On a Windows Server Failover Cluster for each Network Name resource there is a logical name which has a corresponding computer object (CO) created. The computer object associated with the Cluster Name this is commonly referred to as the Cluster Name Object (CNO) and for all other Network Name resources these are commonly referred to as Virtual Computer Objects (VCO). The cluster service creates and manages these CNO and VCO computer objects.
Because CNO and VCO’s are managed by the cluster, they can at times have slightly different behavior than normal computer objects. Understanding these differences can be important when trying to identify when computer objects are stale and no longer being used, so that it is safe to delete them.
If you are running a Windows Server 2008 R2 or higher Domain Functional Level for your Active Directory forest, I recommend turning on the Active Directory Recycle Bin feature (which is disabled by default). Here is the step-by-step guide . Active Directory Recycle Bin helps minimize directory service downtime by enhancing your ability to preserve and restore accidentally deleted Active Directory objects without restoring Active Directory data from backups, restarting Active Directory Domain Services (AD DS), or rebooting domain controllers. This is critical for being able to quickly and seamlessly recover from accidental computer object deletion.
There are a couple different attributes commonly used by domain administrators as hints to identify computer objects that are no longer in use and are safe to be deleted:
Given that CNO and VCO computer objects are associated with mission critical high availability systems, your domain administrators may simply choose to avoid automated / scripted deletion of cluster computer objects. This can be accomplished by querying and excluding computer objects that contain a service principal name (SPN) of “MSClusterVirtualServer” from deletion. Another technique is to move all CNO and VCO's to a custom organizational unit (OU) and exclude that OU from running CO deletion scripts.
As an extra safety mechanism you can protect CNO and VCO's from accidental deletion by simply checking the "Protect object from accidental deletion" box on the objects in the Active Directory Users and Computers snap-in. See this blog for more details
Another hint which can be used to identify stale cluster computer objects is if the computer object is in a Disabled state. By default, when a cluster Network Name resource is deleted or if a cluster is destroyed, the CNO and VCO’s are placed in a disabled state. Any cluster computer object which is in a Disabled state are no longer being used by the cluster.
When destroying a cluster, you may wish to delete the computer objects instead of leaving them in a disabled state. This can be accomplished by passing the –CleanupAD switch to the Remove-Cluster PowerShell cmdlet when destroying the cluster.
If you are reading this after you have already run a script that accidently deleted a CNO or VCO computer object, here is a blog which has a step-by-step guide on how to recover the computer objects:
If you do not have the AD Recycle Bin feature, follow this blog:
If you do have the AD Recycle Bin feature, follow this blog:
Principal PM Manager
Clustering & High-Availability
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.