Understanding the Repair Active Directory Object Recovery Action

Published 03-15-2019 02:39 PM

First published on MSDN on Dec 13, 2013


One of the responsibilities of the cluster Network Name resource is to rotate the password of the computer object in Active Directory associated with it.  When the Network Name resource is online, it rotates the password according to domain and local machine policy (every 30 days by default).


If the password in Active Directory differs from what is stored in the cluster database, the cluster service will be unable to log on to the computer object and the Network Name will fail to come online.  This can also cause Kerberos errors, failure to register in a secure DNS zone, and failed live migrations.

The Repair Active Directory Object option is a recovery tool to re-synchronize the password for cluster computer objects.  It can be found in Failover Cluster Manager (CluAdmin.msc) by right-clicking on the Network Name, selecting More Actions…, and then clicking Repair Active Directory Object.


    • Cluster Name Object (CNO) - The CNO is the computer object associated with the Cluster Name resource.  When you run Repair on the Cluster Name, it uses the credentials of the currently logged-on user to reset the computer object's password.  To run Repair, you must have the "Reset Password" permission on the CNO computer object.
    • Virtual Computer Object (VCO) - The CNO is responsible for managing the passwords of all other computer objects (VCOs) for the other cluster network names in the cluster.  If the password for a VCO falls out of sync, the CNO resets the password and self-heals automatically, so running Repair to reset the password of a VCO is not necessary.  In Windows Server 2012 a Repair action was added for all other cluster Network Names, and it behaves a little differently: Repair checks whether the associated computer object exists in Active Directory, and if the VCO had been accidentally deleted, Repair re-creates the computer object.  The recommended process to recover deleted computer objects is the AD Recycle Bin feature; using Repair to re-create deleted computer objects should be a last-resort recovery action, because some applications (namely MSMQ) store attributes in the computer object, and recreating a new computer object will break the application.  Repair is a safe action to perform on any SQL Server or File Server deployment.  The CNO must have "Create Computer Objects" permissions on the OU in which it resides to re-create VCOs.
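The two permissions described above (Reset Password on the CNO, and Create Computer Objects granted to the CNO on its OU) can be audited before a Repair is attempted. The following is an added example, not code from the article or from Failover Clustering itself; it assumes the RSAT ActiveDirectory module (Get-ADComputer, Get-ADDomain and the AD: drive), and the CNO name `CLUSTER1` is a constructed placeholder.

```powershell
# Added example (not from the article): report the ACEs that the Repair action depends on.
# Assumes the ActiveDirectory module; $CnoName is a constructed placeholder for your cluster's CNO.
Import-Module ActiveDirectory

$CnoName = 'CLUSTER1'   # placeholder, replace with the Cluster Name resource's computer object

# Well-known GUIDs used in AD ACEs (assumed from the default schema):
$ResetPasswordGuid = [guid]'00299570-246d-11d0-a768-00aa006e0529'   # User-Force-Change-Password ("Reset Password")
$ComputerClassGuid = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of the 'computer' class

$cno        = Get-ADComputer -Identity $CnoName
$ouDn       = ($cno.DistinguishedName -split ',', 2)[1]             # parent OU/container of the CNO
$cnoAccount = "$((Get-ADDomain).NetBIOSName)\$($cno.SamAccountName)" # e.g. CONTOSO\CLUSTER1$

# Return the Allow ACEs on $Dn that grant $Right either for the specific $ObjectType,
# for all object types (empty GUID), or via GenericAll.
function Get-MatchingAce {
    param([string]$Dn,
          [System.DirectoryServices.ActiveDirectoryRights]$Right,
          [guid]$ObjectType)
    $all = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    (Get-Acl -Path "AD:\$Dn").Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights.HasFlag($Right) -or $_.ActiveDirectoryRights.HasFlag($all)) -and
        ($_.ObjectType -eq $ObjectType -or $_.ObjectType -eq [guid]::Empty)
    }
}

# 1. Who is allowed to reset the CNO's password (required to run Repair on the Cluster Name).
Write-Host "Principals with Reset Password on $($cno.DistinguishedName):"
Get-MatchingAce -Dn $cno.DistinguishedName -Right ExtendedRight -ObjectType $ResetPasswordGuid |
    Select-Object -ExpandProperty IdentityReference -Unique |
    ForEach-Object { Write-Host "  $_" }

# 2. Does the CNO itself hold Create Computer Objects on its OU (required to re-create a deleted VCO)?
$createAces   = Get-MatchingAce -Dn $ouDn -Right CreateChild -ObjectType $ComputerClassGuid
$cnoHasCreate = [bool]($createAces | Where-Object { $_.IdentityReference.Value -eq $cnoAccount })
Write-Host "CNO ($cnoAccount) has Create Computer Objects on ${ouDn}: $cnoHasCreate"
```

The first list only shows explicit ACEs on the CNO (group membership is not expanded), so a user may hold Reset Password through one of the groups listed; the second check matches the CNO account by name, which is enough to confirm the delegation the article calls for.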



To run Repair, the Network Name resource must be in a "Failed" or "Offline" state; otherwise the option will be grayed out.

Repair is only available through the Failover Cluster Manager snap-in; there is no PowerShell cmdlet available to script the action.


If you are running Windows Server 2012 and find that you are having to repeatedly run Repair every ~30 days, ensure you have hotfix KB2838043 installed.


Matt Kurjanowicz
Senior Software Development Engineer
Clustering & High-Availability



Regular Visitor

Hi John - any way to query the password date in the cluster database?  I have a 2-node 2016 cluster that is alerting with 1196 DNS bad key.




Unfortunately no, there is not a way.  The password date is a part of the crypto checkpoint key of the network name.


Regular Visitor

Thanks John for replying to my question.

Occasional Visitor



@John Marlin : On the newer versions of Windows (2016/2019), is there a way to do a CNO repair from PowerShell / command line?






Unfortunately no. At this time, the Cluster Manager UX is the only method to accomplish this.

Occasional Visitor

Thanks John, hopefully it will make it a new version / update :)


Found out that there is an API for managing the cluster that can be used for this (clusapi.dll).
It's not 1 line though :) - my code reached ~400...
Am posting here some instructions for those who are looking for something like this.


First you have to create the computer account in the AD and set its typical CNO properties (SPNs, DNSHostName, msDS-SupportedEncryptionTypes, KerberosEncryptionType, compoundIdentitySupported and, why not, Description). Generate a new password and set it for the CNO.
Then retrieve the ObjectGuid of the new CNO from AD.
Use New/Set/Get-AdComputer and Set-ADAccountPassword for all these.
Set this ObjectGuid in the registry for the Cluster Name resource on all nodes (HKLM:\Cluster\Resources\...).


Then comes the fun part. Use Add-Type to import the dll and expose the API functions.
From clusapi.dll you'll need to use:
- OpenCluster
- OpenClusterNode
- OpenClusterResource
- ClusterResourceControl (with the CLUSCTL_RESOURCE_NETNAME_SET_PWD_INFO control code).
You also need to use some additional APIs for creating and handling the memory structure (a byte array) required as input for ClusterResourceControl (containing the GUID and password - if you sum up the specs from the documentation it is a 568-byte array, but you need 680 for the function call; just fill the rest with 0s).
From kernel32.dll and msvcrt.dll use these:
- VirtualAlloc
- memset
- VirtualFree
Before calling ClusterResourceControl set the resource for the cluster name offline and bring it back online after.


Then do some additional cleanup / setup like granting CNO permissions on the VCO and on its DNS record.


If I missed something from the process, I'll appreciate your input.


Here are the useful links for all these:



Version history - Last update: Aug 07 2019 11:52 AM