rpmaps asked:
Server 2008 R2 Image Restore to Dell Perc H710

I have a Dell PowerEdge T320 running Windows Server 2008 R2 with a Perc H710 in RAID 1 that got hit with ransomware. I wanted to restore a clean image that was created with Active@ Disk Image. Using Active@ Boot Disk the restore completed successfully. Upon booting up I get a "Windows failed to start... Status: 0xc000000e Info: The boot selection failed because a required device is inaccessible."

I restarted the computer with the Server 2008 R2 DVD and clicked "Repair Your Computer". No operating system was listed, so I continued on to the command prompt. Under X:\Sources I tried running bcdedit but the file was not found. I then tried x:\sources\recovery\StartRep.exe but that was unable to repair. I then ran DISKPART> List vol and the only volume that was found was the DVD.

I rebooted the server using Active@ Boot Disk and opened a command prompt.   From there I was able to see all of my data including:

C:  Recover
D:  Datapart2
E:  Datapart
F:  OS
G:  DVD

I am assuming that all I need to do is repair the bootmgr so Windows knows where to find the OS, but I am lost as to how.

rpmaps (ASKER):

Follow up:

Under system recovery options I loaded the drivers for the Perc H710 and was able to find my Windows Server 2008 R2 under (H:) OS. I was then able to run x:\sources\bcdedit. It listed my Boot Manager as partition=F: and Boot Loader as partition=H:

I then ran x:\sources\recovery\StartRep.exe but again was told that Windows could not repair this computer automatically.

arnold:

Do you have a boot on c:\?
You need to use both bcdedit and bootrec to reconstruct the boot.
Is the system configured as UEFI boot or BIOS boot? If UEFI, double check it points to ...

Check the PERC config to make sure the disk on which the OS resides is marked as the boot volume.
Hi,
If I were in your situation, I would do this.
I believe you have a full backup?
Install the OS fresh, then restore the data.
SOLUTION (Davis McCarn; text available to members only)

rpmaps (ASKER):
Davis: What I have is a "hidden" OEMDRV which contains BCRaidInject.vbs. Is this the EFI System Partition?
Active@DiskImage had been set up to do a full Disk to Image backup which included all physical drives and partitions. When I did the restore, I did a complete Image to Disk which included all drives and partitions, keeping them the same size and location. After the restore I used the explorer contained in Active@Boot and was able to see all of the drives/files/folders, but the computer wouldn't boot.

Since my original post, upon advice from Dell Pro Enterprise Support, using the Dell Lifecycle Controller I installed a fresh copy of Server 2008 R2 onto the OS partition, leaving the other partitions intact. The server successfully rebooted to the new OS. I could see that my original data partitions were still intact. Now that the computer was properly booting the OS, I used Active@DiskImage to restore ONLY the OS partition. That brought me back to square one with a system that would not boot.

As I sit here at 1:02 PM (Eastern) I have again reinstalled a fresh copy of Server 2008 R2 and was expecting to rebuild it from scratch with AD, DNS etc. and reinstall all of my programs. I NEED to have this system up and running by this evening as the office expects a busy day tomorrow. If you can walk me through a possible solution which would save me the trouble of the rebuild, I would be grateful.

rpmaps (ASKER):

Under system setup, Boot Mode is handled by BIOS. It further states that the two virtual drives are handled by BIOS. The H710 Configuration Utility lists the State as Optimal.
Did you try running startup repair from the server 2008 installation disc after you restored the OS partition?
rpmaps (ASKER):

YES... same results: could not repair automatically.
What does the system do, what functions?
Some applications do not support imaging; unfortunately, it seems that prior to the current attempts you had not checked whether the imaging/restore works.

Are you able to reinstall the applications on the reinstalled OS, and restore just the data from the image?

Bootrec/bcdedit in combination restore booting, along with the active bit on the first (boot) drive.

The difficulty: usually the OS is on C:. It will run on another letter, but often the /boot will be on the primary boot drive, which might correspond with the volume where the c:\ partition is.

How certain are you that the image is pre-ransomware compromise?
Do you have another backup of the data using Windows Backup?
Try restoring the other partitions from image.
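The bootrec/bcdedit sequence arnold describes, written out as an added example that is not from this thread or from Dell/Active@. It assumes BIOS boot (as the system setup reported) and the WinRE drive letters rpmaps saw (boot manager on F:, OS on H:); the driver path and the disk/partition numbers are placeholders to be replaced with what diskpart shows.

```batch
@echo off
REM Added example, not from this thread. Run in the WinRE command prompt reached from
REM the Server 2008 R2 DVD ("Repair Your Computer" -> Command Prompt). BIOS boot is
REM assumed. Drive letters F: (boot manager) and H: (OS) are what rpmaps reported from
REM WinRE; WinRE assigns letters differently from the running OS, so verify them first.

REM 1. Load the PERC H710 driver so WinRE can see the RAID 1 virtual disk at all.
REM    Path and .inf name are placeholders for the driver from Dell's support download.
drvload X:\drivers\percsas2\percsas2.inf

REM 2. Confirm which volume holds \Windows and which holds \Boot\BCD.
echo list volume > X:\vols.txt
diskpart /s X:\vols.txt
dir H:\Windows\System32\winload.exe
dir F:\Boot\BCD

REM 3. Mark the partition that will carry bootmgr as active: BIOS firmware only hands
REM    off to the active partition of the boot disk. Disk/partition numbers are
REM    placeholders; read the real ones from the diskpart output above.
(
  echo select disk 0
  echo select partition 1
  echo active
) > X:\active.txt
diskpart /s X:\active.txt

REM 4. Rewrite the MBR and the partition boot sector with current Windows boot code.
bootrec /fixmbr
bootrec /fixboot

REM 5. Regenerate bootmgr and a fresh BCD on F: from the restored OS on H:.
REM    A full-disk restore can change the disk signature the old BCD's device entries
REM    were bound to, which is the usual cause of 0xc000000e "required device is
REM    inaccessible"; rebuilding the store re-binds it to the disk as it is now.
bcdboot H:\Windows /s F:

REM 6. Verify: {bootmgr} device and the OS entry's device/osdevice must both name
REM    partitions that exist, then reboot with the DVD removed.
bcdedit /store F:\Boot\BCD /enum all
```

If bcdboot is unavailable, `bootrec /rebuildbcd` followed by `bcdedit /store F:\Boot\BCD /set {default} device partition=H:` and the same for `osdevice` achieves the re-binding manually.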
rpmaps (ASKER):

I have been able to do successful Active@Disk Image restores to other Dell servers with RAID 1, but this is my first attempt with the Perc H710.

What I am doing now is just as you were describing: with the reinstalled OS, I have reconfigured my features and roles and am now reinstalling my applications. I will then import my data.

The ransomware was ZEPTO. At 8:41 AM an email came to the receptionist with an attachment for a voice mail. When she couldn't open it on her workstation she asked another employee to try it on her workstation. The 2nd workstation opened it at 8:43 AM. Every application they used since that point had scattered ZEPTO files, including files they accessed from the server. All ZEPTO files had a date stamp of 8:41 and 8:43. Since it also affected files on the server's OS partition under Program Files (x86), I felt that it would be best to start with a fresh backup. The backup that I was using was from the previous night.

ASKER CERTIFIED SOLUTION:
Zepto is a derivative of Locky and encrypts:

Office/Document files (62x): .123, .602, .CSV, .dif, .DOC, .docb, .docm, .docx, .DOT, .dotm, .dotx, .hwp, .mml, .odg, .odp, .ods, .odt, .otg, .otp, .ots, .ott, .pdf, .pot, .potm, .potx, .ppam, .pps, .ppsm, .ppsx, .PPT, .pptm, .pptx, .RTF, .sldm, .sldx, .slk, .stc, .std, .sti, .stw, .sxc, .sxd, .sxi, .sxm, .sxw, .txt, .uop, .uot, .wb2, .wk1, .wks, .xlc, .xlm, .XLS, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml

Scripts/Source codes (23x): .asm, .asp, .bat, .brd, .c, .class, .cmd, .cpp, .cs, .dch, .dip, .h, .jar, .java, .js, .pas, .php, .pl, .rb, .sch, .sh, .vb, .vbs

Media files (20x): .3g2, .3gp, .asf, .avi, .fla, .flv, .m3u, .m4u, .mid, .mkv, .mov, .mp3, .mp4, .mpeg, .mpg, .swf, .vob, .wav, .wma, .wmv

Graphic/Image files (14x): .bmp, .cgm, .djv, .djvu, .gif, .jpeg, .jpg, .NEF, .png, .psd, .raw, .svg, .tif, .tiff

Database files (14x): .db, .dbf, .frm, .ibd, .ldf, .mdb, .mdf, .MYD, .MYI, .odb, .onenotec2, .sql, .SQLITE3, .SQLITEDB

Archives (11x): .7z, .ARC, .bak, .gz, .PAQ, .rar, .tar, .bz2, .tbk, .tgz, .zip

CAD/CAM/3D files (8x): .3dm, .3ds, .asc, .lay, .lay6, .max, .ms11, .ms11 (Security copy)

Certificates (5x): .crt, .csr, .key, .p12, .pem

Virtual HDD (4x): .qcow2, .vdi, .vmdk, .vmx

Data encryption (2x): .aes, .gpg

Virtual currency (1x): wallet.dat

But unless folks were RDP'ing into the server with high level privileges, the files in C:\Program Files on the server should not have been affected. This makes me think that that "previous night's" backup was already infected, somehow, and may be the source of your problem.
Supposedly, Disk Image will let you inspect the contents of its backups. Have you checked to see there is no evidence of ZEPTO in the backup you are restoring? Or, did you think of trying the night before?
P.S. The PERC controller, IMHO, has nothing to do with the problem unless it needs special drivers loaded, in which case you need to load them before you try startup repair.
rpmaps (ASKER):

There was no RDP'ing and the users are under Domain Users privileges. The particular Program Files (x86) folder was not even shared, which surprised me that it was hit. The program was PowerPay, which resides on the server but is integrated into practice management software.

I did explore the image file and there were no signs of ZEPTO files.
rpmaps (ASKER):

Arnold: You may be onto something there. It seems that with so many partitions being restored Windows didn't know where to go for the OS. That is where I was hoping the Startup Repair would have come in. Since I was restoring to the same hard drive configuration, I thought it would be best to do one restore with options to restore to the same location with the same partition sizes. Next time (hopefully not soon) I will try a more targeted restoration.

Bottom line: after a full weekend blown, the server is up and running with a fresh OS and applications. Good news is no data was lost.

Thanks for all of the input.