• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 567
  • Last Modified:

Move Domain Information From One SBS 2003 Image to Another

Hello Experts,

We have a client whose server running Small Business Server 2003 recently got infected. We cleaned it off, but it looks like there is some corruption and a reload may be in order. What I'm wondering is if there is a way to get another server running Server 2003 Standard and AD and set it up as a GC so it gets all the information from that domain, and then use that to push it to another server running SBS. Basically I want to see if it's possible to reload the server without having to completely remove and rejoin every computer, move over all the profiles, etc.
1 Solution

Will Szymkowski, Senior Solution Architect, commented:

Was this the only DC in the environment? If it was, then you can restore the DC using an image backup (Acronis etc.) to recover this machine before it was infected. You can only use this method if this DC was the only DC in the environment.

You can also rebuild the DC using 2003 Standard and then do a System State restore to this DC, if it is the only DC in the environment.

If you have another DC in your environment that is not infected, it is recommended to seize the roles to the DC that is online and decommission the other DC as necessary.

Seizing FSMO Roles: http://technet.microsoft.com/en-us/library/cc816779(v=ws.10).aspx

This also includes cleaning up the metadata.
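The seizure itself is done with ntdsutil as described in the linked TechNet article. The script below is an added example, not part of this thread or of any Microsoft documentation; it only verifies the outcome. It reports who holds each FSMO role and which domain controllers still have server objects in the forest, so that a role still pointing at the infected DC, or a leftover server object after metadata cleanup, is caught before the old machine is wiped. It uses only the .NET System.DirectoryServices.ActiveDirectory classes, which are present on Windows Server 2003 without the later ActiveDirectory PowerShell module. The DC name "OLD-SBS-DC" is an assumed placeholder.

```powershell
# Added example (not from the thread): verify FSMO seizure and metadata cleanup.
# Run on a healthy, domain-joined DC as a member of Domain Admins.
param(
    [string]$DecommissionedDc = "OLD-SBS-DC"   # assumed placeholder: the infected DC
)

Add-Type -AssemblyName System.DirectoryServices

$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

# Two forest-wide roles and three domain-wide roles, each resolved to the DC that holds it.
$roles = @{
    "Schema master"         = $forest.SchemaRoleOwner.Name
    "Domain naming master"  = $forest.NamingRoleOwner.Name
    "PDC emulator"          = $domain.PdcRoleOwner.Name
    "RID master"            = $domain.RidRoleOwner.Name
    "Infrastructure master" = $domain.InfrastructureRoleOwner.Name
}

"FSMO role holders:"
$roles.GetEnumerator() | Sort-Object Name | ForEach-Object {
    "  {0,-22} {1}" -f $_.Key, $_.Value
}

# Any role still attributed to the decommissioned DC means the seizure did not take effect.
$stale = $roles.GetEnumerator() | Where-Object { $_.Value -like "$DecommissionedDc*" }
if ($stale) {
    $names = ($stale | ForEach-Object { $_.Key }) -join ", "
    Write-Warning "Roles still held by ${DecommissionedDc}: $names"
}

# Metadata check: after ntdsutil metadata cleanup the old DC must no longer have an
# NTDS server object in any site. Remaining objects are listed for review.
$servers = $forest.Sites | ForEach-Object { $_.Servers } | ForEach-Object { $_.Name }
"Domain controllers registered in the forest:"
$servers | ForEach-Object { "  $_" }
if ($servers -like "$DecommissionedDc*") {
    Write-Warning "$DecommissionedDc still has a server object; metadata cleanup is incomplete."
}
```

If both warnings stay silent, the remaining DC owns all five roles and the infected machine is gone from the directory; DNS records and the old computer account are still worth checking by hand, since this script does not cover them.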

Cliff Galiher commented:
The only way to preserve AD is to do a new install of SBS in migration mode. You will literally have to go through a migration, just as if you were migrating to 2008 or 2011. This is because of the SBS restrictions on domain trusts. The only way to get SBS to join an existing domain is during the install and that must be done in migration mode.

That is the technical answer. Now for the "real" answer (in my opinion.)

Once a domain controller has been infected, the domain is no longer trustworthy. The SAM database has been compromised. Reversing password hashes is not particularly difficult for most 2003 era domains. Plus there are a lot of other AD underpinnings that are in play as well. This is why the DC is the holy grail of a network and most Microsoft guidance is *do not run applications on your domain controllers.*

A compromised server is easy to rebuild. A compromised domain controller usually means rebuilding the domain.

That means building up a new domain. Creating new users. Copying over the data and resetting ACLs. Exporting and importing mailboxes. And disjoining member servers and client machines from the old domain and joining them to the new domain.

Is it a lot of work? Yes. Is it disruptive? Yes. Is it avoidable? In my opinion, no. Once a DC has been compromised, this is the *only* safe way to protect yourself from future attacks based on information gathered (or planted) while the DC was compromised. There just is no substitute.
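One of the steps listed above, copying the data over and resetting ACLs, has a security detail that is easy to get wrong: a file copy that preserves security descriptors carries the old domain's SIDs, and with them any permissions that were granted while the DC was compromised, onto the rebuilt server. The script below is an added example, not code from this thread or from Microsoft; it copies a share into the new domain without its security descriptors, applies a fresh ACL built only from new-domain groups, and takes ownership so no object is left owned by an old-domain SID. The paths and group names are assumed placeholders.

```powershell
# Added example (not from the thread): migrate a data share into the rebuilt
# domain without carrying over the compromised domain's ACLs.
# Run on the new server as a member of the new domain's Domain Admins.
param(
    [string]$Source      = "\\OLD-SBS-DC\Company",     # assumed: share on the old domain
    [string]$Destination = "D:\Shares\Company",        # assumed: path on the rebuilt server
    [string]$OwnerGroup  = "NEWDOMAIN\Domain Admins",  # assumed new-domain group
    [string]$UserGroup   = "NEWDOMAIN\Company Staff"   # assumed new-domain group
)

# Create the destination and give it a clean ACL before anything is copied in,
# so every copied object inherits new-domain permissions only.
New-Item -ItemType Directory -Path $Destination -Force | Out-Null
& icacls.exe $Destination /inheritance:r
& icacls.exe $Destination /grant:r "${OwnerGroup}:(OI)(CI)F" "${UserGroup}:(OI)(CI)M" "SYSTEM:(OI)(CI)F"
if ($LASTEXITCODE -ne 0) { throw "icacls failed to set the destination ACL" }

# /COPY:DAT copies Data, Attributes and Timestamps only. Security (S), Owner (O)
# and Auditing (U) are deliberately left out so old-domain SIDs never land here.
# /XJ skips junctions; /E includes empty subdirectories.
$robocopyArgs = @($Source, $Destination, "/E", "/COPY:DAT", "/XJ",
                  "/R:2", "/W:5", "/LOG+:$env:TEMP\migrate-company.log")
& robocopy.exe @robocopyArgs
# robocopy exit codes 0-7 are success variants; 8 and above mean copy failures.
if ($LASTEXITCODE -ge 8) { throw "robocopy reported failures, exit code $LASTEXITCODE" }

# Ownership is not copied either, but set it explicitly on the whole tree so the
# owner field can be audited as a new-domain principal.
& icacls.exe $Destination /setowner $OwnerGroup /T /C
if ($LASTEXITCODE -ne 0) { throw "icacls failed to set ownership on the tree" }

# Report any ACE on the tree that still references a SID rather than a resolvable
# name; an unresolved S-1-5-21-... entry would be a leftover from the old domain.
& icacls.exe "$Destination\*" /T /C | Select-String -Pattern "S-1-5-21-"
```

The last line is the check to keep: after the copy and ownership pass, icacls should resolve every principal to a NEWDOMAIN name, and any raw S-1-5-21 SID in its output points at a permission that was carried over from the old domain and should be removed before users are pointed at the share.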
ctagle (Author) commented:

As much as I don't like it, that was my thinking as well. I guess I just needed someone to reaffirm it, lol. Thank you for the information.