How to recover a deleted computer object that supports a Network Name resource in a Windows Server 2008 failover cluster

Article ID : 950805
Last Review : April 21, 2008
Revision : 1.0

INTRODUCTION

This article describes how to recover a deleted computer object that supports a Network Name resource in a Windows Server 2008 failover cluster.


MORE INFORMATION

The security model in Windows Server 2008 Failover Clustering uses Kerberos authentication by default. To support it, every Client Access Point (CAP) that is created in a Windows Server 2008 failover cluster contains a Network Name resource, and each Network Name resource has a corresponding computer account that is created in the Active Directory directory service the first time the resource is brought online.

By default, the computer account is created in the Computers container. However, the computer account can be relocated to another organizational unit (OU), and it can also be pre-staged in an OU before the CAP is created. If these computer accounts are deleted from Active Directory, high availability is adversely affected.

The computer accounts that are created in Active Directory represent the Network Name resources in a failover cluster. There are two distinct types:

• The computer account that represents the name of the cluster is called the Cluster Name Object (CNO). This account is the primary security context for the cluster.
• The other computer accounts that belong to Network Name resources in the same cluster are called Virtual Computer Objects (VCOs). These accounts are created by the CNO, which therefore holds permissions on them.

If either of these accounts is deleted from Active Directory, the next time that the Network Name tries to go online, the Network Name fails, and the following error message is logged in the system event log:

Event Level: Error
Event Source: FailoverClustering
Event ID: 1207
Description: Cluster network name resource ResourceName cannot be brought online. The computer object associated with the resource could not be updated in domain DomainName for the following reason:

The text for the associated error code is: There is no such object on the server.

The cluster identity CNO$Name may lack permissions required to update the object. Please work with your domain administrator to ensure the cluster identity can update computer objects in the domain.

Problems can appear even before the Network Name resource is cycled offline and online. With the computer object gone, a security token representing the cluster identity can no longer be obtained from Active Directory, so users or highly available applications may be unable to access resources through that name.
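The checks implied by the description above, as an added example that is not part of the KB article: enumerate every Network Name resource in the local cluster, resolve each to its computer object, and flag the conditions that lead to Event 1207 (object missing or disabled, a VCO whose ACL no longer grants the CNO access) together with whether the object is protected against deletion, then list recent 1207 events. It assumes the FailoverClusters PowerShell module (Windows Server 2008 R2 and later; on 2008 RTM the same resource data comes from cluster.exe res /prop), that it runs on a cluster node as a domain user who can read the objects, and that the System log provider for the source shown as FailoverClustering is Microsoft-Windows-FailoverClustering.

```powershell
# Added example, not part of KB 950805: audit every Network Name resource in the
# local cluster against Active Directory and flag the conditions described above
# (computer object missing or disabled, VCO without an Allow ACE for the CNO,
# object not protected against deletion), then list recent Event 1207 entries.
# Assumptions: FailoverClusters module (Windows Server 2008 R2 and later), run on
# a cluster node as a domain user who can read the objects, and the provider
# name used in Get-NetworkNameFailures for the System log source FailoverClustering.
Import-Module FailoverClusters

function Find-ComputerObject {
    # Resolve "NAME$" to its DirectoryEntry in the node's own domain with
    # System.DirectoryServices, so no ActiveDirectory module is required.
    param([string]$ComputerName)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectClass=computer)(sAMAccountName=$ComputerName`$))"
    $hit = $searcher.FindOne()
    if ($hit) { $hit.GetDirectoryEntry() } else { $null }
}

function Get-ObjectSidString {
    param([System.DirectoryServices.DirectoryEntry]$Entry)
    $bytes = $Entry.psbase.Properties['objectSid'].Value
    (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
}

function Test-ClusterNetworkNames {
    $cnoName  = (Get-Cluster).Name                        # the cluster name is the CNO
    $cnoEntry = Find-ComputerObject $cnoName
    $cnoSid   = if ($cnoEntry) { Get-ObjectSidString $cnoEntry } else { $null }

    Get-ClusterResource | Where-Object { $_.ResourceType.Name -eq 'Network Name' } | ForEach-Object {
        $res     = $_
        $netName = (Get-ClusterParameter -InputObject $res -Name Name).Value
        $role    = if ($netName -ieq $cnoName) { 'CNO' } else { 'VCO' }
        $entry   = Find-ComputerObject $netName
        $row = New-Object PSObject -Property @{
            Resource = $res.Name; State = $res.State; NetName = $netName; Role = $role
            Exists = [bool]$entry; Enabled = $null; CnoHasAccess = $null
            DeleteProtected = $null; DN = $null
        }
        if ($entry) {
            $uac = [int]$entry.psbase.Properties['userAccountControl'].Value
            $row.DN      = [string]$entry.psbase.Properties['distinguishedName'].Value
            $row.Enabled = (($uac -band 2) -eq 0)                  # 0x2 = ACCOUNTDISABLE
            # Read the ACL with identities as SIDs so the CNO is matched by SID, not by name.
            $rules = $entry.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
            $row.CnoHasAccess = if ($role -eq 'CNO') { 'n/a' } else {
                [bool]($rules | Where-Object { $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq $cnoSid })
            }
            # "Protect object from accidental deletion" shows up as a Deny Delete ACE.
            $row.DeleteProtected = [bool]($rules | Where-Object {
                $_.AccessControlType -eq 'Deny' -and
                (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::Delete) -ne 0) })
        }
        $row
    }
}

function Get-NetworkNameFailures {
    # Event 1207 in the System log is the failure the article quotes.
    param([int]$Hours = 24)
    Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Microsoft-Windows-FailoverClustering'
        Id = 1207; StartTime = (Get-Date).AddHours(-$Hours) } |
        Select-Object TimeCreated, Id, Message
}

Test-ClusterNetworkNames |
    Format-Table Resource, Role, NetName, State, Exists, Enabled, CnoHasAccess, DeleteProtected -AutoSize
Get-NetworkNameFailures
```

A row with Exists set to False, or a VCO with CnoHasAccess set to False, is the state the recovery procedures below exist for; DeleteProtected set to False on a CNO or VCO is worth fixing before anyone deletes it by mistake.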

Recovery from the deletion of a computer object that is associated with a cluster Network Name resource differs depending on whether the object is a CNO or a VCO.

To recover a deleted computer object that corresponds to the CNO, follow these steps:

1. Coordinate with a domain administrator to first recover the deleted computer object from the Deleted Objects container in Active Directory.
2. Verify that the Computer Object has been restored to the correct location, and then enable the account.
3. Force domain replication to occur, or wait for the configured replication interval.
4. In the Failover Cluster Management Microsoft Management Console (MMC) snap-in, right-click the failed Network Name that corresponds to the cluster name, point to More actions, and then click Repair Active Directory Object.

Note The user who follows these steps in the Failover Cluster Management MMC snap-in must also have the Reset Passwords user right in the domain, because the repair action resets the password of the CNO computer object so that the cluster and Active Directory agree on it again.

To recover a deleted computer object that corresponds to a VCO, follow these steps:

1. Coordinate with a domain administrator to first recover the deleted computer object from the Deleted Objects container in Active Directory.
2. Verify that the computer object has been restored to the correct location, and then enable the account.
3. View the security settings for the computer object, and verify that the CNO still has permissions to the object.
4. Force domain replication, or wait for the configured replication interval.
5. In the Failover Cluster Management MMC snap-in, right-click the failed Network Name resource, and then click Bring this resource online.
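Both procedures above (the CNO steps and the VCO steps), carried out from PowerShell, as an added example that is not part of the KB article. It targets a forest without the Active Directory Recycle Bin, which is the Windows Server 2008 case: step 1 recovers the object from the Deleted Objects container by tombstone reanimation, the single LDAP modify that removes isDeleted and replaces the DN under the Show Deleted control; steps 2 to 4 enable the account, confirm its location and the CNO's permissions, and force replication; step 5 brings a VCO online. The CNO's final step, Repair Active Directory Object, has no command-line equivalent and stays in the Failover Cluster Management snap-in. The example assumes it runs on a cluster node as a domain administrator (the Reanimate Tombstones right), that the tombstone lifetime has not expired, and that the resource name, network name and cluster name passed at the bottom are hypothetical.

```powershell
# Added example, not part of KB 950805: the CNO and VCO recovery steps above,
# scripted for a forest WITHOUT the Active Directory Recycle Bin (Windows Server
# 2008). Assumptions: run on a cluster node as a domain administrator, the
# tombstone lifetime has not expired, and the names passed at the bottom are
# hypothetical. On forests with the Recycle Bin, Restore-ADObject replaces step 1.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$rootDse  = [ADSI]'LDAP://RootDSE'
$domainDn = [string]$rootDse.defaultNamingContext
$dc       = [string]$rootDse.dnsHostName      # work against one DC, then replicate out

function Find-Tombstone {
    param([string]$SamAccountName)
    $s = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$dc/$domainDn")
    $s.Tombstone = $true                       # sends the LDAP Show Deleted control
    $s.Filter = "(&(isDeleted=TRUE)(objectClass=computer)(sAMAccountName=$SamAccountName))"
    [void]$s.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'lastKnownParent'))
    $s.FindOne()
}

function Get-ComputerSidString {
    param([string]$SamAccountName)
    $s = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$dc/$domainDn")
    $s.Filter = "(&(objectClass=computer)(sAMAccountName=$SamAccountName))"
    $bytes = $s.FindOne().Properties['objectsid'][0]
    (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
}

function Restore-Tombstone {
    # Undelete is one LDAP modify: delete isDeleted, replace distinguishedName.
    param([string]$TombstoneDn, [string]$NewDn)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($dc)
    $conn.SessionOptions.Signing = $true
    $conn.SessionOptions.Sealing = $true
    $conn.Bind()                               # Negotiate (Kerberos) as the current user
    $req = New-Object System.DirectoryServices.Protocols.ModifyRequest
    $req.DistinguishedName = $TombstoneDn
    $undelete = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
    $undelete.Name = 'isDeleted'
    $undelete.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Delete
    $move = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
    $move.Name = 'distinguishedName'
    $move.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
    [void]$move.Add($NewDn)
    [void]$req.Modifications.Add($undelete)
    [void]$req.Modifications.Add($move)
    [void]$req.Controls.Add((New-Object System.DirectoryServices.Protocols.ShowDeletedControl))
    $conn.SendRequest($req).ResultCode        # Success when the object is back
}

function Recover-ClusterComputerObject {
    param([string]$ResourceName, [string]$NetName, [string]$CnoName)
    $isVco = ($NetName -ine $CnoName)

    # Step 1: find the tombstone and reanimate it into its last known parent.
    $ts = Find-Tombstone "$NetName`$"
    if (-not $ts) { throw "No tombstone for $NetName: an authoritative restore from a system state backup is needed." }
    $newDn = "CN=$NetName,$($ts.Properties['lastknownparent'][0])"
    $rc = Restore-Tombstone $ts.Properties['distinguishedname'][0] $newDn
    if ($rc -ne 'Success') { throw "Undelete failed: $rc" }

    # Step 2: a reanimated object keeps only a few attributes (objectSid,
    # sAMAccountName, nTSecurityDescriptor, userAccountControl among them);
    # confirm where it landed and clear ACCOUNTDISABLE (0x2).
    $entry = [ADSI]"LDAP://$dc/$newDn"
    $uac = [int]$entry.psbase.Properties['userAccountControl'].Value
    if ($uac -band 2) { $entry.Put('userAccountControl', ($uac -bxor 2)); $entry.SetInfo() }
    Write-Host "Restored and enabled $newDn"

    # Step 3 (VCO only): the CNO must still hold rights on the object it created.
    if ($isVco) {
        $cnoSid = Get-ComputerSidString "$CnoName`$"
        $rules  = $entry.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        $ace = $rules | Where-Object { $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq $cnoSid }
        if (-not $ace) { throw "CNO $CnoName has no Allow ACE on $newDn; re-grant it before bringing the resource online." }
    }

    # Step 4: push the change to every DC instead of waiting for the interval.
    & repadmin.exe /syncall $dc /AdeP | Out-Null

    # Step 5: a VCO can go online; the CNO needs Repair Active Directory Object.
    if ($isVco) { & cluster.exe res "$ResourceName" /online }
    else { Write-Warning "CNO restored. In Failover Cluster Management right-click the cluster name resource, More actions, Repair Active Directory Object." }
}

# Hypothetical names: the resource "Cluster Name" backs the CNO CLUSTER01.
Recover-ClusterComputerObject -ResourceName 'Cluster Name' -NetName 'CLUSTER01' -CnoName 'CLUSTER01'
```

Everything is done against the single DC the node is already bound to, so the enable and ACL check see the reanimated object immediately and repadmin then pushes one consistent state outward. Because reanimation strips most attributes, including the password, the cluster has to rewrite the object afterwards: bringing the VCO online lets the CNO do that, and for the CNO itself that rewrite is exactly what Repair Active Directory Object performs.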

If the deleted computer object no longer exists in the Deleted Objects container (its tombstone lifetime has expired), an Active Directory authoritative restore must be performed by using a system state backup that contains the deleted object or objects.


REFERENCES

947049 Description of the failover cluster security model in Windows Server 2008

For more information, visit the following Microsoft Web sites:

Event ID 1207 — Active Directory permissions for cluster accounts
http://technet2.microsoft.com/windowsserver2008/en/library/4dbabb5d-24f7-445f-b57e-1bb3b4a6d1831033.mspx

Active Directory backup and restore
http://technet.microsoft.com/en-us/library/bb727048.aspx



APPLIES TO
• Windows Server 2008 Datacenter without Hyper-V
• Windows Server 2008 Enterprise without Hyper-V
• Windows Server 2008 for Itanium-Based Systems
• Windows Server 2008 Datacenter
• Windows Server 2008 Enterprise


Keywords: 
kbhowto kbinfo KB950805


 

Microsoft Knowledge Base Article

This article's contents are Microsoft copyrighted material.
Microsoft Corporation. All rights reserved.

