One of the responsibilities of cluster Network Name resource is to rotate the password of the computer object in Active Directory associated with it. When the Network Name resource is online, it will rotate the password according to domain and local machine policy (which is 30 days by default).
If the password is different from what is stored in the cluster database, the cluster service will be unable to logon to the computer object and the Network Name will fail to come online. This may also cause issues such as Kerberos errors, failure to register in a secure DNS zone, and live migration to fail.
The Repair Active Directory Object option is a recovery tool to re-synchronize the password for cluster computer objects. It can be found in Failover Cluster Manager (CluAdmin.msc) by right-clicking on the Network Name, selecting More Actions…, and then clicking Repair Active Directory Object.
Cluster Name Object (CNO) - The CNO is the computer object associated with the Cluster Name resource. When using Repair on the Cluster Name, it will use the credentials of the currently logged on user and reset the computer objects password. To run Repair, you must have the "Reset Password" permissions to the CNO computer object.
Virtual Computer Object (VCO) - The CNO is responsible for managing the passwords on all other computer objects (VCO's) for other cluster network names in the cluster. If the password for a VCO falls out of sync, the CNO will reset the password and self-heal automatically. Therefore it is not needed to run Repair to reset the password for a VCO. In Windows Server 2012 a Repair action was added for all other cluster Network Names, and is a little bit different. Repair will check to see if the associated computer object exists in Active Directory. If the VCO had been accidentally deleted, then using Repair will re-create the computer object if it is missing. The recommended process to recover deleted computer objects is with the AD Recycle Bin feature, using Repair to re-create computer objects when they have been deleted should be a last resort recovery action. This is because some applications store attributes in the computer object (namely MSMQ), and recreating a new computer object will break the application. Repair is a safe action to perform on any SQL Server, or File Server deployment. The CNO must have "Create Computer Objects" permissions on the OU in which it resides to recreate the VCO's.
To run Repair, the Network Name resource must be in a "Failed" or "Offline" state. Otherwise the option will be grayed out.
Repair is only available through the Failover Cluster Manager snap-in, there is no Powershell cmdlet available to script the action.
If you are running Windows Server 2012 and find that you are having to repeatedly run Repair every ~30 days, ensure you have hotfix KB2838043 installed.
Matt Kurjanowicz Senior Software Development Engineer Clustering & High-Availability Microsoft