Windows Server 2000/2003 Thread, Server Down - Administrator Cannot Login / Directory Services Unavailable in Technical
  1. #16

    EduTech's Avatar
    Quote, originally posted by Michael:
    The link IanT posted looks promising and would definitely be something I would explore. If the backup doesn't work, then it doesn't work. You can't be held responsible for this! It sounds to me you're doing a fab job given the circumstances.

    Thanks Mate, I will do that but at the moment you can't even log in to the server anymore because of the error it shows with regards to directory services. Joyful!

    James.

  2. #17

    nephilim's Avatar
    James, when you log in, find out if there is any form of software like LogMeIn or something to that effect, or if the VPNs have had recent logins that weren't you. If yes to either then get as many details as possible and disable both.

    From there you should be able to determine if any malicious action took place.

    As for the password... ERD Commander works on SBS no problem so you should be able to change the password. Also whilst there, change domain passwords and any admin passwords. Letter number symbol combinations. Tell the boss it's a security measure until you find out what's happened.

  3. #18


    And if/when you get it back up as a DC, do a search for any account with domain/enterprise admin level and change passwords/disable; it's possible they had an account hidden somewhere.
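
An added example, not part of the thread: one way to run the privileged-account search suggested in the post above on a Server 2003-era domain controller, using the built-in `dsquery`/`dsget` tools. It assumes the default English group names and a session with read access to the directory. The `adminCount=1` sweep goes one step beyond the group listing: that attribute is stamped on accounts that are, or at some point were, in a protected admin group, so it also surfaces accounts that were later taken back out of the groups.

```batch
@echo off
rem Added example, not from the thread: review privileged accounts on the DC.
rem Assumes default English group names and that dsquery/dsget are installed
rem (they ship with Windows Server 2003 and the Server 2003 admin tools).
setlocal

rem 1. List every member of the high-privilege groups. -expand follows nested
rem    groups, so an account tucked inside another group still shows up.
for %%G in ("Domain Admins" "Enterprise Admins") do (
    echo.
    echo === Members of %%~G, nested groups expanded ===
    dsquery group -name %%G | dsget group -members -expand
)

rem 2. List user accounts flagged adminCount=1, with creation and last-change
rem    times. Compare this list with step 1: a name that appears here but not
rem    in any group above was privileged at some point and needs explaining.
echo.
echo === User accounts with adminCount=1 ===
dsquery * domainroot -filter "(&(objectCategory=person)(objectClass=user)(adminCount=1))" -attr sAMAccountName whenCreated whenChanged -limit 0

endlocal
```

Any account in either list that nobody can account for is a candidate for a password change or for disabling, as the post suggests; the `whenCreated` column helps place it relative to the incident.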

  4. #19

    EduTech's Avatar
    Quote, originally posted by nephilim:
    James, when you log in, find out if there is any form of software like LogMeIn or something to that effect, or if the VPNs have had recent logins that weren't you. If yes to either then get as many details as possible and disable both.

    From there you should be able to determine if any malicious action took place.

    As for the password... ERD Commander works on SBS no problem so you should be able to change the password. Also whilst there, change domain passwords and any admin passwords. Letter number symbol combinations. Tell the boss it's a security measure until you find out what's happened.

    Yeah, I will be looking into how it happened once I get it up and running. I know what the password is Admin-wise because I set it up; the reason it is not working is because Logon Services / Directory Services is shafted! So it's like disabling the local admin password on a laptop and that dropping off the domain; sometimes you do get a bit stuck.

    So at the moment the passwords are not an issue. The fact is Directory Services is really really broken, and in order to fix it I need the files from my backup that I have, but it is on an LTO3 tape and I don't have a spare drive on another Server and the one they have is internal.

    SO IF ANYONE IN BIRMINGHAM/WEST MIDLANDS HAS AN LTO3 DRIVE I WOULD LIKE TO COME AND USE IT PLEASE, YOU WILL BE DOING ME A HUGE FAVOUR! IF NOT I SHALL ORDER ONE NEXT DAY.

    Passwords that I set had Numbers, Symbols, Upper and Lower Case Letters so it's not like he could have guessed it afterwards.

    I was going to be resetting all USER accounts this afternoon to be changed, but that kind of never happened because it is broke.

    James.

  5. #20

    EduTech's Avatar
    Quote, originally posted by sted:
    And if/when you get it back up as a DC, do a search for any account with domain/enterprise admin level and change passwords/disable; it's possible they had an account hidden somewhere.

    I already checked Domain Admin / Enterprise Admins and only myself, admin account and some SQL Account was in there and I changed all passwords to very secure passwords.

    James.

  6. #21

    nephilim's Avatar
    Active Directory is easy to fix... get the SBS install disk, uninstall ADUC, reinstall it and tell it to pick up the old domain tree files.

    It will pick them up and kick it back into shape. Only thing you may have to do is redo some of the GPO stuff as I found doing that sometimes loses GPO settings, so in that instance export your GPO settings and reimport them after.

    Disclaimer - this method has been used twice by me in the past on Server 2008 R2. Whether it works for 2003 SBS remains to be seen and I take no responsibility for loss of server functionality if it fails.

  7. #22

    the reason it is not working is because Logon Services / Directory Services is shafted!
    Seconded and although AD usually survives them, I think the most likely explanation for this is an abrupt reset e.g. power outage or h/w glitch, as opposed to something malicious.

  8. #23
    IanT's Avatar
    James - How you getting on?

  9. #24

    EduTech's Avatar
    I have managed to hunt down someone with a spare backup server which I have put my StorageWorks Ultrium 920 (LTO3) drive into and I have managed to get the system state from the backup I created (so that is a good start).

    I have taken an image of the server as it is, just in case something crazy happens during this process I still will be able to get access to any data using a Virtual Machine and attaching the VHD. (Just a precaution.)

    That has nearly finished, I will then boot into Windows Server 2008 R2 and copy the files required on to the broken box, replacing the broken/corrupt files, and then touch wood it should boot. The .dit file is restored, and it looks like that is the main culprit that needs replacing.

    I shall let you know more as soon as I have the copy done.

    James.

  10. #25

    EduTech's Avatar
    Quick update whilst I intake some coffee....

    Server is now back online, Microsoft are going to look at my event logs BUT! Here is where it gets scary/annoying/making me want to cry!

    - Many IMPORTANT folders have been deleted from server, including Main Database
    - Exchange has been removed
    - Backup Exec has been removed
    - Anti-Virus has been removed
    - amongst a few other things that DO NOT just disappear!

    - Event Logs were clean until the morning of Tuesday where events were being logged
    - Passwords to WatchGuard Firewall no longer work
    - CCTV has been turned off for quite a bit of time (I was not even aware of it until I mentioned can we see)
    - the NTDS.DIT file was actually MISSING as opposed to being there and corrupt

    So, one thing I think I can gather is this was not done by accident. Also, I believe you cannot reset a WatchGuard Firewall without being on-site to put it into safe mode, so it leads me to think it was actually done on site. (Need to think in a bit more detail.)

    I have so much to do, my hair is falling out! I have a backup which is missing data because someone unselected some important things (i.e. the database) and obviously I was not to know this, as who would have thought someone would do such a thing.

    Complete nightmare! Another late night for me... loads of stuff I need to fix and get back online... and I need to work out how the bloody hell this has happened ready for the police tomorrow!

    Not fun, and definitely not something I expected to be dealing with after being here for 4 days!

  11. #26
    bodminman's Avatar
    If it's a late one, make sure you get yourself a good pizza delivered and a few Red Bulls!

    In all seriousness though I'm glad headway has been made albeit only a little!

  12. #27

    john's Avatar
    Slightly confused with the reference to 2008 R2 and SBS 2003. If the box is SBS 2003, surely you should have restored it with SBS 2003 files / Server 2003 files, as putting 2008 R2 over it will remove Exchange etc?

  13. #28

    I think 2008R2 is about booting a CD that understands NTFS and can copy files to the C: drive - could have been a BartPE (my "weapon" of choice) or any other equivalent.

    has been removed
    Is that gracefully removed, i.e. are there log files kicking around (with timestamps), or was it simply folders, or simply files "deleted"?

    Meanwhile someone's got to do the other-side thing, so I note:

    1) all the things you mentioned are ones which keep often busy files open, not readily delete-able. [But that certainly applies to registry, which presumably was OK then?]
    2) chkdsk is very good at disappearing files when clearing up broken file systems

    For me at this distance with little info., Windows event logs etc., the firewall password is best smoking gun - don't know about that one, but I've yet to see a 1/2 serious one that doesn't keep track of admin logons and password changes.

  14. #29

    nephilim's Avatar
    James, it's clear that it was done onsite, and if CCTV logs are missing, then surely the security personnel have some sort of logging system as to who logs into the building. Beyond that it might be worthwhile speaking to the CEO... Give me a PM as I may be able to help with a few bits of the event logs and suchlike.

  15. #30

    EduTech's Avatar
    Thanks Guys for the info,

    @john the reason I chose Server 2008 R2 was because I was able to copy the files from the system state I needed to get the box back up, such as (Registry / Active Directory Folders). Plenty of other ways but it just works with 2008R2/Win7. I know there are other ways but that is what I chose as it worked.

    Folders have been deleted as a whole, most of the Windows Directory is in the recycle bin amongst other things, such as Exchange Info Store is nowhere to be seen, including the logs.

    I am probably going to remove some bits here now from Public Domain with such services now being involved as of tomorrow morning, so excuse the edits. Just think it might be best; I for one did not think it could get this serious.

    @Carl - I shall speak to you later

    James.
