CNOs/VCOs(Computer Objects) and few ways to protect them…!

If you already have experience working on Clustered Environments, you might already know about CNO(Cluster Name Object) and VCO(Virtual Computer Object). For Newbies, let me explain what CNO and VCO are in a line or two…

CNO: This is the Core piece of your Windows Cluster and acts as an identity of your Windows Cluster. This is a computer Object which will be created in your AD under Computer Node(under your Domain or OU, if you have any).  It will be same name as your Cluster.

VCO: Again, these are the Objects being created in AD under Computer Node depending on the Services and Applications which you are creating inside your Cluster. Yes, CNO is responsible for creating those VCO’s.  CNO’s should not be deleted or not even touched in terms of security by any means and by any person.  Services won’t come Online if CNO permissions are modified or CNO gets dropped accidentally, which is a potential threat for your cluster.

In order to Recover from deleted CNO situation, your Domain Admin should be involved and he/she needs to restore your Active Directory Objects which is not a simple task, especially in larger enterprises. Good News is Starting Windows Server 2008R2, we’ve something called Active Directory RecycleBin which is an awesome way to recover AD Objects. Hold on Guys….there’s a GOTCHA though!

Gotcha: AD Recycle Bin is not Enabled by Default. It has to be enabled within your Domain by your Domain Admin!

What if we communicate with our Domain/OU/Server Admins to enable some settings which basically prevents any accidental deletion of Computer Objects? It would be really nice if we could prevent that deletion action in first place right, instead of recovering after a disaster. So what can be done here? Windows Server 2008/2008R2 offers a really simple way to prevent these accidental operations(mostly Human Mistakes). There’s a small checkBox which we should enable to make this happen. Once enabled, It won’t let anyone to delete that Object.


I’m on my Domain Controller and I’ve opened AD Users and Computers from Administrative Tools. You can see WINCLUST is my CNO.

Very Imp: Now You’ve to go to View and select Advanced Features, to be able to see/perform all the available options/operations we’ve. You can see below

Now, I’m trying to protect my CNO from accidental deletion. All I’ve to do is Right click on CNO and select properties and navigate to “Object” tab and check that tiny box as shown below:)

That’s it! Is it really hard? Nope. You can check with your Domain Admins to make sure that this is checked on all your CNO’s and VCO’s.


All the New OUs are automatically set to be protected.

Any New Users/Groups are not set to be automatically protected.

Any New Computers are not set to be automatically protected.

With the protection being enabled, now let’s see what happens if we try to delete that CNO manually from my AD.

Note: Don’t even think about doing this in your Company(In the First Place, we will not be having those level of privileges). I bet, you’ll be fired the very next moment!

I got this warning Message saying, Are you really Sure about what you are trying to do here?? See below Screenshot.

Let’s say…I’m one Stupid Guy and went ahead and clicked on Yes. The below is the screenshot of what I got.

Remember I logged onto this as a Domain Administrator, even then..Windows is saying, “Uhuhhhhh….No Idiot! I’m not letting you to perform this operation unless you uncheck that tiny box which we checked earlier” 😀

Isn’t it Something Awesome Guys? I really really encourage you to check with your Server Admins on this Option being enabled if you are responsible/accountable for some Mission critical Production SQL Server Clusters.

Hope this is useful info you learnt something new! Cheers!…

Cluster Group in Failover Cluster Manager- Windows Server 2008/2008R2??…

Where did Cluster Group go starting Windows Server 2008? Did microsoft really removed the concept of Cluster group starting Win Server 2008??…

If you worked a long time on Windows Server 2003 Clusters, you will definitely know what a cluster group is. In 2003, we used to have a concept called “Groups”. One of the groups which it displays is “Cluster Group”, when you open your Cluster Administrator(Cluadmin). If you are new to clustering,  just to keep it very simple Cluster group is the Core of your Cluster. If your Cluster group is down, basically your entire cluster(all the applications, resources etc) are down.

Things got drastically changed starting Windows Server 2008. Basically we should no longer call it as “MicroSoft Cluster Services(MSCS)“. They renamed it to simply “Failover Cluster Services”. IMHO, this makes it very clear that we are not referring to NLB(Network Load Balancing) – which is one of the flavors of Clustering Services offered by Windows Servers.

Note: Failover Cluster and Network Load Balancing Cluster are completely two different entities, no way related to each other.

Anyways, let’s see where can we see the cluster Group in Failover Cluster Manager in Win Server 2008. Assuming you’ve already Installed FCS(Failover Cluster Service), once you navigate to your Administrative tools and open Failover Cluster Manager(GUI to Manage your Failover Cluster), you’ll see something very similar to the below Screeshot.

Typically we expand our Cluster and navigate to our Services and Applications, Nodes, Networks to manage our SQL Servers! But you are not able to see the actual Cluster Group anywhere as shown in the below Screenshot!

Soooo….where do i get that info!!…

All you’ve to do is to Navigate to the Main Windows cluster and expand Cluster Core Resources(This will be collapsed by default) as shown below.

Once Expanded, you could see something like the below screenshot, where we can see our Cluster Group 🙂

If you are more CMD/PS person, One Simple Way to get the list of all the Groups within our Cluster from CMD is just typing “CLUSTER GROUP” from your Command Prmt! You can see the Below Screenshot from one of the nodes in my Failover Cluster.

As you can see, we still have the Core Concept of “Cluster Group”! Don’t get confused with “Available Storage” being Offline from above Screenshot, It has nothing to with your current allocated SAN Drives(Storage). I Don’t have any extra(additional) storage available in this cluster as of now(See below Screenshot to see what I mean, as you can see all of my drives are allocated to something or other), that’s the reason this is listed as Offline for now, I believe it will appear ONLINE once i create a new SAN Drive and add to this Cluster(Pls. correct me If I’m wrong.)

Soo…the Bottom Line is…We do have Cluster Group Concept, but in stealth Mode 😉