Connecting workstations to Server 2012 Standard after Ransomware

Posted on 2016-08-22
Last Modified: 2016-10-27
Hi guys,

A client's network has one Server 2012 Standard and several client workstations connected to it via a single domain. This server is the only server on their network, so it is also the Domain Controller and DNS server. Over the weekend, the server was attacked by Ransomware which caused all data on it to become encrypted. As no 'fix' for that Ransomware had yet been developed which didn't involve paying, we opted to pull a server image from a local daily backup which is run via Acronis Backup & Restore v11.5. Unfortunately, they'd not been switching daily between their two local backup drives, so the one connected to the machine during the attack, which has the last month's worth of backups on it, was encrypted. As a side note, I thought Acronis' .TIB files couldn't be encrypted, but that is clearly incorrect (on a machine running Acronis, at the very least). Anyway, we restored a backup from July 19th 2016 to the server and got the server back to that point with very little issue.

The current issue, however, is that two users who weren't already logged in (most users don't turn their PCs off or even log off from their session almost ever) are now unable to access the server. The one logged into the domain gets one of the two following errors when they try to log in:

1. The User Profile Service service failed to login. User profile cannot be loaded.
2. The trust relationship between this workstation and the primary domain failed.

This is a Windows 7 Pro workstation, for what it's worth.

One of the machines, a Windows 10 workstation, is a new machine which was deployed only last week. It was connected to the domain last week but then, when this issue happened, I tried disconnecting it from the domain, restarting the PC and reconnecting. Now, it doesn't reconnect, giving me one of the two messages:

1. The following error occurred attempting to join domain "<domain_name>": The specified domain either does not exist or could not be contacted.
2. An Active Directory Domain Controller (AD DC) for the domain "<domain_name>" could not be contacted. Ensure the domain name is typed correctly. If the name is correct, click Details for troubleshooting information.

These alternate messages occurred at different times during my attempted fixes on the server. So far, I have attempted the fixes from the following URLs (in order):

http://www.tomshardware.com/faq/id-1943765/windows-server-2012-dns-server-accessible-unable-resolve-dns-queries.html
https://blog.blksthl.com/2013/03/18/fix-the-trust-relationship-between-this-workstation-and-the-primary-domain-failed/
https://redmondmag.com/articles/2014/04/21/domain-trust-issues.aspx

With the new machine, knowing that it wasn't around at the time the Server was restored to, I even tried adding in the Computer name in Active Directory > Users and Computers > Computers, but to no avail. With the other (Windows 7 PC), I even found a solution which suggested that in this same location I find the user's PC which was already in the list, right-click on it and select 'Reset Account'. This, too, produced no results.

So, I'm out of my depth and need some assistance - please help. I suspect the fix isn't hard... I just don't know what it is.
Question by:Servant-Leggie
4 Comments
 

Expert Comment

by:Waahid Joomun
ID: 41766439
Hello Sir,

Try to remove the computer in your AD and rejoin it to your domain on both PCs. This should fix the problem.

W
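The symptoms in the question (domain not contactable, then trust relationship failed) map to a DNS check followed by a machine-account secure channel check, with the remove-and-rejoin above as the fallback. The following is an added example, not code from the thread or from any of its participants; it assumes PowerShell 3.0 or later on the workstation, and `<domain_name>` and `<workstation_name>` are placeholders.

```powershell
# Added example (not part of this thread): diagnose and repair a workstation whose
# trust with the domain broke after the only DC was restored from an older backup.
# Run in an elevated PowerShell session on the affected workstation.
# $Domain is a placeholder for the client's AD domain name.
$Domain = "<domain_name>"

# Step 1: "domain could not be contacted" is usually DNS. This DC is also the only
# DNS server, so the NIC must point at it, and the DC locator SRV record must resolve.
ipconfig /all | Select-String "DNS Servers"
nslookup -type=SRV "_ldap._tcp.dc._msdcs.$Domain"

# Step 2: test the machine-account secure channel. Workstations rotate their machine
# password every 30 days by default; a DC restored from a July image still holds the
# old password, so a workstation that rotated since then fails this test (returns False).
if (Test-ComputerSecureChannel -Verbose) {
    Write-Host "Secure channel is healthy; look elsewhere (profile, time skew, DNS)."
    return
}

# Step 3: repair in place. -Repair resets the machine account password on both the
# workstation and the DC, so no unjoin/rejoin and no loss of cached profiles is needed.
$Cred = Get-Credential -Message "Domain admin account for $Domain"
if (Test-ComputerSecureChannel -Repair -Credential $Cred) {
    Write-Host "Secure channel repaired. Restart, then log on with the domain account."
    Restart-Computer -Confirm
    return
}

# Step 4: fall back to the accepted answer: leave the domain, delete the stale computer
# object on the DC, then rejoin so a fresh computer account is created.
Remove-Computer -UnjoinDomainCredential $Cred -WorkgroupName "WORKGROUP" -Force -Restart
# After the restart, on the DC (ActiveDirectory module):
#   Remove-ADComputer -Identity "<workstation_name>" -Confirm:$false
# then back on the workstation:
#   Add-Computer -DomainName $Domain -Credential $Cred -Restart -Force
```

Step 3 is worth trying before step 4 because a rejoin with a deleted computer object gives the machine a new SID relationship and can leave users with the "User Profile Service failed" error, whereas a secure-channel repair keeps existing profiles intact.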

Accepted Solution

by:
Servant-Leggie earned 0 total points
ID: 41766807
Waahid Joomun, I have done that EXCEPT FOR removing the computer first, which sounds like the important part. I will go ahead and do that and will let you know how I go.

Expert Comment

by:David Johnson, CD, MVP
ID: 41767537
For what it's worth, you should adjust the permissions on your backup locations so that ONLY the account that Acronis is using has read/write/modify permissions. Administrators don't need access, Users definitely don't need access. That or do a mount share / backup / dismount share. Or have a machine that you can set the BIOS on or send a WOL magic packet to, so the machine that holds the backup share starts, do your agent scheduled backups, and upon completion do an automated shutdown of the machine. This will decrease your exposure time.

Ransomware will encrypt ANY file that the miscreant thinks is valuable. We relied on shadow copies; they now delete shadow copies. They only went after common file types, i.e. Office documents and image files. Backups were "safe"; now they also target common backup file extensions as well.
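As an added example (not code from the thread or from Acronis), the PowerShell below applies the advice above to a backup folder: it breaks inheritance, strips the default Users/Administrators entries and grants only a dedicated backup account. The path and account name are placeholders, and it assumes the Acronis agent has been configured to run as that account.

```powershell
# Added example (not part of this thread): restrict an Acronis backup folder so that only
# the account the backup agent runs as can read or write the .TIB files.
# Path and account name are placeholders. Run as a local administrator on the backup host.
$BackupPath    = "E:\AcronisBackups"
$BackupAccount = "<domain_name>\svc_acronis"

$acl = Get-Acl -Path $BackupPath

# Stop inheriting the volume's default ACL (which grants Users read and Administrators
# full control) without copying the inherited entries down onto this folder.
$acl.SetAccessRuleProtection($true, $false)

# Drop every remaining explicit entry, then grant only the backup account.
foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRuleAll($ace) }

$ruleArgs = @(
    $BackupAccount,
    "Modify",                           # read, write, delete; not "change permissions"
    "ContainerInherit, ObjectInherit",  # apply to existing and future subfolders and files
    "None",
    "Allow"
)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ruleArgs
$acl.AddAccessRule($rule)
Set-Acl -Path $BackupPath -AclObject $acl

# Verification: list any principal other than the backup account that still has access.
function Get-UnexpectedBackupAccess {
    param([string]$Path, [string]$Allowed)
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value -ne $Allowed } |
        Select-Object IdentityReference, FileSystemRights, IsInherited
}
Get-UnexpectedBackupAccess -Path $BackupPath -Allowed $BackupAccount   # expect no output

# Caveat: a process running as Administrator can still take ownership of the folder and
# re-grant itself access, so this mainly stops ransomware running in an ordinary user's
# session; the offline second-drive rotation discussed in the question covers the rest.
```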

Author Closing Comment

by:Servant-Leggie
ID: 41793902
Thanks Waahid Joomun, this worked a treat! Sorry for my slow reply.
