Identifying Stale Cluster Computer Objects

18 Aug


In summary:

  • The pwdLastSet property of the CNO and VCO in AD should be refreshed every 30 days by default (just like workstation passwords). If the password was last set much longer than 30 days ago, that should indicate stale cluster objects.
  • By default, when a cluster Network Name resource is deleted or a cluster is destroyed, the CNO and VCOs are placed in a disabled state. Any cluster computer object in a Disabled state is no longer being used by the cluster.
  • When destroying a cluster, use the -CleanupAD switch of Remove-Cluster in PowerShell to remove the CNO and VCO instead of leaving them in a disabled state as above.
  • The CNO and VCO contain the SPN “MSClusterVirtualServer”, so you can identify which computer objects belong to a cluster by querying for that SPN service.
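
The checks above combined into one filter, as an added example that is not part of the original post. The function name `Get-StaleClusterObject`, the 60-day threshold, and the sample objects are assumptions made for illustration; the commented call at the end shows how to feed it from a live domain with the ActiveDirectory module.

```powershell
# Added example: flag cluster computer objects (CNO/VCO) that look stale.
# Input objects need Name, Enabled, PasswordLastSet and servicePrincipalName.
function Get-StaleClusterObject {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Computer,
        # Assumption: "much longer than 30 days" is taken as 60 days here.
        [int]$MaxPasswordAgeDays = 60,
        [datetime]$Now = (Get-Date)
    )
    process {
        # Only objects carrying the MSClusterVirtualServer SPN are cluster objects.
        $clusterSpn = @($Computer.servicePrincipalName) -like 'MSClusterVirtualServer/*'
        if (-not $clusterSpn) { return }

        $reasons = @()
        if (-not $Computer.Enabled) { $reasons += 'Disabled' }
        if ($null -eq $Computer.PasswordLastSet) {
            $reasons += 'PasswordLastSetMissing'
        } else {
            $age = [int][math]::Floor(($Now - $Computer.PasswordLastSet).TotalDays)
            if ($age -gt $MaxPasswordAgeDays) { $reasons += "PasswordAge=${age}d" }
        }
        if ($reasons) {
            [pscustomobject]@{ Name = $Computer.Name; Reasons = $reasons -join ', ' }
        }
    }
}

# Constructed sample objects (not real directory data).
$now = [datetime]'2011-08-18'
$sample = @(
    [pscustomobject]@{ Name = 'CLU-ACTIVE';   Enabled = $true;  PasswordLastSet = $now.AddDays(-12)
                       servicePrincipalName = @('MSClusterVirtualServer/CLU-ACTIVE', 'HOST/CLU-ACTIVE') }
    [pscustomobject]@{ Name = 'CLU-OLDPWD';   Enabled = $true;  PasswordLastSet = $now.AddDays(-400)
                       servicePrincipalName = @('MSClusterVirtualServer/CLU-OLDPWD') }
    [pscustomobject]@{ Name = 'CLU-DISABLED'; Enabled = $false; PasswordLastSet = $now.AddDays(-90)
                       servicePrincipalName = @('MSClusterVirtualServer/CLU-DISABLED') }
    [pscustomobject]@{ Name = 'WKSTN-042';    Enabled = $true;  PasswordLastSet = $now.AddDays(-300)
                       servicePrincipalName = @('HOST/WKSTN-042') }
)
$sample | Get-StaleClusterObject -Now $now | Format-Table -AutoSize

# Against a live domain (requires the ActiveDirectory module):
# Get-ADComputer -LDAPFilter '(servicePrincipalName=MSClusterVirtualServer/*)' `
#     -Properties PasswordLastSet, servicePrincipalName | Get-StaleClusterObject
```

Review the flagged objects before deleting anything: an old pwdLastSet on an enabled object can also mean the cluster has lost the ability to rotate its own password.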





Posted by on August 18, 2011 in Windows


