services not starting
Having all sorts of issues with one of my DCs today; these services won't start even after a reboot:
COM+ Event System
COM+ System Application
There are no clues in the Event Viewer; the services won't start regardless, and they all depend on each other.
I would just demote the server, but dcpromo won't work because DFS isn't running because the other services won't run.
No new software has gone on the server either. Not sure what to do now.
Is it possible to create a new server with the same name and then switch off the old one and rejoin the new server to the domain?
Why does it need to be the same name?
The server is called srv-dc1; this is the problem one. It doesn't have to be, I'd just like to have dc1, dc2, dc3.
As long as you have another healthy DC, I would prep another one and transfer, or more likely seize, any FSMO roles the other one may have had, and then don't turn it on again. You can then remove the account and look at metadata cleanup options if needed. Is there a chance the AV is interfering?
Took the words out of my mouth. Funnily enough, not long ago I was reading a blog post about Kaspersky stopping DFS replication running.
Originally Posted by ChrisH
You might want to check connectivity between the server and target.
Also read this KB article about lengthening the timeout period for the service to start from 30 secs to see if something is taking a long time to start up (this article is not directly about your issue but does show you how to extend the time services have to start).
Sorted it. It was missing reg files that are used to control the VSS; restored the missing reg and rebooted, and everything is working fine now.
Missing Registry keys eh?
I would also suggest that you consider changing all of your admin level account passwords and enable detailed auditing of your event logs.
I have seen this when an admin level account has been compromised; we saw several servers systematically destroyed in a single day on one site.
Who else has rights to delete registry entries...?
Auditing login failures is common, but if one of your service accounts has been compromised you need to know when an admin level account logs on to one of your servers without you knowing.
In our case once advanced auditing was enabled we quickly discovered that an admin level Ranger service account was being used by a backdoor Trojan on a machine used by the network admin!
Get this, it had no AV installed and was regularly used to surf Russian Websites!!!
This machine in turn had infected and damaged dozens of others.
Once an account with admin level privilege is compromised a script kiddie can execute almost anything against anything.
E.g. SC \\remotecomputer delete newservice binpath= c:\windows\system32\newserv.exe and that's just a textbook example, nothing as twisted and complex as they can be.
These scripts can be automated, run by AT commands, and be called as payloads by other common parasitic processes, and don't think your AV will help you, as this will be the first service to be removed!
Trust no one, especially those user accounts with admin privileges... especially those used rarely. Disable all infrequently used admin level accounts until you know they are safe.
These exploits can be common payloads for Conficker variant infections.
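
One way to act on the auditing advice in the post above, as an added example that is not part of the thread: flag successful logons by admin-level accounts that come from a host not on that account's allow-list. It assumes Windows Server 2008 or later (where a successful logon is Security event ID 4624) with logon auditing enabled; the account names, host names, addresses and sample events are constructed.

```powershell
# Added example, not from the thread. Account names, host names and the
# sample events are constructed; adjust the allow-list to your environment.
$AllowedSources = @{                       # hypothetical admin-level account -> expected source hosts
    'svc-ranger'    = @('SRV-APP1')
    'administrator' = @('SRV-DC2', 'ADMIN-WS1')
}

# Flatten a Security-log 4624 record (successful logon) into a simple object.
function ConvertFrom-LogonEvent {
    param([Parameter(ValueFromPipeline = $true)] $Record)
    process {
        $data = @{}
        foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            TimeCreated     = $Record.TimeCreated
            TargetUserName  = $data['TargetUserName']
            LogonType       = $data['LogonType']
            WorkstationName = $data['WorkstationName']
            IpAddress       = $data['IpAddress']
        }
    }
}

# Emit logons by a watched account whose source is not on its allow-list.
function Find-UnexpectedAdminLogon {
    param([Parameter(ValueFromPipeline = $true)] $Logon)
    process {
        if (-not $Logon.TargetUserName) { return }
        if (-not $AllowedSources.ContainsKey($Logon.TargetUserName)) { return }
        # WorkstationName is often empty or '-' for network logons; fall back to the IP.
        $source = $Logon.WorkstationName
        if (-not $source -or $source -eq '-') { $source = $Logon.IpAddress }
        if ($AllowedSources[$Logon.TargetUserName] -notcontains $source) {
            $Logon | Add-Member -NotePropertyName Source -NotePropertyValue $source -PassThru
        }
    }
}

# Constructed sample events, so the logic can be tried offline.
$sample = @(
    [pscustomobject]@{ TimeCreated = '2024-01-10 02:14'; TargetUserName = 'svc-ranger'; LogonType = '3'; WorkstationName = '-'; IpAddress = '10.0.0.57' }
    [pscustomobject]@{ TimeCreated = '2024-01-10 09:01'; TargetUserName = 'Administrator'; LogonType = '10'; WorkstationName = 'ADMIN-WS1'; IpAddress = '10.0.0.20' }
    [pscustomobject]@{ TimeCreated = '2024-01-10 09:30'; TargetUserName = 'jsmith'; LogonType = '2'; WorkstationName = 'PC-114'; IpAddress = '-' }
)
$sample | Find-UnexpectedAdminLogon | Format-Table TimeCreated, TargetUserName, LogonType, Source

# Live use on a server (elevated session required to read the Security log):
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } | ConvertFrom-LogonEvent | Find-UnexpectedAdminLogon
```

With the sample data only the `svc-ranger` logon from 10.0.0.57 is reported, since that account is expected only from SRV-APP1.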