Running setup.com /clearLocalCMS on a Windows 2008 cluster disables the machine accounted (VCO) associated with the CMS name.

The setup.com /clearLocalCMS is responsible for purging the clustered configuration for Exchange resources without making any changes to the active directory for the Exchange instance.  This command is commonly used to clean the cluster configuration on the source Exchange cluster prior to running setup.com /recoverCMS or to clear the clustered resources from the target Exchange cluster (for example – standby continuous replication using a single node cluster target).

The setup.com /clearLocalCMS removes the Exchange resources and if possible deletes the remaining clustered group.  If the cluster is a single copy cluster, the physical disk resources will be maintained and the Exchange CMS group renamed.

On Windows 2003, the deleting of clustered resources does not effect the status of the AD machine account object associated with the CMS name.  When the deletion is processed either programmatically or though cluster administrator, the machine account associated with the CMS remains enabled in the active directory.

On Windows 2008, the deleting of clustered resources does effect the status of the AD machine account object associated with the CMS name (machine account = VCO or Virtual Computer Object).  When the deletion is processed either programmatically or through failover cluster management, the VCO associated with the CMS becomes disabled in the active directory.

When there is not a CMS online utilizing this machine account this is generally not an issue.  There are times though when a CMS is online and servicing clients, and setup.com /clearLocalCMS is run on another cluster that originally owned the same CMS.  When that is the case, administrators need to take a manual step to re-enable the VCO in order to ensure that the other online CMS continues to function properly.

Additional steps to re-enable the machine account are documented at https://technet.microsoft.com/en-us/library/bb738150.aspx.

“Because the cluster nodes are running Windows Server 2008, after you run Setup /ClearLocalCMS, the virtual computer object (VCO) will be disabled. To re-enable the VCO, click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Users and Computers. Expand the domain, expand Computers, right-click the CMS VCO, and then click Enable Account.”

Here are sample LDP dumps showing the enabled account and disabled account.

  • Enabled VCO:

Expanding base 'CN=TEST-CLUSTER,CN=Computers,DC=exchange,DC=msft'...
Getting 1 entries:
Dn: CN=TEST-CLUSTER,CN=Computers,DC=exchange,DC=msft
accountExpires: 9223372036854775807 (never);
badPasswordTime: 0 (never);
badPwdCount: 0;
cn: TEST-CLUSTER;
codePage: 0;
countryCode: 0;
distinguishedName: CN=TEST-CLUSTER,CN=Computers,DC=exchange,DC=msft;
dNSHostName: TEST-CLUSTER.exchange.msft;
dSCorePropagationData: 0x0 = (  );
instanceType: 0x4 = ( WRITE );
isCriticalSystemObject: FALSE;
lastLogoff: 0 (never);
lastLogon: 0 (never);
localPolicyFlags: 0;
logonCount: 0;
name: TEST-CLUSTER;
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=exchange,DC=msft;
objectClass (5): top; person; organizationalPerson; user; computer;
objectGUID: 90c511fa-6dcc-4357-8d2e-3762bfc62ce2;
objectSid: S-1-5-21-3347541649-2078682762-2984813736-1143;
primaryGroupID: 515 = ( GROUP_RID_COMPUTERS );
pwdLastSet: 3/15/2009 10:42:37 AM Eastern Daylight Time;
sAMAccountName: TEST-CLUSTER$;
sAMAccountType: 805306369 = ( MACHINE_ACCOUNT );
servicePrincipalName (6): MSServerClusterMgmtAPI/TEST-CLUSTER.exchange.msft; MSServerClusterMgmtAPI/TEST-CLUSTER; MSClusterVirtualServer/TEST-CLUSTER.exchange.msft; MSClusterVirtualServer/TEST-CLUSTER; HOST/TEST-CLUSTER.exchange.msft; HOST/TEST-CLUSTER;
userAccountControl: 0x1020 = ( PASSWD_NOTREQD | WORKSTATION_TRUST_ACCOUNT );
uSNChanged: 671913;
uSNCreated: 671898;
whenChanged: 3/15/2009 10:42:38 AM Eastern Daylight Time;
whenCreated: 3/15/2009 10:40:46 AM Eastern Daylight Time;

-----------

 

  • Disabled VCO after removing the cluster resources.

Expanding base 'CN=TEST-CLUSTER,CN=Computers,DC=exchange,DC=msft'...
Getting 1 entries:
Dn: CN=TEST-CLUSTER,CN=Computers,DC=exchange,DC=msft
accountExpires: 9223372036854775807 (never);
badPasswordTime: 0 (never);
badPwdCount: 0;
cn: TEST-CLUSTER;
codePage: 0;
countryCode: 0;
distinguishedName: CN=TEST-CLUSTER,CN=Computers,DC=exchange,DC=msft;
dNSHostName: TEST-CLUSTER.exchange.msft;
dSCorePropagationData: 0x0 = (  );
instanceType: 0x4 = ( WRITE );
isCriticalSystemObject: FALSE;
lastLogoff: 0 (never);
lastLogon: 0 (never);
localPolicyFlags: 0;
logonCount: 0;
name: TEST-CLUSTER;
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=exchange,DC=msft;
objectClass (5): top; person; organizationalPerson; user; computer;
objectGUID: 90c511fa-6dcc-4357-8d2e-3762bfc62ce2;
objectSid: S-1-5-21-3347541649-2078682762-2984813736-1143;
primaryGroupID: 515 = ( GROUP_RID_COMPUTERS );
pwdLastSet: 3/15/2009 10:42:37 AM Eastern Daylight Time;
sAMAccountName: TEST-CLUSTER$;
sAMAccountType: 805306369 = ( MACHINE_ACCOUNT );
servicePrincipalName (6): MSServerClusterMgmtAPI/TEST-CLUSTER.exchange.msft; MSServerClusterMgmtAPI/TEST-CLUSTER; MSClusterVirtualServer/TEST-CLUSTER.exchange.msft; MSClusterVirtualServer/TEST-CLUSTER; HOST/TEST-CLUSTER.exchange.msft; HOST/TEST-CLUSTER;
userAccountControl: 0x1022 = ( ACCOUNTDISABLE | PASSWD_NOTREQD | WORKSTATION_TRUST_ACCOUNT );
uSNChanged: 671916;
uSNCreated: 671898;
whenChanged: 3/15/2009 10:45:02 AM Eastern Daylight Time;
whenCreated: 3/15/2009 10:40:46 AM Eastern Daylight Time;

-----------