James, when you log in, find out if there is any form of software like LogMeIn or something to that effect, or if the VPNs have had recent logins that weren't you. If yes to either, then get as many details as possible and disable both.
From there you should be able to determine if any malicious action took place.
As for the password... ERD Commander works on SBS no problem, so you should be able to change the password. Also whilst there, change domain passwords and any admin passwords. Letter, number, symbol combinations. Tell the boss it's a security measure until you find out what's happened.
And if/when you get it back up as a DC, do a search for any account with domain/enterprise admin level and change passwords/disable. It's possible they had an account hidden somewhere.
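One way to do that search once the DC is back, as an added example that is not part of the thread: enumerate every account that holds Domain Admins, Enterprise Admins, Schema Admins or Administrators rights (nested groups expanded, so an account hidden inside another group still shows up), flag anything created or re-passworded recently, and dry-run the reset/disable. It assumes the ActiveDirectory PowerShell module (RSAT or Server 2008 R2 and later), which SBS 2003 itself does not have; the 30-day window is a placeholder to adjust to the incident timeline.

```powershell
# Added example, not code from the thread. Assumes the ActiveDirectory module
# (RSAT / Server 2008 R2+), run from an account that can read the domain.
Import-Module ActiveDirectory

$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$sinceDate = (Get-Date).AddDays(-30)   # review window: placeholder, set to the incident timeline

$report = foreach ($group in $privilegedGroups) {
    # -Recursive expands nested groups so an account two groups deep is still found
    Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $u = Get-ADUser -Identity $_.DistinguishedName `
                 -Properties whenCreated, whenChanged, LastLogonDate, PasswordLastSet, Enabled
            [pscustomobject]@{
                Group           = $group
                SamAccountName  = $u.SamAccountName
                Enabled         = $u.Enabled
                Created         = $u.whenCreated
                Changed         = $u.whenChanged
                PasswordLastSet = $u.PasswordLastSet
                LastLogon       = $u.LastLogonDate
                # New privileged account, or password reset by someone, inside the window
                Suspicious      = ($u.whenCreated -gt $sinceDate) -or ($u.PasswordLastSet -gt $sinceDate)
            }
        }
}

# One row per account per group, so the same user appearing in several groups is obvious
$report | Sort-Object SamAccountName, Group | Format-Table -AutoSize

# Reset and disable the flagged, still-enabled accounts. -WhatIf keeps this a dry run;
# remove it only after the list has been checked against the accounts you know you created.
$report | Where-Object { $_.Suspicious -and $_.Enabled } | ForEach-Object {
    $newPassword = Read-Host -AsSecureString "New password for $($_.SamAccountName)"
    Set-ADAccountPassword -Identity $_.SamAccountName -NewPassword $newPassword -Reset -WhatIf
    Disable-ADAccount -Identity $_.SamAccountName -WhatIf
}
```

Export the `$report` table before changing anything; the created/changed timestamps are part of the evidence the police will want alongside the event logs.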
So at the moment the passwords are not an issue; the fact is Directory Services is really, really broken, and in order to fix it I need the files from my backup, which I have, but it is on an LTO3 tape and I don't have a spare drive on another server, and the one they have is internal.
SO IF ANYONE IN BIRMINGHAM/WEST MIDLANDS HAS AN LTO3 DRIVE I WOULD LIKE TO COME AND USE IT PLEASE :D YOU WILL BE DOING ME A HUGE FAVOUR! IF NOT I SHALL ORDER ONE NEXT DAY.
Passwords that I set had numbers, symbols, upper and lower case letters, so it's not like he could have guessed it afterwards.
I was going to be resetting all user accounts this afternoon, but that kind of never happened because it is broken.
Active Directory is easy to fix... get the SBS install disk, uninstall ADUC, reinstall it and tell it to pick up the old domain tree files.
It will pick them up and kick it back into shape. The only thing you may have to do is redo some of the GPO stuff, as I found doing that sometimes loses GPO settings; in that instance export your GPO settings and reimport them after.
Disclaimer: this method has been used twice by me in the past on Server 2008 R2. Whether it works for SBS 2003 remains to be seen, and I take no responsibility for loss of server functionality if it fails.
Seconded, and although AD usually survives them, I think the most likely explanation for this is an abrupt reset, e.g. power outage or h/w glitch, as opposed to something malicious.
Quote:
the reason it is not working is because Logon Services / Directory Services is shafted!
James, how are you getting on? :)
I have managed to hunt down someone with a spare backup server, which I have put my StorageWorks Ultrium 920 (LTO3) drive into, and I have managed to get the system state from the backup I created (so that is a good start).
I have taken an image of the server as it is, just in case something crazy happens during this process; I will still be able to get access to any data using a virtual machine and attaching the VHD (just a precaution).
That has nearly finished. I will then boot into Windows Server 2008 R2 and copy the files required onto the broken box, replacing the broken/corrupt files, and then, touch wood, it should boot. The .dit file is restored, and it looks like that is the main culprit that needs replacing.
I shall let you know more soon, once I have the copy done. :)
Quick update whilst I intake some coffee....
Server is now back online. Microsoft are going to look at my event logs, BUT! here is where it gets scary/annoying/making me want to cry!
- Many IMPORTANT folders have been deleted from the server, including the main database
- Exchange has been removed
- Backup Exec has been removed
- Anti-Virus has been removed
- amongst a few other things that DO NOT just disappear!
- Event logs were clean until the morning of Tuesday, when events were being logged
- Passwords to the WatchGuard firewall no longer work
- CCTV has been turned off for quite a bit of time (I was not even aware of it until I mentioned "can we see")
- the NTDS.DIT file was actually MISSING, as opposed to being there and corrupt
So, one thing I think I can gather is this was not done by accident. Also, I believe you cannot reset a WatchGuard firewall without being on-site to put it into safe mode, so it leads me to think it was actually done on site. (Need to think in a bit more detail.)
I have so much to do, my hair is falling out! I have a backup which is missing data because someone unselected some important things (i.e. the database), and obviously I was not to know this, as who would have thought someone would do such a thing.
Complete nightmare! Another late night for me... loads of stuff I need to fix and get back online... and I need to work out how the bloody hell this has happened, ready for the police tomorrow!
Not fun, and definitely not something I expected to be dealing with after being here for 4 days! :(
If it's a late one, make sure you get yourself a good pizza delivered and a few Red Bulls!
In all seriousness though I'm glad headway has been made albeit only a little!
Slightly confused with the reference to 2008 R2 and SBS 2003: if the box is SBS 2003, surely you should have restored it with SBS 2003 files / Server 2003 files, as putting 2008 R2 over it will remove Exchange etc.?
I think 2008 R2 is about booting a CD that understands NTFS and can copy files to the C: drive; could have been a BartPE (my "weapon" of choice) or any other equivalent.
Is that gracefully removed, i.e. are there log files kicking around (with timestamps), or was it simply folders, or simply files "deleted"?
Quote:
has been removed
Meanwhile someone's got to do the other-side thing, so I note:
1) All the things you mentioned are ones which often keep busy files open, not readily deletable. [But that certainly applies to the registry, which presumably was OK then?]
2) chkdsk is very good at disappearing files when clearing up broken file systems.
For me, at this distance with little info., Windows event logs etc., the firewall password is the best smoking gun. Don't know about that one, but I've yet to see a half-serious one that doesn't keep track of admin logons and password changes.
James, it's clear that it was done on-site, and if CCTV logs are missing, then surely the security personnel have some sort of logging system as to who logs into the building. Beyond that it might be worthwhile speaking to the CEO... Give me a PM as I may be able to help with a few bits of the event logs and suchlike :)
Thanks guys for the info,
@john, the reason I chose Server 2008 R2 was because I was able to copy the files from the system state I needed to get the box back up, such as the registry / Active Directory folders. There are plenty of other ways, but it just works with 2008 R2/Win7. I know there are other ways, but that is what I chose, as it worked.
Folders have been deleted as a whole; most of the Windows directory is in the recycle bin, amongst other things such as the Exchange information store, which is nowhere to be seen, including the logs.
I am probably going to remove some bits here now from the public domain, with such services now being involved as of tomorrow morning, so excuse the edits. I just think it might be best; I for one did not think it could get this serious.
@Carl - I shall speak to you later