Recovering a Deleted Cluster Name Object (CNO) in a Windows Server 2008 Failover Cluster, Part 2
In a previous blog post, Chuck Timon explained how to recover your Cluster Name Object (CNO) using ADRESTORE.EXE. I wanted to add to his post by showing how you can do the same thing with the Active Directory Recycle Bin that a Windows Server 2008 R2 domain controller provides.
First, you should become familiar with how to enable the Recycle Bin. The following blog post covers this:
The AD Recycle Bin: Understanding, Implementing, Best Practices, and Troubleshooting
So let's move on to how we can use it. As Chuck's post pointed out, we identify the proper object by its objectGUID property. So we have a Cluster Name Object with the following resource properties:
PS > get-clusterresource "Cluster Name" | get-clusterparameter creatingdc,objectguid
Object        Name        Value
------        ----        -----
Cluster Name  CreatingDC  \\DEMO-DC2
Cluster Name  ObjectGUID  a694307a94d5b14e826e3d2943…
So from the above, we should go to the \\DEMO-DC2 domain controller, and the objectGUID value we are going to be looking for starts with 7A 30 94 A6 (the first four bytes of the ObjectGUID shown above, in reverse order, because the first field of a GUID is stored little-endian), so we will need this later. We also have our cluster event showing the failure of the Cluster Name resource, saying that the object is not found.
Event ID: 1207
Source: Microsoft-Windows-FailoverClustering
Description: Cluster network name resource ‘Cluster Name’ cannot be brought online. The computer object associated with the resource could not be updated in domain ‘cluster.com’ for the following reason:
Unable to get Computer Object using GUID.
The text for the associated error code is: There is no such object on the server.
So we go out to DEMO-DC2 and do not find the object. However, since we have the AD Recycle Bin enabled, we can check to see if it is there. To do this, we run the following PowerShell command:
PS > Get-ADObject -Filter 'isDeleted -eq $true -and samAccountName -eq "W2K8-R2-CLUSTER"' -IncludeDeletedObjects -Properties * | Format-List samAccountName,LastKnownParent,objectGUID
samAccountName : W2K8-R2-CLUSTER
LastKnownParent : OU=2008R2-Cluster-Servers,DC=cluster,DC=com
objectGUID : 7a3094a6-d594-4eb1-826e-3d294303acef
samAccountName : W2K8-R2-CLUSTER
LastKnownParent : CN=Computers,DC=cluster,DC=com
objectGUID : c8b15d0b-f2a4-4c85-b8f1-6b48b1350f0c
The command simply looks in the Recycle Bin for deleted objects named W2K8-R2-CLUSTER and displays the three attributes I care about. As you can see from the above, two deleted computer objects share that name; the correct object we want to restore is the one whose objectGUID begins 7a3094a6, matching the bytes from the cluster resource:
samAccountName : W2K8-R2-CLUSTER
LastKnownParent : OU=2008R2-Cluster-Servers,DC=cluster,DC=com
objectGUID : 7a3094a6-d594-4eb1-826e-3d294303acef
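The byte-order match described above can be done by script rather than by eye. The following is an added example, not code from the original post: it converts the hex string that Get-ClusterParameter reports into the canonical GUID that Get-ADObject and Restore-ADObject expect, then (optionally) looks up exactly that tombstone. The full 32-character cluster value is a constructed sample expanded from the objectGUID the post lists, since the screen output above is truncated.

```powershell
# Added example (not from the original post): convert the ObjectGUID value that
# Get-ClusterParameter reports into the canonical GUID form used by the AD cmdlets.
# Windows stores a GUID's first three fields little-endian, which is why the cluster
# shows "a694307a 94d5 b14e ..." while AD shows "7a3094a6-d594-4eb1-...".

function ConvertTo-AdObjectGuid {
    param(
        # 32 hex characters exactly as listed by "get-clusterparameter objectguid"
        [Parameter(Mandatory = $true)]
        [ValidatePattern('^[0-9a-fA-F]{32}$')]
        [string]$ClusterHex
    )
    # Parse the hex pairs into the 16 raw bytes in their stored order
    $bytes = New-Object byte[] 16
    for ($i = 0; $i -lt 16; $i++) {
        $bytes[$i] = [Convert]::ToByte($ClusterHex.Substring($i * 2, 2), 16)
    }
    # System.Guid's byte[] constructor applies the mixed-endian layout for us
    return New-Object System.Guid (,$bytes)
}

# Constructed sample: the post shows the cluster value truncated ("...3d2943..."),
# so the full value here is filled in from the objectGUID that the Get-ADObject
# output lists for the correct tombstone.
$clusterHex = 'a694307a94d5b14e826e3d294303acef'
$adGuid     = ConvertTo-AdObjectGuid $clusterHex

# Sanity check against the GUID the post goes on to restore
$expected = [guid]'7a3094a6-d594-4eb1-826e-3d294303acef'
if ($adGuid -ne $expected) {
    throw "Converted GUID $adGuid does not match expected $expected"
}
"Cluster ObjectGUID $clusterHex is AD objectGUID $adGuid"

# Only when the ActiveDirectory module is present (run on or against a DC):
# look up exactly that tombstone instead of matching on samAccountName, which
# avoids picking the wrong object when several deleted computers share the name.
if (Get-Command Get-ADObject -ErrorAction SilentlyContinue) {
    Get-ADObject -Identity $adGuid -IncludeDeletedObjects -Properties samAccountName,LastKnownParent |
        Format-List samAccountName,LastKnownParent,objectGUID
}
```

The resulting $adGuid is the value to hand to Restore-ADObject -Identity.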
So to restore the object, the command would be:
PS > Restore-ADObject -Identity 7a3094a6-d594-4eb1-826e-3d294303acef
What this does is restore the W2K8-R2-CLUSTER object back into the 2008R2-Cluster-Servers OU where it originally lived, in an enabled state. The other thing that is sweet about this is that the object also keeps its permissions and its computer account password (as long as it is restored before that password expires).
When using ADRESTORE.EXE, you had to perform additional steps to fix up permissions, re-enable the account, and so on. Now, since all object attributes were maintained, all you need to do is bring the resource online.
PS > start-clusterresource "Cluster Name"
Name          State   Group          ResourceType
----          -----   -----          ------------
Cluster Name  Online  Cluster Group  Network Name
Going further, you can do the same thing with a Virtual Name Object (VCO). One of the steps with the previous method was to manually grant the CNO rights on the VCO in its properties. With this method, those permissions are preserved, so it is simply a matter of restoring the object and bringing it online.
If you ask anyone from our Directory Services team, they are going to recommend enabling the AD Recycle Bin. From a cluster perspective, and having walked through the above, it is a cleaner method for restoring the object and bringing it back online in the cluster, so I would recommend it as well.
One last thing before I go. Now that we have restored the object, let's prevent it from accidentally being deleted again. To do this, bring up the properties of the AD object and check the "Protect object from accidental deletion" box.