In Windows 2008 clusters, by default, all network name resources are enabled for Kerberos. This causes the cluster service to create a machine account for the network name resource. This is known a VCO or Virtual Computer Object.
When the machine account associated with a network name is deleted the network name in cluster will fail to come online.
There are events in the system log associated with this action which help to explain why.
Log Name: System
Date: 8/16/2009 3:31:40 PM
Event ID: 1207
Task Category: Network Name Resource
Cluster network name resource ‘Network Name (MBX-1)’ cannot be brought online. The computer object associated with the resource could not be updated in domain ‘domain.com’ for the following reason:
Unable to find computer account on DC where it was created.
The text for the associated error code is: There is no such object on the server.
The cluster identity ‘CLUSTER-1$’ may lack permissions required to update the object. Please work with your domain administrator to ensure that the cluster identity can update computer objects in the domain.
Cluster is aware of the DC where the object was created, and stamps this property as a private property of the network name resource.
cluster.exe <clusterFQDN> res “Network Name (MBX-1)” /priv
Listing private properties for ‘Network Name (MBX-1)’:
T Resource Name Value
— ——————– —————————— ———————–
BR Network Name (MBX-1) ResourceData 01 00 00 00 … (260 bytes)
DR Network Name (MBX-1) StatusNetBIOS 0 (0x0)
DR Network Name (MBX-1) StatusDNS 0 (0x0)
DR Network Name (MBX-1) StatusKerberos 8240 (0x2030)
SR Network Name (MBX-1) CreatingDC \\DC-1.domain.com
FTR Network Name (MBX-1) LastDNSUpdateTime 8/14/2009 3:07:59 AM
SR Network Name (MBX-1) ObjectGUID 01e46402b3cc8a4fa124bd76a3801f69
S Network Name (MBX-1) Name MBX-1
S Network Name (MBX-1) DnsName MBX-1
D Network Name (MBX-1) RemapPipeNames 0 (0x0)
D Network Name (MBX-1) RequireDNS 0 (0x0)
D Network Name (MBX-1) RequireKerberos 1 (0x1)
D Network Name (MBX-1) HostRecordTTL 1200 (0x4b0)
D Network Name (MBX-1) RegisterAllProvidersIP 0 (0x0)
D Network Name (MBX-1) PublishPTRRecords 0 (0x0)
D Network Name (MBX-1) TimerCallbackAdditionalThreshold 5 (0x5)
D Network Name (MBX-1) MSExchange_NetName 1 (0x1)
S Network Name (MBX-1) RequireKerbero 0
S Network Name (MBX-1) requirekerbeoros 1
S Network Name (MBX-1) requirekeberos 1
You’ll also note that the requireKerberos setting is set to 1 = enabled.
There are other ways to recover the VCO, but from an Exchange standpoint I find these to be the easiest…
1) Create a new machine account in the desired container with the same name as the VCO / CNO.
2) Using this blog post establish the permissions for the CNO on the new VCO. (http://blogs.technet.com/timmcmic/archive/2009/02/24/permissions-required-for-the-cno-cluster-name-object-in-windows-2008-for-exchange-2007-sp1-setup-operations.aspx)
3) Ensure the new machine account is disabled and allow time for ad replication.
4) Ensure that you have your Exchange 2007 SP1 media on hand.
5) Ensure that all resources in the CMS cluster group have been taken offline.
6) Using the media and a command prompt, run the following command –> setup.com /clearLocalCMS.
7) Recover the CMS to the cluster –> setup.com /recoverCMS /cmsName:<NAME> /cmsIPAddress:<IPAddress> or setup.com /recoverCMS /cmsName:<NAME> /cmsIPv4Addresses:<IPAddress1>,<IPAddress2>
When these steps are completed all Exchange resources should now be available and online as well as the new machine account created in an enabled state.