000709
  • Even a new test printer using Microsoft Print to PDF fails
Windows for business | Windows Client for IT Pros | User experience | Print, fax, and scan
0 comments

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Henry Mai 7,815 Reputation points Independent Advisor
    2026-02-17T12:58:30.1966667+00:00

    Hello lalajee, I am Henry and I want to help you with this issue

    The root cause is a combination of traditional CNAME requirements and the mandatory security hardening introduced to fix the "PrintNightmare" vulnerability (CVE-2021-34527).

    While the server-side settings you've configured allow the server to listen on the alias, the security updates now require a higher level of RPC authentication from the client. When using a CNAME, this process can fail.

    Here are the complete steps for server-side configuration. Please verify every step is complete. A reboot is recommended after all changes are made.

    1. Service Principal Names (SPNs): Kerberos will fail without these. All commands are taken from the section Register the Kerberos service principal names (SPNs)
      • Command: setspn -A HOST/OldPrintServer NewPrintServer
      • Command: setspn -A HOST/OldPrintServer.yourdomain.com NewPrintServer
      • Verification: setspn -L NewPrintServer
    2. DisableStrictNameChecking: Allows the server to accept connections for names other than its own.
      • Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
      • Value: DisableStrictNameChecking
      • Type: REG_DWORD
      • Data: 1
    3. BackConnectionHostNames: (Alternative to DisableStrictNameChecking but often used together). Explicitly tells the server which aliases to accept.
      • Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
      • Value: BackConnectionHostNames
      • Type: REG_MULTI_SZ
      • Data: OldPrintServer and OldPrintServer.yourdomain.com (each on a new line).
    4. DnsOnWire: Forces the spooler to use DNS for name resolution.
      • Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print
      • Value: DnsOnWire
      • Type: REG_DWORD
      • Data: 1

    For the configuration steps at 2 and 4, you can refer to the public document Unable to connect to a printer using a CNAME record

    I hope this information and these keywords help point you in the right direction for your research. Let me know how it goes, and if this answer helps, feel free to hit “Accept Answer” so others can benefit too

    0 comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.