Thanks John, hopefully it will make it into a new version / update 🙂
Found out that there is an API for managing the cluster that can be used for this (clusapi.dll).
It's not 1 line though 🙂 - my code reached ~400...
I am posting some instructions here for those who are looking for something like this.
First you have to create the computer account in AD and set its typical CNO properties (SPNs, DNSHostName, msDS-SupportedEncryptionTypes, KerberosEncryptionType, compoundIdentitySupported and why not, Description). Generate a new password and set it for the CNO.
Then retrieve the ObjectGuid of the new CNO from AD.
Use New/Set/Get-AdComputer and Set-ADAccountPassword for all these.
Set this ObjectGuid in the registry for the Cluster Name resource on all nodes (HKLM:\Cluster\Resources\...).
Then comes the fun part. Use Add-Type to import the dll and expose the API functions.
From clusapi.dll you'll need to use:
- OpenCluster
- OpenClusterNode
- OpenClusterResource
- ClusterResourceControl (with the CLUSCTL_RESOURCE_NETNAME_SET_PWD_INFO control code).
You also need to use some additional APIs for creating and handling the memory structure (a byte array) required as input for ClusterResourceControl (containing the GUID and password - if you sum up the specs from the documentation it is a 568-byte array, but you need 680 for the function call, just fill the rest with 0s).
From kernel32.dll and msvcrt.dll use these:
- VirtualAlloc
- memset
- VirtualFree
Before calling ClusterResourceControl set the resource for the cluster name offline and bring it back online after.
Then do some additional cleanup / setup like granting the CNO permissions on the VCO and on its DNS record.
If I missed something from the process, I'll appreciate your input.
Here are the useful links for all these:
https://docs.microsoft.com/en-us/windows/win32/api/clusapi/
https://docs.microsoft.com/en-us/previous-versions/windows/desktop/mscs/clusctl-resource-netname-set-pwd-info
https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-CMRP/%5BMS-CMRP%5D-190313-diff.pdf
https://www.fuzzysecurity.com/tutorials/24.html
http://www.exploit-monday.com/2012/05/accessing-native-windows-api-in.html
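
A sketch of the Add-Type step described in the post, added here as an example; it is not the poster's ~400-line script. The names `Native.ClusApi` and `Invoke-NetNameSetPwdInfo` are hypothetical, and because the post gives neither the numeric control code nor the field layout of the input, the caller supplies both `$ControlCode` and the already-built `$PwdInfo` bytes from the linked documentation. It assumes the local cluster and passes NULL for the host node rather than a handle from OpenClusterNode.

```powershell
Add-Type -Namespace Native -Name ClusApi -MemberDefinition @'
[DllImport("clusapi.dll", CharSet = CharSet.Unicode)]
public static extern IntPtr OpenCluster(string lpszClusterName);
[DllImport("clusapi.dll", CharSet = CharSet.Unicode)]
public static extern IntPtr OpenClusterResource(IntPtr hCluster, string lpszResourceName);
[DllImport("clusapi.dll")]
public static extern uint ClusterResourceControl(IntPtr hResource, IntPtr hHostNode, uint dwControlCode,
    IntPtr lpInBuffer, uint nInBufferSize, IntPtr lpOutBuffer, uint nOutBufferSize, out uint lpBytesReturned);
[DllImport("clusapi.dll")] public static extern bool CloseClusterResource(IntPtr h);
[DllImport("clusapi.dll")] public static extern bool CloseCluster(IntPtr h);
[DllImport("kernel32.dll")]
public static extern IntPtr VirtualAlloc(IntPtr lpAddress, UIntPtr dwSize, uint flAllocationType, uint flProtect);
[DllImport("kernel32.dll")]
public static extern bool VirtualFree(IntPtr lpAddress, UIntPtr dwSize, uint dwFreeType);
[DllImport("msvcrt.dll", CallingConvention = CallingConvention.Cdecl)]
public static extern IntPtr memset(IntPtr dest, int c, UIntPtr count);
'@
function Invoke-NetNameSetPwdInfo {   # hypothetical helper name
    param([string]$ResourceName, [uint32]$ControlCode, [byte[]]$PwdInfo)
    $size = 680; $len = [UIntPtr]::new([uint64]$size)   # call size from the post
    if ($PwdInfo.Length -gt $size) { throw "Input is larger than $size bytes" }
    $api = [Native.ClusApi]; $hRes = [IntPtr]::Zero; $buf = [IntPtr]::Zero
    # [NullString]::Value passes a real NULL (local cluster); $null would become ""
    $hCluster = $api::OpenCluster([NullString]::Value)
    if ($hCluster -eq [IntPtr]::Zero) { throw 'OpenCluster failed' }
    try {
        $hRes = $api::OpenClusterResource($hCluster, $ResourceName)
        if ($hRes -eq [IntPtr]::Zero) { throw 'OpenClusterResource failed' }
        # 0x3000 = MEM_COMMIT | MEM_RESERVE, 0x04 = PAGE_READWRITE
        $buf = $api::VirtualAlloc([IntPtr]::Zero, $len, 0x3000, 0x04)
        if ($buf -eq [IntPtr]::Zero) { throw 'VirtualAlloc failed' }
        [void]$api::memset($buf, 0, $len)   # zero-fill so the tail past the input is 0s
        [Runtime.InteropServices.Marshal]::Copy($PwdInfo, 0, $buf, $PwdInfo.Length)
        $returned = [uint32]0
        $rc = $api::ClusterResourceControl($hRes, [IntPtr]::Zero, $ControlCode,
            $buf, $size, [IntPtr]::Zero, 0, [ref]$returned)
        if ($rc -ne 0) { throw "ClusterResourceControl returned error $rc" }
    } finally {
        # Wipe both copies of the password material before releasing them
        if ($buf -ne [IntPtr]::Zero) {
            [void]$api::memset($buf, 0, $len)
            [void]$api::VirtualFree($buf, [UIntPtr]::Zero, 0x8000)   # MEM_RELEASE
        }
        [Array]::Clear($PwdInfo, 0, $PwdInfo.Length)
        if ($hRes -ne [IntPtr]::Zero) { [void]$api::CloseClusterResource($hRes) }
        [void]$api::CloseCluster($hCluster)
    }
}
```

As the post says, the Cluster Name resource is set offline before this call and brought back online afterwards.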