- The pwdLastSet property of the CNO and VCOs in AD should be refreshed every 30 days by default (just like workstation passwords). If the password was last set much longer than 30 days ago, this should indicate stale cluster objects.
- By default, when a cluster Network Name resource is deleted or a cluster is destroyed, the CNO and VCOs are placed in a disabled state. Any cluster computer object in a disabled state is no longer being used by the cluster.
- When destroying a cluster, use the -CleanupAD switch of Remove-Cluster in PowerShell to remove the CNO and VCOs instead of leaving them in a disabled state as described above.
- The CNO and VCOs contain the SPN “MSClusterVirtualServer”, so you can identify which computer objects belong to a cluster by querying for that SPN service.
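
The checks above can be combined into one read-only audit. The following is an added example, not part of the original page: it assumes the ActiveDirectory PowerShell module (RSAT) is installed, and the 60-day threshold is an assumed reading of "much longer than 30 days" that you should tune for your environment.

```powershell
# Added example: read-only report of cluster computer objects (CNO/VCO) that look stale.
Import-Module ActiveDirectory

# Assumption: treat a password older than 60 days as "much longer than 30 days".
$StaleAfterDays = 60
$now = Get-Date

# CNOs and VCOs carry an SPN with the MSClusterVirtualServer service class.
$clusterObjects = Get-ADComputer `
    -LDAPFilter '(servicePrincipalName=MSClusterVirtualServer/*)' `
    -Properties PasswordLastSet, Enabled, servicePrincipalName

$report = foreach ($obj in $clusterObjects) {
    # PasswordLastSet is the DateTime form of pwdLastSet; it is $null if never set.
    $ageDays = if ($obj.PasswordLastSet) {
        [int]($now - $obj.PasswordLastSet).TotalDays
    } else {
        $null
    }

    # Collect every indicator named in the list above.
    $reasons = @()
    if (-not $obj.Enabled) { $reasons += 'disabled' }
    if ($null -eq $ageDays) {
        $reasons += 'password never set'
    } elseif ($ageDays -gt $StaleAfterDays) {
        $reasons += "password age $ageDays days"
    }

    [pscustomobject]@{
        Name              = $obj.Name
        Enabled           = $obj.Enabled
        PasswordLastSet   = $obj.PasswordLastSet
        PasswordAgeDays   = $ageDays
        LikelyStale       = ($reasons.Count -gt 0)
        Reason            = $reasons -join '; '
        DistinguishedName = $obj.DistinguishedName
    }
}

# Stale candidates first, oldest passwords at the top.
$report | Sort-Object LikelyStale, PasswordAgeDays -Descending | Format-Table -AutoSize
```

The script only reports; confirm with the cluster owner that a flagged object is unused before removing it from AD.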