
Microsoft small business knowledge base

Article ID: 950805 - Last Review: September 10, 2011 - Revision: 5.0

INTRODUCTION

This article describes how to recover a deleted computer object that supports a Network Name resource in a Windows Server 2008 or Windows Server 2008 R2 failover cluster.

MORE INFORMATION

By default, the new security model in Windows Server 2008 or Windows Server 2008 R2 failover clustering includes Kerberos authentication. To create this security model, every Client Access Point (CAP) that is created in a Windows Server 2008 or Windows Server 2008 R2 failover cluster contains a Network Name resource. The Network Name resource has a corresponding Computer Account that is created in the Active Directory directory service when the resource is online for the first time.

By default, the Computer Account is created in the Computers container. However, the Computer Account can be relocated to another organizational unit (OU). The Computer Account can also be pre-staged in an OU before the CAP is created. If these Computer Accounts are deleted from Active Directory, availability of the Network Name resource will be reduced.

The computer accounts that are created in Active Directory represent the Network Name resources in a failover cluster. These accounts have the following distinct types:
  • The computer account that represents the name of the cluster is called the Cluster Name Object (CNO). This account is the primary security context for a cluster.
  • Other computer accounts that belong to Network Name resources in the same cluster are called Virtual Computer Objects (VCOs). These accounts are created by the CNO.
If either of these accounts is deleted from Active Directory, the next time that the Network Name tries to go online, the Network Name fails, and the following error message is logged in the System log:
Event ID: 1207
Event Level: Error
Event Source: FailoverClustering
Description: Cluster network name resource ResourceName cannot be brought online. The computer object associated with the resource could not be updated in domain DomainName for the following reason:

The text for the associated error code is: There is no such object on the server.

The cluster identity CNO$Name may lack permissions required to update the object. Please work with your domain administrator to ensure the cluster identity can update computer objects in the domain.

and the following messages are logged in the cluster log:

WARN  [RES] Network Name <FSCAP01>: Trying to remove credentials for LocalSystem returned status C0000225, STATUS_NOT_FOUND is a non-critical failure for a remove operation
INFO  [RES] Network Name <FSCAP01>: Initiating the Network Name operation : 'Verifying computer object associated with network name resource FSCAP01'
INFO  [RES] Network Name <FSCAP01>: Trying to find computer account FSCAP01 object GUID(d66e09dd8857e84da1f3a26fb1903e38) on any available domain controller.
WARN  [RES] Network Name <FSCAP01>: Search for existing computer account failed. status 80072030
WARN  [RES] Network Name <FSCAP01>: Search for existing computer account failed. status 80072030
INFO  [RES] Network Name <FSCAP01>: Trying to find object d66e09dd8857e84da1f3a26fb1903e38 on a PDC.
WARN  [RES] Network Name <FSCAP01>: Search for existing computer account failed. status 80072030
INFO  [RES] Network Name <FSCAP01>: Unable to find object d66e09dd8857e84da1f3a26fb1903e38 on a PDC.
INFO  [RES] Network Name <FSCAP01>: GetComputerObjectViaGUIDEx() failed, Status 80072030.
WARN  [RES] Network Name <FSCAP01>: Trying to remove credentials for LocalSystem returned status C0000225, STATUS_NOT_FOUND is a non-critical failure for a remove operation
WARN  [RHS] Resource FSCAP01 has indicated that it cannot come online on this node.
WARN  [RCM] HandleMonitorReply: ONLINERESOURCE for 'FSCAP01', gen(8) result 5015.


Note: status 80072030 = There is no such object on the server

However, problems will occur even before the Network Name resource is cycled offline and online. For example, a user or a highly available application may be unable to access resources when a security token that represents the cluster computer object in Active Directory cannot be obtained.

Recovering from the deletion of a Computer Object that is associated with a cluster Network Name resource differs depending on whether the object is the CNO or a VCO.

To recover a deleted computer object that corresponds to the CNO, follow these steps:
  1. Coordinate with a domain administrator to first recover the deleted Computer Object from the Deleted Objects container in Active Directory.
  2. Verify that the Computer Object has been restored to the correct location, and then enable the account.
  3. Force domain replication to occur, or wait for the configured replication interval.
  4. In the Failover Cluster Management Microsoft Management Console (MMC) snap-in, right-click the failed network name that corresponds to the cluster name, point to More actions, and then click Repair Active Directory Object.
Note: The user who follows these steps in the Failover Cluster Management MMC snap-in must also have the "Reset Passwords" permission in the domain.

To recover a deleted computer object that corresponds to a VCO, follow these steps:
  1. Coordinate with a domain administrator to first recover the deleted computer object from the Deleted Objects container in Active Directory.
  2. Verify that the computer object has been restored to the correct location, and then enable the account.
  3. View the security settings for the computer object, and then verify that the CNO still has permissions to the object.
  4. Force domain replication, or wait for the configured replication interval.
  5. In the Failover Cluster Management MMC snap-in, right-click the failed Network Name resource, and then click Bring this resource online.
If a deleted computer object no longer exists in the Deleted Objects container, an Active Directory authoritative restore action must be executed by using a system state backup that contains the deleted object or objects.
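The following script is an added example, not part of the KB article, showing the VCO recovery steps above with the ActiveDirectory and FailoverClusters PowerShell modules that ship with Windows Server 2008 R2; steps 1 through 3 are the same for the CNO, whose final step (Repair Active Directory Object) is only available in the Failover Cluster Management snap-in. It assumes the Active Directory Recycle Bin is enabled (so the object is still recoverable from the Deleted Objects container with Restore-ADObject), that it is run by a domain administrator, and that the resource, cluster and OU names are placeholders.

```powershell
# Added example (not from the KB article). Assumes the AD Recycle Bin is enabled
# and that the names below are placeholders for your environment.
Import-Module ActiveDirectory
Import-Module FailoverClusters

$vcoName  = 'FSCAP01'                         # Network Name resource / VCO (placeholder, as in the cluster log)
$cnoName  = 'CLUSTER01'                       # Cluster Name Object (placeholder)
$targetOu = 'OU=Clusters,DC=contoso,DC=com'   # OU where the object belongs (placeholder)

# Step 1: locate the deleted computer object in the Deleted Objects container.
# A deleted computer keeps its sAMAccountName, so match on "NAME$".
$filter  = 'isDeleted -eq $true -and sAMAccountName -eq "' + $vcoName + '$"'
$deleted = Get-ADObject -Filter $filter -IncludeDeletedObjects -Properties whenChanged |
           Sort-Object whenChanged -Descending | Select-Object -First 1
if (-not $deleted) {
    throw "No deleted object for $vcoName in Deleted Objects; an authoritative restore from a system state backup is required."
}
# Restore into the known-good OU (relevant when the account was pre-staged or relocated).
Restore-ADObject -Identity $deleted.ObjectGUID -TargetPath $targetOu

# Step 2: verify the restored location, then enable the account.
$vco = Get-ADComputer -Identity $deleted.ObjectGUID
if ($vco.DistinguishedName -notlike "*,$targetOu") {
    throw "Restored to an unexpected location: $($vco.DistinguishedName)"
}
Enable-ADAccount -Identity $vco

# Step 3: confirm the CNO still holds Allow permissions on the VCO (the CNO created it and must keep updating it).
$acl       = Get-Acl -Path "AD:\$($vco.DistinguishedName)"
$cnoRights = $acl.Access | Where-Object { $_.IdentityReference -like "*\$cnoName`$" -and $_.AccessControlType -eq 'Allow' }
if (-not $cnoRights) {
    Write-Warning "CNO $cnoName has no Allow entries on $vcoName; re-grant them before bringing the resource online."
}

# Step 4: force replication rather than waiting for the replication interval.
repadmin /syncall /AdeP

# Step 5: bring the Network Name resource online and report its state.
Start-ClusterResource -Name $vcoName
Get-ClusterResource -Name $vcoName | Select-Object Name, State
```

If the Recycle Bin is not enabled, step 1 must instead be done by reanimating the tombstone (for example with ldp.exe) or by the authoritative restore described above.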

REFERENCES

947049 (http://support.microsoft.com/kb/947049/) Description of the failover cluster security model in Windows Server 2008

For more information, visit the following Microsoft Web sites:

Recovering a Deleted Cluster Name Object (CNO) in a Windows Server 2008 Failover Cluster
http://blogs.technet.com/b/askcore/archive/2009/04/27/recovering-a-deleted-cluster-name-object-cno-in-a-windows-server-2008-failover-cluster.aspx

Event ID 1207 — Active Directory permissions for cluster accounts
http://technet2.microsoft.com/windowsserver2008/en/library/4dbabb5d-24f7-445f-b57e-1bb3b4a6d1831033.mspx

Active Directory backup and restore
http://technet.microsoft.com/en-us/library/bb727048.aspx

APPLIES TO
  • Microsoft Hyper-V Server 2008 R2
  • Windows Server 2008 R2 Datacenter without Hyper-V
  • Windows Server 2008 R2 Datacenter
  • Windows Server 2008 R2 Enterprise without Hyper-V
  • Windows Server 2008 R2 Enterprise
  • Windows Server 2008 Datacenter without Hyper-V
  • Windows Server 2008 Enterprise without Hyper-V
  • Windows Server 2008 for Itanium-Based Systems
  • Windows Server 2008 Datacenter
  • Windows Server 2008 Enterprise
Keywords: kbclustering kbhowto kbinfo KB950805