Accidental deletion and recovery of WSFC CNO and VCO objects

2025-02-28 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/03 Report--

In the previous article, Lao Wang repeatedly emphasized the role of the CNO (cluster name object) and the VCO (virtual computer object).

In short, the CNO and VCOs are responsible for providing Kerberos authentication for the cluster: the CNO does so for the cluster's administrative access point, and each VCO does so for the client access point of a clustered role.

Both the CNO and the VCOs must reach a domain controller every time they are brought online. The CNO synchronizes its own computer account password with AD and also synchronizes the passwords of the VCOs on their behalf; the CNO is responsible for maintaining its association with the VCOs.

If the cluster is deployed in the traditional AD-integrated model, the CNO and VCOs are therefore critical. Once a CNO or VCO object is accidentally deleted, the corresponding network name can no longer come online properly and applications can no longer authenticate to the cluster with Kerberos.

Starting with Windows Server 2008 R2, AD DS offers the Recycle Bin feature. Once it is enabled, deleted AD objects can be restored intact within the deleted-object lifetime (by default the same as the tombstone lifetime), but in most cases a recovered computer object still has to resynchronize its password.

In this article, Lao Wang shows how to recover CNO and VCO objects after they have been deleted by mistake.

Experimental environment

DC & iSCSI server

LAN: 10.0.0.2 255.0.0.0

iSCSI: 30.0.0.2 255.0.0.0

HV03

MGMT: 10.0.0.11 255.0.0.0, DNS 10.0.0.2

iSCSI: 30.0.0.11 255.0.0.0

CLUS: 18.0.0.11 255.0.0.0

HV04

MGMT: 10.0.0.12 255.0.0.0, DNS 10.0.0.2

iSCSI: 30.0.0.12 255.0.0.0

CLUS: 18.0.0.12 255.0.0.0

The domain controller in this lab runs Windows Server 2008 R2 with the Recycle Bin feature enabled. From Windows Server 2012 onward the Recycle Bin can also be enabled from the GUI (Active Directory Administrative Center).

The cluster is named BJcluster, and a DTC role named hello is running on it.

The CNO/VCO information in AD is as follows

Since Windows Server 2008, AD lets us choose, when creating an object, whether to enable the "Protect object from accidental deletion" feature.

For OUs created in the GUI this option is checked by default; as long as it is set, the OU cannot be deleted casually, and it has to be cleared first before the OU can be deleted.

For user and computer objects, however, the feature is not enabled by default, which means that any administrator with rights over AD can delete our computer objects.

There are two ways to avoid accidentally deleting these computer objects:

1. On the CNO and VCO computer objects themselves, check "Protect object from accidental deletion".

2. Place all cluster computer objects in a dedicated OU and deny Everyone the right to delete computer objects at the OU level.

The difference is that the first works at the object level and the second at the OU level. Once either is in place, ordinary administrators can no longer delete the computer objects casually.

These are preventive measures. Now let's look at what to do when they were not taken and an administrator accidentally deletes the CNO.
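Both protections can be applied from PowerShell rather than the GUI. The script below is an added example and not part of the original article: it reads the Network Name resources of the cluster BJcluster (the name used in this article), protects each matching computer object, and adds an inherited Deny ACE for Everyone on the OU. The OU path OU=Clusters,DC=contoso,DC=com is an assumption; the ActiveDirectory and FailoverClusters modules must be installed and the account must be allowed to modify the objects.

```powershell
# Added example (not from the original article). Requires the ActiveDirectory
# and FailoverClusters PowerShell modules.
Import-Module ActiveDirectory
Import-Module FailoverClusters

$ClusterName = 'BJcluster'                          # cluster name from the article
$ClusterOU   = 'OU=Clusters,DC=contoso,DC=com'      # ASSUMED OU that holds the CNO and VCOs

# Option 1: object-level protection. Every Network Name resource (the cluster
# name itself and each role's client access point) maps to a computer object;
# read the names from the cluster instead of guessing them.
$names = Get-ClusterResource -Cluster $ClusterName -ResourceType 'Network Name' |
    Get-ClusterParameter -Name Name |
    Select-Object -ExpandProperty Value

foreach ($n in $names) {
    $obj = Get-ADComputer -Filter "name -eq '$n'"
    if (-not $obj) {
        # A network name without a computer object (e.g. a distributed network
        # name on newer clusters) has nothing to protect in AD.
        Write-Warning "No computer object found for network name $n, skipping"
        continue
    }
    # Writes the same Deny Everyone Delete/DeleteTree ACE that the
    # "Protect object from accidental deletion" checkbox sets.
    Set-ADObject -Identity $obj.DistinguishedName -ProtectedFromAccidentalDeletion $true
}

# Option 2: OU-level protection. Deny Everyone the Delete and DeleteTree rights
# on all descendant objects of class computer, so VCOs created later in this
# OU are covered without touching each object individually.
$computerClassGuid = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of the computer class
$everyone    = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'
$rights      = [System.DirectoryServices.ActiveDirectoryRights]'Delete, DeleteTree'
$deny        = [System.Security.AccessControl.AccessControlType]::Deny
$descendents = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

$acl = Get-Acl -Path "AD:\$ClusterOU"
$denyDelete = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule `
    -ArgumentList $everyone, $rights, $deny, $descendents, $computerClassGuid
$acl.AddAccessRule($denyDelete)
Set-Acl -Path "AD:\$ClusterOU" -AclObject $acl

# Verify: each computer object in the OU should report
# ProtectedFromAccidentalDeletion = True, and the OU ACL should now carry the
# Deny ACE for Everyone that applies to descendant computer objects.
Get-ADObject -Filter "objectClass -eq 'computer'" -SearchBase $ClusterOU `
    -Properties ProtectedFromAccidentalDeletion |
    Select-Object Name, ProtectedFromAccidentalDeletion

(Get-Acl -Path "AD:\$ClusterOU").Access |
    Where-Object { $_.AccessControlType -eq 'Deny' -and $_.IdentityReference.Value -eq 'Everyone' } |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType, InheritedObjectType
```

The OU-level Deny ACE wins over any Allow granted to administrators, which is exactly what the article's second option relies on; an administrator who really needs to delete a cluster computer object has to remove the ACE (or clear the object-level protection) first, which turns a casual deletion into a deliberate two-step action.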

Delete CNO object

If the cluster name is currently online, no error appears immediately; the failure surfaces at the next failover or cold start of the cluster name. In Event Viewer you can then see error 1685.

The cluster log shows that the cluster name resource can no longer authenticate with its CNO.

Use the ADRecycleBin tool to restore the accidentally deleted object (on Windows Server 2012 and later you can do this from the Active Directory Administrative Center).

After the recovery completes, the restored CNO object is visible again in AD.

After the computer object is restored, its password usually has to be reset so that the CNO can work normally again.

Since WSFC 2008 the cluster has had a built-in repair mechanism for resetting computer account passwords: the Repair action in Failover Cluster Manager resets the password of the CNO or of a VCO.

Repairing the CNO requires an account with administrative rights over the CNO object, because the cluster connects to AD and resets the password of that computer account with the credentials of the logged-on user.

Repairing a VCO is performed in the security context of the CNO's computer account, so the CNO must have permission to reset the password of the VCO account.

Open Failover Cluster Manager -> Cluster Core Resources -> the cluster name resource -> More Actions -> Repair.

After clicking Repair the cluster shows the resource as processing; once it completes, the cluster name comes back online normally.

The log shows that during repair the cluster connects to AD with our account and resets the CNO's password and identity.

The CNO is now restored, the cluster works normally, and Kerberos authentication succeeds.
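The same restore can be done with the ActiveDirectory module instead of the ADRecycleBin tool, and the result checked from the command line. The script below is an added example and not part of the original article: it finds the deleted computer object for BJcluster (the cluster name used in this article) in the AD Recycle Bin, restores it to its last known parent, and, once Repair has been run in Failover Cluster Manager as described above, verifies that the network name is online and that a Kerberos service ticket for it can be obtained. It assumes the Recycle Bin is enabled, that the run-as account may restore objects and administer the cluster, and that the ActiveDirectory and FailoverClusters modules are installed.

```powershell
# Added example (not from the original article). Requires the ActiveDirectory
# and FailoverClusters PowerShell modules and an enabled AD Recycle Bin.
Import-Module ActiveDirectory
Import-Module FailoverClusters

$ClusterName = 'BJcluster'        # CNO name from the article

# 1. Locate the deleted object. A deleted object keeps isDeleted=TRUE and a
#    name of the form "<name>\0ADEL:<guid>", and is returned only when
#    -IncludeDeletedObjects is given, hence the wildcard match on the name.
$pattern = "$ClusterName*"
$deleted = Get-ADObject -IncludeDeletedObjects `
    -Filter { isDeleted -eq $true -and objectClass -eq "computer" -and name -like $pattern } `
    -Properties lastKnownParent, whenChanged

if (-not $deleted) {
    throw "No deleted computer object matching $pattern found in the Recycle Bin"
}
$deleted | Format-Table Name, lastKnownParent, whenChanged -AutoSize

# 2. Restore to the last known parent. If that OU was deleted as well, restore
#    the OU first or pass -TargetPath to place the object elsewhere.
$deleted | Restore-ADObject

# 3. Confirm the live object is back and record the password age. The Repair
#    action in Failover Cluster Manager resets the password, so pwdLastSet
#    should move to the repair time once that step has been done.
Get-ADComputer -Identity $ClusterName -Properties pwdLastSet, servicePrincipalName |
    Select-Object Name, DistinguishedName,
        @{ n = 'PwdLastSet'; e = { [DateTime]::FromFileTime($_.pwdLastSet) } },
        servicePrincipalName

# 4. After Repair: the Network Name resource must be Online, and a Kerberos
#    service ticket for the cluster name must be obtainable. "klist get"
#    requests a ticket for the given SPN and fails if the CNO still cannot
#    be authenticated, which is the symptom the article describes.
Get-ClusterResource -Cluster $ClusterName -ResourceType 'Network Name' |
    Select-Object Name, State, OwnerGroup

klist purge | Out-Null
klist get "host/$ClusterName"
```

Step 1 is also a quick way to confirm a suspected accidental deletion: if the cluster log complains about the CNO and the object shows up with isDeleted=TRUE, the recovery path is a Recycle Bin restore followed by Repair rather than recreating the object, which would produce a new SID and break the CNO's association with its VCOs.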

Accidental deletion and recovery of a VCO is similar to the CNO case. Suppose we delete the VCO object by mistake. If the VCO's network name is already online, the event log may not show an error for some time. Any application that relies on Kerberos against the VCO, however, fails to authenticate immediately, so a deleted VCO is usually discovered only when application developers report that authentication is no longer possible, or when the administrator checks the cluster log and sees that the VCO computer object cannot be found and authentication cannot be performed.

To recover a VCO object after accidental deletion, first restore the VCO computer object with the recovery tool.

After the restore completes, in Failover Cluster Manager first take the VCO network name resource offline.

Then right-click the server name -> More Actions -> Repair.

Note that this repair uses the CNO computer account to reset and synchronize the VCO's computer account password, so the CNO object must have permission to reset the password of the VCO computer object; a VCO created by the CNO has this permission by default.

After the repair completes, the clustered role comes online normally.

The cluster log shows that the password of the hello VCO has been reset by the CNO, and Kerberos authentication works normally again.

That covers the repair method after accidental deletion of CNO and VCO objects; I hope you find it useful. Although WSFC has had a good repair mechanism since 2008, it is still recommended to guard against accidental deletion, either at the computer object level or at the OU level.
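Because the VCO repair runs as the CNO, it is worth confirming that permission before clicking Repair, especially when the VCO was pre-staged by hand or its ACL was edited. The script below is an added example and not part of the original article: it checks whether the CNO BJcluster$ holds the Reset Password control access right (or Full Control) on the VCO hello (both names from this article) and grants the right if it is missing. It assumes the ActiveDirectory module and an account allowed to modify the VCO's security descriptor.

```powershell
# Added example (not from the original article). Requires the ActiveDirectory
# PowerShell module and rights to read and modify the VCO's ACL.
Import-Module ActiveDirectory

$Cno = 'BJcluster'   # cluster name object from the article
$Vco = 'hello'       # network name of the DTC role from the article

# Well-known GUID of the "Reset Password" control access right in the AD schema.
$ResetPasswordRight = [Guid]'00299570-246d-11d0-a768-00aa006e0529'

$cnoSid = (Get-ADComputer -Identity $Cno).SID
$vcoDn  = (Get-ADComputer -Identity $Vco).DistinguishedName
$acl    = Get-Acl -Path "AD:\$vcoDn"

# An ACE satisfies the requirement if it is an Allow for the CNO's SID and
# grants either GenericAll (Full Control, the default for a VCO the CNO
# created) or the ExtendedRight whose ObjectType is Reset Password (an empty
# ObjectType means "all extended rights").
$genericAll    = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

$hasRight = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $cnoSid.Value -and
    (
        (($_.ActiveDirectoryRights -band $genericAll) -eq $genericAll) -or
        (
            (($_.ActiveDirectoryRights -band $extendedRight) -eq $extendedRight) -and
            ($_.ObjectType -eq $ResetPasswordRight -or $_.ObjectType -eq [Guid]::Empty)
        )
    )
}

if ($hasRight) {
    "OK: $Cno`$ can reset the password of $Vco; Repair can proceed."
} else {
    "Missing: granting $Cno`$ the Reset Password right on $Vco"
    $allow = [System.Security.AccessControl.AccessControlType]::Allow
    $ace = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule `
        -ArgumentList $cnoSid, $extendedRight, $allow, $ResetPasswordRight
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$vcoDn" -AclObject $acl
}
```

Granting only the Reset Password right is the minimum for Repair to succeed; the CNO normally also needs write access to the VCO's servicePrincipalName and DNS host name attributes to keep them current, which Full Control covers. If the check fails on a VCO that the CNO itself created, the ACL has been altered after creation and the CNO-to-VCO association should be reviewed before repairing.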
