All Netlogon content got disappeared

Hi Experts,

For the second time in a month, all files from Netlogon have disappeared. Only domain admins group has write permissions on sysvol tree.

There is no replication issue in place. If I create a file on a DC, it get replicated to others in minutes.

I have 5 sites and 10 DC's.

The first time the problem raised, the folder SCRIPTS itself was removed. This time only the content got removed.

If I copy all files back from backup, they get replicated again without any issue..

I suspected of human errors. Talked to all domain admins and they said nothing was being done by the time the files were removed.

Sysvol is excluded from antivirus scanning.

Object Acess Auditing had been enabled on sysvol folders for deletion. But I couldn't find anything useless in the security logs since it is so huge and from 500.000 entries maybe on or two has some to do with the problem. I don't have any log parser.

I don't think it's a replication issue, since if there is a conflict, the file would get renamed not deleted.

Any idea?

Tks

Rodrigo Garcone
garconerAsked:
Who is Participating?
 
SandeshdubeyConnect With a Mentor Senior Server EngineerCommented:
The netlogon content will not be deleted automatically it seems some one has deleted the same from one server and the same got replicated to other server as well.

I would recommend to enable auditing on the sysvol folder the next time if occurs you will get evidence from which userid it was done.

Reference link:
http://support.microsoft.com/kb/300549
http://www.techrepublic.com/article/step-by-step-how-to-audit-file-and-folder-access-to-improve-windows-2000-pro-security/5034308

0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.