Windows Server 2000/2003 Thread, Server Down - Administrator Cannot Login / Directory Services Unavailable in Technical
  1. #31

    Michael's Avatar
    "amongst a few other things that DO NOT just disappear!"
    I have to agree here. In my experience of looking at trashed Active Directories, the system file and folder structure is still there, but it's typically one or more components which are corrupt.

    Your Anti-Virus application should still be in Add/Remove Programs, which would also show the file/folder structure has been deleted. Of course the other possibility is malware, but it's fairly rare on a server due to its more 'locked down' configuration in 2003/2008 Server.

  2. #32

    nephilim's Avatar
    I had a good look with James yesterday via TeamViewer... the whole thing looks like someone sat in front of the machine and deleted a whole stack of stuff... not to mention the active directory is all over the place (users are in the restricted area but have enterprise admin!). Found a few hidden users which got blocked off as well.

  3. #33

    @James - Posted in the Ent forum regarding exch. What's the latest with AD? Is this back up now? Can you browse ADSIEdit and check the config partition, drill down to services>exch> and see what config is there for exch?

    Was exch 2003 deployed before all this mess?

    Are you deploying 2010 from scratch now?

    I'll keep this thread updated for exch or you can keep it separate if it gets messy

  4. #34

    EduTech's Avatar
    @Sukh Basically we have bought a brand new server and I have installed Small Business Server 2011 and started from scratch re-building every single server. Microsoft's words were that the Previous SBS 2003 box was in a very very bad way! and it would take a while to rebuild AD/Exchange etc. and even then it may not be right and we end up having further more problems and then obviously the effects of that are the business gets affected. So yeah brand new SBS2011 box.

    The Old SBS box is still in its broken state, but now boots as the NTDS.DIT file is back in its place and the registry has been restored from a backup. Exchange etc. is all missing.

    I have looked on the backup that I managed to create on the Friday before all this happened and even though the backup was modified afterwards as stated, the person who did this may have excluded the exchange directory on the drive but did not exclude the Exchange Information Store Backup (the one you do via backup exec) so I have this, but it won't restore because it cannot contact the old SBS box or any of the exchange parts (as they are not there).

    I am able to Restore to another location, but I assume this will have to be another box with AD/Exchange. (I don't want to restore it straight to my new SBS2011 box, and to be honest I can't see that working anyway).

    Exchange 2003 was part of the SBS 2003 Installation. So yes.

    We are deploying it all from scratch, and note that it is SBS2011 and not Single instances of the Server Products.

    James.

  5. #35

    "most of the Windows Directory is in the recycle bin"
    "the whole thing looks like someone sat in front of the machine and deleted a whole stack of stuff"
    I dropped the case against on reading about the recycle bin above.. not very likely that would get there without someone doing it via a GUI console.

  6. #36

    EduTech's Avatar
    Quote Originally Posted by PiqueABoo View Post
    I dropped the case against on reading about the recycle bin above.. not very likely that would get there without someone doing it via a GUI console.
    Yup, It has been done by someone I know that for sure now it's not a Server Failure and just bad timing because EVERY SINGLE SERVER has been messed with, Folders Deleted, Databases Deleted etc. in some way or another. Because they did not backup the Dynamics AX box at all! that needs to re-build from scratch thankfully they are migrating to that new ERP System and therefore it's not too much of an issue I just need to get my head around Dynamics and get that on its way again to being the new ERP System.

    Terminal Server was destroyed, but this also ran Reporting Services amongst a few other bits and bobs.

    SBS2003 Server was destroyed which we know, that has now been rebuilt and replaced with SBS2011.

    FileServer, Data was deleted but thankfully I have the backup that I made... although some folders were missing as they had been excluded such as the entire company database! (but thankfully I had copied that the minute I got here to another location, which the person was unaware of and therefore I have managed to get that back).

    So, yeah Total Network Re-Build in 2 and Half Days! not bad going... see how it goes on Monday morning.

    I'll be leaving here again around midnight, as per last night too! Joyful!

    James.

  7. #37

    m25man's Avatar
    I had something very similar a few years back when a compromised service account with admin rights was being used to delete files, folders and objects from AD.
    It was the Microsoft guys that positively identified the offending account after enabling auditing on objects.

    It started when a workstation that was being used by the school's network manager became infected with a Conficker variant; this station was then used in a similar manner to what you have described. Servers were systematically destroyed; I actually witnessed stuff disappearing from the servers' screens along with system files and chunks of registries. The AV software was being removed and anarchy ruled.
    Servers would grind to a halt, and when they were rebooted registry files were corrupt or missing, entire folders and directories deleted.

    Once the compromised account was disabled and servers and workstations stabilised it became clear where they got in. For a while we too believed it had to be an inside job of mindless vandalism, but turned out to be a very lazy admin who failed to keep his own workstation safe.

    You also mentioned a Terminal Server; these are incredibly easy to compromise if there is nothing between them and the Internet other than port 3389 and a password.
    TSGrinder will just hack away until the local admin account gives itself up then it's game over.

    Unless you're using 2 Layer Authentication on your TS, disable all local admin accounts and secure it by other means.

    My IPS system has been logging port scans and TS attacks mostly from Turkey and Italy for the last few weeks and it's been getting steadily worse.
    As you have completely rebuilt your domain I take it that all of the passwords have been replaced with new ones????
    The last thing you need is one of your old user accounts and passwords to be active on your new domain again!
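
An added example, not part of m25man's post or the thread: one way to spot the Terminal Server password guessing described above in the Security log, by flagging bursts of failed RDP logons per source address and any successful logon that follows one. It assumes logon auditing is enabled and the events were exported to CSV with the hypothetical column names shown; the rows and addresses are constructed.

```python
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample export of Security-log logon events (hypothetical CSV layout).
SAMPLE = """time,event_id,logon_type,account,source_ip
2011-06-20T02:00:01,529,10,Administrator,203.0.113.7
2011-06-20T02:00:09,529,10,Administrator,203.0.113.7
2011-06-20T02:00:17,529,10,Administrator,203.0.113.7
2011-06-20T02:00:26,529,10,Administrator,203.0.113.7
2011-06-20T02:00:34,529,10,Administrator,203.0.113.7
2011-06-20T02:00:41,529,10,Administrator,203.0.113.7
2011-06-20T02:01:10,528,10,Administrator,203.0.113.7
2011-06-20T08:55:02,529,10,jsmith,198.51.100.20
2011-06-20T08:55:30,528,10,jsmith,198.51.100.20
2011-06-20T09:10:00,529,2,Administrator,
"""

FAILED = {529, 4625}     # bad user name/password: Server 2003 / Server 2008 and later
SUCCESS = {528, 4624}    # successful logon: Server 2003 / Server 2008 and later
REMOTE_INTERACTIVE = 10  # logon type recorded for Terminal Services / RDP sessions

def detect_rdp_bruteforce(csv_text, threshold=5, window=timedelta(minutes=2)):
    """Return alerts as (kind, source_ip, account, time) tuples."""
    recent = defaultdict(deque)  # source IP -> times of failures inside the window
    noisy = set()                # source IPs that already crossed the threshold
    alerts = []
    rows = sorted(csv.DictReader(io.StringIO(csv_text)), key=lambda r: r["time"])
    for r in rows:
        if int(r["logon_type"]) != REMOTE_INTERACTIVE:
            continue  # console, service and network logons are out of scope here
        t = datetime.fromisoformat(r["time"])
        ip, eid = r["source_ip"], int(r["event_id"])
        if eid in FAILED:
            q = recent[ip]
            q.append(t)
            while t - q[0] > window:  # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and ip not in noisy:
                noisy.add(ip)
                alerts.append(("bruteforce", ip, r["account"], r["time"]))
        elif eid in SUCCESS and ip in noisy:
            # A logon that succeeds after a guessing burst is the one to act on.
            alerts.append(("success_after_bruteforce", ip, r["account"], r["time"]))
    return alerts

if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE):
        print(alert)
```

The jsmith rows (one mistyped password, then a logon) stay below the threshold and raise nothing; only the burst against Administrator and the logon that follows it are reported.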

  8. #38

    James,

    Has the MD spoken to the police yet?

  9. #39

    My priority would be securing a pay rise.

    Good luck!

  10. #40

    @James

    1. If you have the edb file then it's good news. Not sure how much time you have or money to play with but either perform a restore in an isolated env and recover data, this may involve some playing around.
    2. If time is limited and the MD wants the data ASAP, then you can use tools such as Ontrack which will let you browse the edb file and you can extract the data out easily.
    3. I assume all the exch data is on the edb and there's nothing available for the users? i.e. they weren't using PST file or a POP3/IMAP Client?

  11. #41

    EduTech's Avatar
    Quote Originally Posted by sukh View Post
    @James

    1. If you have the edb file then it's good news. Not sure how much time you have or money to play with but either perform a restore in an isolated env and recover data, this may involve some playing around.
    2. If time is limited and the MD wants the data ASAP, then you can use tools such as Ontrack which will let you browse the edb file and you can extract the data out easily.
    3. I assume all the exch data is on the edb and there's nothing available for the users? i.e. they weren't using PST file or a POP3/IMAP Client?
    For quickness, but a pain in the backside for me I ended up having to manually import the PST Backups of user mailboxes when I went round to copy the contents of the local profiles to the new Home Drives (that they never had before.) I have a few users who were not in so I will restore their mailboxes when I do the exchange restore to another 2003 Box. I do not have the .edb files because they were excluded from backups.

    Went well today to be honest, better than I thought considering the circumstances. I just need to reset the Wireless Links between the two sites (2 miles away) as they have these Access Points which join them together. (they spent loads of money on access points as internet connections are very poor due to it being in the woods).

    And I need to find the TS CALS they have hiding somewhere to get that back online, although I am putting the remote users on to Watchguard SSL VPN Connections.

    James.

  12. #42

    EduTech's Avatar
    Quote Originally Posted by wizzard View Post
    James,

    Has the MD spoken to the police yet?
    Tomorrow.

    I was there until 11pm Saturday Evening, and I locked up at 1am this morning... got home did a bit more went to sleep around 4am and was back onsite for 7am. So I'm pretty damn tired now!
    Last edited by EduTech; 27th June 2011 at 07:31 PM.
