Windows Server 2000/2003 Thread: Server Down - Administrator Cannot Login / Directory Services Unavailable (Technical forum)
23rd June 2011, 09:13 AM #31
I have to agree here. In my experience of looking at trashed Active Directories, the system file and folder structure is still there, but it's typically one or more components which are corrupt.
amongst a few other things that DO NOT just disappear!
Your Anti-Virus application should still be in Add/Remove Programs, which would also show the file/folder structure has been deleted. Of course the other possibility is malware, but it's fairly rare on a server due to its more 'locked down' configuration in 2003/2008 Server.
23rd June 2011, 09:19 AM #32
I had a good look with James yesterday via TeamViewer... the whole thing looks like someone sat in front of the machine and deleted a whole stack of stuff... not to mention the Active Directory is all over the place (users are in the restricted area but have Enterprise Admin!). Found a few hidden users which got blocked off as well.
26th June 2011, 07:14 PM #33
@James - Posted in the Ent forum regarding exch. What's the latest with AD? Is this back up now? Can you browse ADSIEdit and check the config partition, drill down to Services > Exch and see what config is there for exch?
Was exch 2003 deployed before all this mess?
Are you deploying 2010 from scratch now?
I'll keep this thread updated for exch, or you can keep it separate if it gets messy.
26th June 2011, 07:43 PM #34
@Sukh Basically we have bought a brand new server and I have installed Small Business Server 2011 and started from scratch, re-building every single server. Microsoft's words were that the previous SBS 2003 box was in a very, very bad way! And it would take a while to rebuild AD/Exchange etc., and even then it may not be right and we end up having further problems, and then obviously the effects of that are that the business gets affected. So yeah, brand new SBS 2011 box.
The old SBS box is still in its broken state, but now boots as the NTDS.DIT file is back in its place and the registry has been restored from a backup. Exchange etc. is all missing.
I have looked on the backup that I managed to create on the Friday before all this happened, and even though the backup was modified afterwards as stated, the person who did this may have excluded the Exchange directory on the drive but did not exclude the Exchange Information Store backup (the one you do via Backup Exec), so I have this, but it won't restore because it cannot contact the old SBS box or any of the Exchange parts (as they are not there).
I am able to restore to another location, but I assume this will have to be another box with AD/Exchange. (I don't want to restore it straight to my new SBS 2011 box, and to be honest I can't see that working anyway.)
Exchange 2003 was part of the SBS 2003 Installation. So yes.
We are deploying it all from scratch, and note that it is SBS2011 and not Single instances of the Server Products.
26th June 2011, 07:48 PM #35
most of the Windows Directory is in the recycle bin
I dropped the case against on reading about the recycle bin above... not very likely that would get there without someone doing it via a GUI console.
the whole thing looks like someone sat infront of the machine and deleted a whole stack of stuff
26th June 2011, 07:53 PM #36
26th June 2011, 11:37 PM #37
I had something very similar a few years back when a compromised service account with admin rights was being used to delete files, folders and objects from AD.
It was the Microsoft guys that positively identified the offending account after enabling auditing on objects.
It started when a workstation that was being used by the school's network manager became infected with a Conficker variant. This station was then used in a similar manner to what you have described: servers were systematically destroyed. I actually witnessed stuff disappearing from the servers' screens, along with system files and chunks of registries. The AV software was being removed and anarchy ruled.
Servers would grind to a halt, and when they were rebooted registry files were corrupt or missing, and entire folders and directories deleted.
Once the compromised account was disabled and servers and workstations stabilised, it became clear where they got in. For a while we too believed it had to be an inside job of mindless vandalism, but it turned out to be a very lazy admin who failed to keep his own workstation safe.
You also mentioned a Terminal Server; these are incredibly easy to compromise if there is nothing between them and the Internet other than port 3389 and a password.
TSGrinder will just hack away until the local admin account gives itself up, then it's game over.
Unless you're using 2 Layer Authentication on your TS, disable all local admin accounts and secure it by other means.
My IPS system has been logging port scans and TS attacks, mostly from Turkey and Italy, for the last few weeks, and it's been getting steadily worse.
As you have completely rebuilt your domain, I take it that all of the passwords have been replaced with new ones?
The last thing you need is one of your old user accounts and passwords to be active on your new domain again!
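As an added illustration of the auditing point in the post above (example code, not from anyone in the thread): the two checks a defender would want to run over Security log exports after enabling object auditing, namely bursts of failed RDP logons per source address and accounts deleting many directory objects in a short window. It assumes Server 2008-style event IDs (4625 failed logon with logon type 10 for RDP, 5141 directory object deleted) and the sample records, addresses and account names are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Windows Security events (not from the thread): a simplified
# subset of the fields in 4625 (failed logon) and 5141 (directory object deleted).
BASE = datetime(2011, 6, 24, 2, 0, 0)
EVENTS = (
    # 8 RDP failures (logon type 10 = RemoteInteractive) against the local admin in 2 minutes
    [{"time": BASE + timedelta(seconds=15 * i), "id": 4625, "user": "administrator",
      "src": "203.0.113.7", "logon_type": 10} for i in range(8)]
    # 2 failures half an hour apart from another address: a mistyped password, not an attack
    + [{"time": BASE + timedelta(minutes=30 * i), "id": 4625, "user": "jsmith",
        "src": "192.0.2.5", "logon_type": 10} for i in range(2)]
    # a service account deleting 4 directory objects within one minute
    + [{"time": BASE + timedelta(hours=1, seconds=20 * i), "id": 5141, "user": "svc_backup",
        "object": f"CN=user{i},OU=Staff,DC=example,DC=local"} for i in range(4)]
    # one routine deletion by an admin
    + [{"time": BASE + timedelta(hours=2), "id": 5141, "user": "jsmith",
        "object": "CN=OldPC,CN=Computers,DC=example,DC=local"}]
)

def max_burst(times, window):
    """Largest number of timestamps that fall inside any span of length `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:  # slide the window's start forward
            start += 1
        best = max(best, end - start + 1)
    return best

def rdp_bruteforce_sources(events, threshold=5, window=timedelta(minutes=5)):
    """Source addresses with >= threshold failed network/RDP logons inside one window."""
    by_src = defaultdict(list)
    for e in events:
        if e["id"] == 4625 and e["logon_type"] in (3, 10):  # 3 = network, 10 = RDP
            by_src[e["src"]].append(e["time"])
    return {src: n for src, ts in by_src.items() if (n := max_burst(ts, window)) >= threshold}

def mass_deletion_accounts(events, threshold=3, window=timedelta(minutes=10)):
    """Accounts that deleted >= threshold directory objects inside one window."""
    by_user = defaultdict(list)
    for e in events:
        if e["id"] == 5141:
            by_user[e["user"]].append(e["time"])
    return {u: n for u, ts in by_user.items() if (n := max_burst(ts, window)) >= threshold}

if __name__ == "__main__":
    print("RDP brute-force sources:", rdp_bruteforce_sources(EVENTS))
    print("Mass-deletion accounts:", mass_deletion_accounts(EVENTS))
```

On real data, feed it the exported 4625/5141 records from every domain controller and the Terminal Server, since the compromised account in the post above was only identified once auditing covered the objects being deleted.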
27th June 2011, 09:41 AM #38
Has the MD spoken to the police yet?
27th June 2011, 09:56 AM #39
My priority would be securing a pay rise.
27th June 2011, 10:32 AM #40
1. If you have the edb file then it's good news. Not sure how much time or money you have to play with, but either perform a restore in an isolated env and recover data; this may involve some playing around.
2. If time is limited and the MD wants the data ASAP, then you can use tools such as Ontrack which will let you browse the edb file and extract the data out easily.
3. I assume all the exch data is on the edb and there's nothing available for the users? i.e. they weren't using PST files or a POP3/IMAP client?
27th June 2011, 07:27 PM #41
For quickness, but a pain in the backside for me, I ended up having to manually import the PST backups of user mailboxes when I went round to copy the contents of the local profiles to the new home drives (that they never had before). I have a few users who were not in, so I will restore their mailboxes when I do the Exchange restore to another 2003 box. I do not have the .edb files because they were excluded from backups.
Originally Posted by sukh
Went well today to be honest, better than I thought considering the circumstances. I just need to reset the wireless links between the two sites (2 miles away) as they have these access points which join them together. (They spent loads of money on access points as internet connections are very poor due to it being in the woods.)
And I need to find the TS CALs they have hiding somewhere to get that back online, although I am putting the remote users on to WatchGuard SSL VPN connections.
27th June 2011, 07:28 PM #42
Originally Posted by wizzard
I was there until 11pm Saturday evening, and I locked up at 1am this morning... got home, did a bit more, went to sleep around 4am and was back on site for 7am. So I'm pretty damn tired now!
Last edited by EduTech; 27th June 2011 at 07:31 PM.