There are a couple of native mode scenarios that require PKI certificates with more than one server name in the certificate, which is when you need to specify a Subject Alternative Name (SAN) value when you're using Certificate Services with Windows Server 2003 or Windows Server 2008:
Network load balancing (NLB) management points and software update points.
Internet-based site systems that need to specify intranet and Internet server names - for example, a management point that accepts connections from clients on the Internet and on the intranet.
Until recently, we've been directing customers to KB 931351
How to add a Subject Alternative Name to a secure LDAP certificate
as the best documentation to help you deploy certificates with more than one name in the certificate. However, this KB was written for domain controllers so that they could support secure LDAP, and using Windows Server 2003 CA with SAN attributes. We've been working with the Certificate Services documentation team and passing on your feedback that this document didn't include Windows Server 2008 CA or the Certificate Enrollment wizard, and the instructions to specify the FQDN of a domain controller were confusing (not relevant for Configuration Manager scenarios). Additionally, this document didn't explain how SAN extensions could be used as a safer alternative to SAN attributes, and it didn't include any security best practices for production environments (such as the risk of impersonation when enabling SAN attributes, and the recommendation to use manual approval and the separation of duties with role-based administration).
This new documentation addresses all these things and includes a script (MakeSanExt.vbs) to request certificates with a base64-encoded SAN extension.