Connecting workstations to Server 2012 Standard after Ransomware

Hi guys,

A client's network has one Server 2012 Standard and several client workstations connected to it via a single domain. This server is the only server on their network, so is also the Domain Controller and DNS server. Over the weekend, the server was attacked by Ransomware which caused all data on it to become encrypted. As no 'fix' for that Ransomware had yet been developed which didn't involve paying, we opted to pull a server image from a local daily backup which is run via Acronis Backup & Restore v11.5. Unfortunately, they'd not been switching daily between their two local backup drives, so the one connected to the machine during the attack, which has the last month's-worth of backups on it, was encrypted. As a side note, I thought Acronis' .TIB files couldn't be encrypted, but that is clearly incorrect (on a machine running Acronis, at very least). Anyway, we restored a backup from July 19th 2016 to the server and got the server back to that point with very little issue.

The current issue, however, is that two users who weren't already logged in (most users don't turn their PCs off or even log off from their session almost ever) are now unable to access the server. The one logged into the domain gets one of the two following error when they try to login:

1. The User Profile Service service failed to login. User profile cannot be loaded.
2. The trust relationship between this workstation and the primary domain failed.

This is a Windows 7 Pro workstation, for what it's worth.

One of the machines, a Windows 10 workstation, is a new machine which was deployed only last week. It was connected to the domain last week but then, when this issue happened, I tried disconnecting it from the domain, restarting the PC and reconnecting. Now, it doesn't reconnect, giving me one of the two messages:

1. The following error occurred attempting to join domain "<domain_name>":   The specified domain either does not exist or could not be contacted.
2. An Active Directory Domain Controller (AD DC) for the domain '<domain_name>" could not be contacted. Ensure the domain name is typed correctly. If the name is correct, click Details for troubleshooting information.

These alternate messages occurred at different times during my attempted fixes on the server. So far, I have attempted the fixes from the following URLs (in order):

http://www.tomshardware.com/faq/id-1943765/windows-server-2012-dns-server-accessible-unable-resolve-dns-queries.html
https://blog.blksthl.com/2013/03/18/fix-the-trust-relationship-between-this-workstation-and-the-primary-domain-failed/
https://redmondmag.com/articles/2014/04/21/domain-trust-issues.aspx

With the new machine, knowing that it wasn't around at the time the Server was restored to, I even tried adding in the Computer name in Active Directory > Users and Computers > Computers, but to no avail. With the other (Windows 7 PC), I even found a solution which suggested that in this same location I find the users PC which was already in the list, right-click on it and select 'Reset Account'. This, too, produced no results.

So, I'm out of my depth and need some assistance - please help. I suspect the fix isn't hard... I just don't know what it is.
Servant-LeggieAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Waahid JoomunCommented:
Hello Sir,

Try to remove the computer in your AD and re join to your domain on both PC. This should fix the problem.

W
Servant-LeggieAuthor Commented:
Waahid Joomun, I have done that EXCEPT FOR removing the computer first, which sounds like the important part. I will go ahead and do that and will let you know how I go.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
David Johnson, CD, MVPOwnerCommented:
For what it's worth,  you should adjust the permissions on your backup locations so that ONLY the account that Acronis is using should have read/write/modify permissions.  Administrators don't need access, Users definitely don't need access. That or do a mount share / backup / dismount share. Or have a machine that you can set the bios or send a WOL magic packet so the machine that holds the backup share starts, do your agent scheduled backups, upon completion do an automated shutdown of the machine. This will decrease your exposure time

Ransomware will encrypt ANY file that the miscreant thinks is valuable. We relied on shadow copies, they now delete shadow copies, they only went after common file types i.e. Office Documents and Image Files.. Backup's were "safe" now they also target common backup file extensions as well.
Servant-LeggieAuthor Commented:
Thanks Waahid Joomun, this worked a treat! Sorry for my slow reply.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows 10

From novice to tech pro — start learning today.