Improve company productivity with a Business Account.Sign Up

x
?
Solved

Deleted Shortcuts, SYSVOL, and files inside of directories on C: - No clues.

Posted on 2006-10-24
2
Medium Priority
?
366 Views
Last Modified: 2006-11-18
Recently we experienced an outage, the SYSVOL was deleted or moved by whom or how we do not know. When this happened the SYSVOL
replicated to all of our 20+ DC's at our remote branches. We were forced to perform authoritative restores to the servers to get everything back up.

At now three of our remote sites, It appears that some script or app walked the C: drive and rm'd all of the files inside of directories. In two cases, the
servers were very messed up and reloads were performed. On one server, the deletion of files seemed to stop after the "Documents and Settings" directories, so
no user profiles have shortcuts, administrative tools, etc. on this system.

We have checked everything we can think of, We've ran HiJackThis, Spybot, and many other malware and spyware tools in an effort to find something, We copied all
of the event logs from the "compramised" systems using forensics tools. and re-reviewed the event logs as well.

We have aroud 20 WIndows Server 2003 Sp1 DC's, all of them on Dell PowerEdge 1800 class hardware, and one remaining Windows 2000 Sp4 DC(we are working on demoting this)

The "missing files on C:\" happened to only 3 Windows 2003 Sp1 DC's at remote branches, no other servers experienced this issues. The missing SYSVOL issue affected
all DC's of course when it happened.

We do not believe any administrative accounts were compramised.

My Questions are:

1. Does this make sense to anyone? Has anyone seen this or know how I could determine what caused this random file deletions on these three DC's?
2. We know what files were removed on the 3DC's can we watch these files on the remaining DC's and alert if they are removed somehow?(how?)
3. Is there a way to watch the SYSVOL and be alerted if any specific files/folders are Deleted?

Thanks so much in advance.
0
Comment
Question by:shaaad
  • 2
2 Comments
 
LVL 27

Expert Comment

by:Pber
ID: 17799146
The sysvol is a junction point.  If you create a shortcut to it then delete the shortcut, it will delete the sysvol.  Nice hey?
http://www.mcse.ms/archive173-2004-7-842431.html


See this for the future is you haven't already:
http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B315457

0
 
LVL 27

Accepted Solution

by:
Pber earned 1500 total points
ID: 17799169
See this as well, since you still have one 2000 DC:
http://support.microsoft.com/default.aspx/kb/324308

As far as monitoring the files, you can see this:
http://www.microsoft.com/technet/scriptcenter/guide/sas_fil_impx.mspx?mfr=true
0

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

So you have two Windows Servers and you have a directory/folder/files on one that you'd like to mirror to the other?  You don't really want to deal with DFS or a 3rd party solution like Doubletake. You can use Robocopy from the Windows Server 200…
by Batuhan Cetin In this article I will be guiding through the process of removing a failed DC metadata from Active Directory (hereafter, AD) using the ntdsutil tool in a Windows Server 2003 environment. These steps are not necessary in a Win…
Watch the video to know how one can repair corrupt Exchange OST file effortlessly and convert OST emails to MS Outlook PST file format by using Kernel for OST to PST converter tool. It can convert OST to MSG, MBOX, EML to access them. It can migrate…
If you are looking for an automated tool which can generate reports for Outlook emails and other items from PST file, then you can go for Kernel PST Reporter tool. The reports which are created by this tool are helpful to analyze and understand PST …

607 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question