Solved

Connecting workstations to Server 2012 Standard after Ransomware

Posted on 2016-08-22
4
34 Views
Last Modified: 2016-10-27
Hi guys,

A client's network has one Server 2012 Standard and several client workstations connected to it via a single domain. This server is the only server on their network, so is also the Domain Controller and DNS server. Over the weekend, the server was attacked by Ransomware which caused all data on it to become encrypted. As no 'fix' for that Ransomware had yet been developed which didn't involve paying, we opted to pull a server image from a local daily backup which is run via Acronis Backup & Restore v11.5. Unfortunately, they'd not been switching daily between their two local backup drives, so the one connected to the machine during the attack, which has the last month's-worth of backups on it, was encrypted. As a side note, I thought Acronis' .TIB files couldn't be encrypted, but that is clearly incorrect (on a machine running Acronis, at very least). Anyway, we restored a backup from July 19th 2016 to the server and got the server back to that point with very little issue.

The current issue, however, is that two users who weren't already logged in (most users don't turn their PCs off or even log off from their session almost ever) are now unable to access the server. The one logged into the domain gets one of the two following error when they try to login:

1. The User Profile Service service failed to login. User profile cannot be loaded.
2. The trust relationship between this workstation and the primary domain failed.

This is a Windows 7 Pro workstation, for what it's worth.

One of the machines, a Windows 10 workstation, is a new machine which was deployed only last week. It was connected to the domain last week but then, when this issue happened, I tried disconnecting it from the domain, restarting the PC and reconnecting. Now, it doesn't reconnect, giving me one of the two messages:

1. The following error occurred attempting to join domain "<domain_name>":   The specified domain either does not exist or could not be contacted.
2. An Active Directory Domain Controller (AD DC) for the domain '<domain_name>" could not be contacted. Ensure the domain name is typed correctly. If the name is correct, click Details for troubleshooting information.

These alternate messages occurred at different times during my attempted fixes on the server. So far, I have attempted the fixes from the following URLs (in order):

http://www.tomshardware.com/faq/id-1943765/windows-server-2012-dns-server-accessible-unable-resolve-dns-queries.html
https://blog.blksthl.com/2013/03/18/fix-the-trust-relationship-between-this-workstation-and-the-primary-domain-failed/
https://redmondmag.com/articles/2014/04/21/domain-trust-issues.aspx

With the new machine, knowing that it wasn't around at the time the Server was restored to, I even tried adding in the Computer name in Active Directory > Users and Computers > Computers, but to no avail. With the other (Windows 7 PC), I even found a solution which suggested that in this same location I find the users PC which was already in the list, right-click on it and select 'Reset Account'. This, too, produced no results.

So, I'm out of my depth and need some assistance - please help. I suspect the fix isn't hard... I just don't know what it is.
0
Comment
Question by:Servant-Leggie
  • 2
4 Comments
 

Expert Comment

by:Waahid Joomun
ID: 41766439
Hello Sir,

Try to remove the computer in your AD and re join to your domain on both PC. This should fix the problem.

W
0
 

Accepted Solution

by:
Servant-Leggie earned 0 total points
ID: 41766807
Waahid Joomun, I have done that EXCEPT FOR removing the computer first, which sounds like the important part. I will go ahead and do that and will let you know how I go.
0
 
LVL 79

Expert Comment

by:David Johnson, CD, MVP
ID: 41767537
For what it's worth,  you should adjust the permissions on your backup locations so that ONLY the account that Acronis is using should have read/write/modify permissions.  Administrators don't need access, Users definitely don't need access. That or do a mount share / backup / dismount share. Or have a machine that you can set the bios or send a WOL magic packet so the machine that holds the backup share starts, do your agent scheduled backups, upon completion do an automated shutdown of the machine. This will decrease your exposure time

Ransomware will encrypt ANY file that the miscreant thinks is valuable. We relied on shadow copies, they now delete shadow copies, they only went after common file types i.e. Office Documents and Image Files.. Backup's were "safe" now they also target common backup file extensions as well.
0
 

Author Closing Comment

by:Servant-Leggie
ID: 41793902
Thanks Waahid Joomun, this worked a treat! Sorry for my slow reply.
0

Featured Post

Simplifying Server Workload Migrations

This use case outlines the migration challenges that organizations face and how the Acronis AnyData Engine supports physical-to-physical (P2P), physical-to-virtual (P2V), virtual to physical (V2P), and cross-virtual (V2V) migration scenarios to address these challenges.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

You may have a outside contractor who comes in once a week or seasonal to do some work in your office but you only want to give him access to the programs and files he needs and keep privet all other documents and programs, can you do this on a loca…
A quick guide on how to use Group Policy to create a custom power plan and set it active on Windows 7.
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
The viewer will learn how to successfully create a multiboot device using the SARDU utility on Windows 7. Start the SARDU utility: Change the image directory to wherever you store your ISOs, this will prevent you from having 2 copies of an ISO wit…

803 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question