Asked by fredimac
SYSVOL & NETLOGON Corrupted after ransomware and original DC corrupted - Need Assistance with recovery order

I had this question after viewing SYSVOL corrupted.

I have a server that was fully corrupted by ransomware without a good restore option available.

I now know I need to rebuild the NETLOGON and SYSVOL shares from scratch and plan to do that per this article:
https://support.microsoft.com/en-us/help/290762/using-the-burflags-registry-key-to-reinitialize-file-replication-servi

I also know I need manually seize the roles and remove the old DC:
https://community.spiceworks.com/how_to/9942-complete-force-removal-of-a-domain-controller-from-active-directory-guide

The question I have is:

Which to do first?   I imagine I need to fix the shares first as they are required for proper AD operation, though I fear that will fail due to the lingering DC.  

Perhaps someone here has done this before?

Thanks in Advance,
Fred
Cliff Galiher:

You can't simply repair the shares. If something was able to get write access to the domain controller, which is the only way ransomware could corrupt those shares, and you had no pre-compromised backup, the domain is toast. You are rebuilding the domain from scratch, not just repairing the shares.
fredimac (asker):

As far as I can tell, the only thing that was affected was the NETLOGON and SYSVOL files.

Can you be a bit more specific about why you think the whole domain is toast?  

Is it just a loop I am in that I can't fix a missing DC with broken shares and I can't fix the broken FRS shares with the missing DC?  

Thanks,
Fred
Sysvol is how DCs replicate. So corruption in sysvol basically is a corrupted domain.

But more importantly, the only way to corrupt them is to have write access on a domain controller. Which means other things could also have been written...and replicated.

There is a reason why domain controllers are considered high priority for protection, are high priority targets, and why domain admin credentials should be given sparingly, used even more sparingly, and why so much effort is put into hardening those systems.

And why backups are important.

None of that seems to have happened here, and yes that means rebuilding.

It is kind of like slamming a car into a tree at 120mph and then asking how to fix a scratch on the rear passenger door.  The car is still totalled.

Also, to be clear, an old DC had its files encrypted.  A new DC received SYSVOL and NETLOGON files during replication.  There are no other encrypted files anywhere on the new DC other than SYSVOL and NETLOGON.

But sysvol is where the entire AD database lives. So when you say they "only are corrupt", that is still a corruption of everything that makes a DC what it is. So...yeah, your domain is toast.

My question still stands then:  

Should I attempt an authoritative restore via the BurFlags method before manually removing the old DC or the other way around?
Neither.  Burflags are used to address a very specific scenario where replication is broken. What you described is not broken replication. The data got corrupted, but that corrupted data replicated just fine. So the order you do things won't make a difference. Without a backup, you have no good copies of the data to restore.
Please review the contents of this request.   It seems to have worked for this person:
https://www.experts-exchange.com/questions/29002511/SYSVOL-corrupted.html

Remove the old compromised domain controller from the network, seize (ntdsutil) the roles, and go through the process of setting up sysvol/netlogon.

Note that you either do it right now, or go through this process as you intend and repeat it down the line, since, as Cliff has pointed out on three separate occasions, your entire AD might be completely compromised, i.e. the DC you think is not compromised might be, but has not shown any manifestation of that issue yet.
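
The order described in the post above, written out as an added PowerShell example for the surviving DC (this is not code from the thread or from any of the linked articles). All names are placeholder assumptions: NEWDC is the surviving DC, OLDDC the encrypted one, the site is Default-First-Site-Name and the domain corp.example.com. The last step is the BurFlags change from the linked KB article, kept behind the two checks a practitioner would want first: that SYSVOL is still on FRS at all (BurFlags does nothing once SYSVOL is on DFSR), and that the files on disk are known-good, because the flag only republishes whatever is already there.

```powershell
# Added example, not from the thread. Placeholder names (assumed): NEWDC = surviving DC,
# OLDDC = encrypted DC, site Default-First-Site-Name, domain corp.example.com.
# Run elevated as Domain Admin on NEWDC, after OLDDC is physically off the network.
Import-Module ActiveDirectory

$NewDc   = 'NEWDC'
$OldDcDn = 'CN=OLDDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=example,DC=com'

# 1. Who holds the five FSMO roles right now? Anything still on OLDDC must be seized.
Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster

# 2. Seize, not transfer: -Force takes the roles without contacting the current holder.
#    A plain transfer would wait on OLDDC and fail.
Move-ADDirectoryServerOperationMasterRole -Identity $NewDc -Force -Confirm:$false `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster

# 3. Metadata cleanup: remove OLDDC's server and NTDS Settings objects so the KCC and
#    the SYSVOL replication engine stop waiting on a partner that will never return.
ntdsutil "metadata cleanup" "remove selected server $OldDcDn" quit quit

# 4. Confirm OLDDC is gone and every role sits on NEWDC before touching SYSVOL.
Get-ADDomainController -Filter * | Select-Object Name, Site, OperationMasterRoles
repadmin /replsummary

# 5. Which engine replicates SYSVOL? BurFlags (KB 290762) is an FRS mechanism.
#    'Eliminated' here means SYSVOL is already on DFSR and BurFlags is irrelevant.
dfsrmig /getglobalstate

# 6. Only if SYSVOL is on FRS AND the files under it are known-good (a restore, or a
#    copy you trust): mark the sole remaining replica authoritative (D4). This republishes
#    what is on disk; it cannot turn encrypted files back into GPOs.
$burKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'
Stop-Service NtFrs
Set-ItemProperty -Path $burKey -Name BurFlags -Value 0xD4 -Type DWord
Start-Service NtFrs

# 7. Wait for FRS to report the share ready (13516) or the replica set joined (13553/13554).
Get-WinEvent -LogName 'File Replication Service' -MaxEvents 20 |
    Where-Object Id -in 13516, 13553, 13554 |
    Select-Object TimeCreated, Id, Message
```

Steps 1 to 4 are safe in any case and answer the ordering question: the dead DC comes out first, so that nothing in step 6 waits on it. Step 6 is where the thread's warning applies; with no clean copy of SYSVOL there is nothing for it to republish.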
I suppose the alternative is to remove AD and reinstall, re-add users and un-join / re-join all workstations to the domain.

Going forward there will be only one DC and they use almost no GPOs so ...  it might be worth it to try the fix first, then do the full Domain rebuild if need be.   I really don't think the ransomware is on the DC.  It was clearly on the old server and hit others just via Shares.

In the case of this client, the backup repository was encrypted as well due to a forgotten mapped drive.

sysvol/netlogon hit means the account compromised by ransomware was administrative.
Hey, its your decision and your time spent.

If you've not backed up the documents from the shares as of yet, you should do that first thing and make sure that data does not contain the virus/worm/compromised download.

Another post here had the use of csvde to export the user accounts.

" I really don't think the ransomware is on the DC.  It was clearly on the old server and hit others just via Shares."

It was on a machine with DOMAIN ADMIN credentials. It could not have corrupted the shares on other machines without them. Once it had the credentials, it could inject code whenever and however it wanted.

But that is all still beside the point. The procedure you want to do simply doesn't apply to your situation. To use another analogy, you have a broken leg and are asking the doctor to perform heart surgery to fix it. That just isn't how things work.

You've now had a second expert confirm what I've suggested. Why ask experts for help if you want to argue and ignore their advice?  It isn't my infrastructure so...frankly...do as you please. It doesn't bother me any which way, except for the time I feel I wasted trying to help. But think long and hard why you came here in the first place. Because it doesn't seem like you've thought that through.

If you have any data available for the SYSVOL you might be able to recover using this process
https://www.experts-exchange.com/articles/29522/How-to-restore-Active-Directory-Group-Policy-with-only-SYSVOL-data.html

Cliff, I think you reversed your analogy, i.e. a person diagnosed with a serious condition, but who wants a remedy for a mundane condition.

As you noted, once an administrative account is compromised, the reliability of the workstations' existing condition might also be in doubt...

At times people seek to have their approach reaffirmed while knowing full well what the right approach is.

OK, OK, I get it ;)  The best thing to do is to be sure nothing carries over.   I will recreate the Domain.  

I am still curious about the user in this case who said the "restore from scratch" option worked after all data encrypted.  https://www.experts-exchange.com/questions/29002511/SYSVOL-corrupted.html

I've sent them an inquiry.

Thanks,
Fred
There is a fundamental difference between your situation and theirs. Right in their question, they said they restored from a backup. So they ONLY had to fix replication.

From your question:  "without a good restore option available."

If you had a known good backup, my advice would be different.  But by your own admission, you don't. And that is also why a replication repair option was possible in their case and not in yours.
ASKER CERTIFIED SOLUTION (Aard Vark)

Thanks all for your comments and thanks for the clarification @Learnctx!

FYI, a forgotten mapped drive to the backup repository containing all the server image backups, which had been current, was encrypted along with the server.  So backups were good.  Mapped drives are BAD.  Many steps have been taken to secure the backup target and add redundancy to the backups since this happened.  So yes, self-flagellation continues ;)  

Believe it or not, I actually did want an answer to my original question.  Perhaps I should have opened it with "I know the best solution is... but I still want to know, given my situation".   The easy "answer" is to plow everything under.  For now, I will settle for backups that update versions every three hours, onsite and offsite.

The question was:   Should I remove the old DC first, or "fix" the SYSVOL problems first.

The DC is functional enough at the moment.  I would appreciate some pointers from someone experienced in the black art of repairing the SYSVOL.   I have removed tombstoned DCs enough times that I am comfortable with it, but I wonder if the SYSVOL should be fixed first.

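
The "forgotten mapped drive" in the post above is the kind of thing worth hunting for on every server before the rebuilt backup target goes live. The following is an added example, not code from the thread: it lists persistent drive mappings that point at the backup host, for every user profile hive loaded on the machine plus the current session. The backup host name is a placeholder assumption.

```powershell
# Added example, not from the thread. Lists persistent drive mappings aimed at the
# backup repository. $backupHost is a placeholder (assumed); run elevated on each server.
$backupHost = 'backup01'
$pattern    = "^\\\\$backupHost\\"

# Persistent mappings live under HKU\<SID>\Network\<letter>\RemotePath, one hive per
# logged-on (or loaded) user. Only real account SIDs are checked, not the _Classes hives.
$hits = foreach ($hive in Get-ChildItem Registry::HKEY_USERS |
                          Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' }) {
    $netKey = "Registry::HKEY_USERS\$($hive.PSChildName)\Network"
    if (-not (Test-Path -LiteralPath $netKey)) { continue }
    foreach ($drive in Get-ChildItem -LiteralPath $netKey) {
        $remote = (Get-ItemProperty -LiteralPath $drive.PSPath).RemotePath
        if ($remote -match $pattern) {
            [pscustomobject]@{
                UserSid    = $hive.PSChildName
                User       = (New-Object System.Security.Principal.SecurityIdentifier $hive.PSChildName).Translate([System.Security.Principal.NTAccount]).Value
                Drive      = $drive.PSChildName
                RemotePath = $remote
            }
        }
    }
}

# Mappings created in the current session (net use / New-PSDrive -Persist) that
# have not necessarily been written to a hive yet.
$live = Get-SmbMapping | Where-Object RemotePath -match $pattern |
        Select-Object LocalPath, RemotePath, Status

'Persistent mappings to the backup host:'
$hits | Format-Table -AutoSize
'Current-session mappings to the backup host:'
$live | Format-Table -AutoSize
```

Any hit means a process running as that user can reach the backup share with that user's rights, which is exactly how the image backups in this thread were encrypted. The fix the poster describes (a backup target that the production server cannot browse as a drive letter) is what this check confirms.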

What do you mean by repair? You need the default domain controller and default domain policy to regenerate?
The GPOs should exist in AD and be copied out to SYSVOL.
https://social.technet.microsoft.com/Forums/windows/en-US/95daaa73-5916-4711-8c57-fa130fe87418/gpotoolexe-in-windows-2012-r2?forum=winserver8gen
https://technet.microsoft.com/en-us/library/hh875588(v=ws.11).aspx

Your use of terminology makes it unclear what you mean.
The data is encrypted, but the structure remains, i.e. the shares are available.
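
The check behind "the GPOs should exist in AD and be copied out to SYSVOL", as an added PowerShell example that is not code from the thread: for every GPO object in AD it looks for the matching SYSVOL folder, parses GPT.INI, compares the AD and SYSVOL version counters (the comparison gpotool used to make), and flags files whose extension SYSVOL normally never contains, since ransomware usually renames what it encrypts. It assumes the GroupPolicy RSAT module is present and that it runs on the surviving DC of the domain it is joined to; the list of "normal" extensions is an assumption.

```powershell
# Added example, not from the thread. Audits AD GPO objects against their SYSVOL payload.
# Assumes: GroupPolicy module (RSAT) installed, run on the surviving DC. $knownExt is assumed.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain   = (Get-ADDomain).DNSRoot
$policies = "\\$domain\SYSVOL\$domain\Policies"

# Extensions normally found under a GPO folder; anything else is suspect. (Assumption.)
$knownExt = '.ini','.pol','.inf','.xml','.adm','.admx','.adml','.aas','.cmtx','.msi','.vbs','.bat','.cmd','.ps1','.txt',''

$report = foreach ($gpo in Get-GPO -All -Domain $domain) {
    $dir    = Join-Path $policies "{$($gpo.Id)}"
    $gptIni = Join-Path $dir 'GPT.INI'
    $state  = 'ok'
    $odd    = @()

    if (-not (Test-Path -LiteralPath $dir)) {
        $state = 'folder missing'
    } elseif (-not (Test-Path -LiteralPath $gptIni)) {
        $state = 'GPT.INI missing'
    } else {
        # A healthy GPT.INI is a few lines: a [General] section and Version=<int>.
        # An encrypted one fails this parse.
        $text = Get-Content -LiteralPath $gptIni -Raw
        if ($text -notmatch '(?m)^\[General\]\s*$' -or $text -notmatch '(?m)^Version=\d+') {
            $state = 'GPT.INI unreadable'
        }
        $odd = Get-ChildItem -LiteralPath $dir -Recurse -File |
               Where-Object { $_.Extension.ToLower() -notin $knownExt } |
               Select-Object -ExpandProperty FullName
    }

    [pscustomobject]@{
        Name          = $gpo.DisplayName
        Id            = $gpo.Id
        SysvolState   = $state
        AdVersion     = "$($gpo.Computer.DSVersion)/$($gpo.User.DSVersion)"
        SysvolVersion = "$($gpo.Computer.SysvolVersion)/$($gpo.User.SysvolVersion)"
        OddFiles      = @($odd).Count
    }
}

$report | Sort-Object SysvolState, Name | Format-Table -AutoSize

# The two built-in GPOs can be regenerated (not restored) with the in-box tool; it
# rebuilds them to defaults, loses any customisation, and does nothing for other GPOs:
#   dcgpofix /target:both
```

A row with SysvolState other than ok, or with AD and SYSVOL versions that disagree, is a GPO whose AD object survived but whose payload did not; without a clean copy of that folder the only options are recreating the policy by hand or, for the two defaults, dcgpofix.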

SOLUTION

No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I have recommended this question be closed as follows:

Split:
-- Learnctx (https:#a42272102)
-- Cliff Galiher (https:#a42273510)


If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.

Pber
Experts-Exchange Cleanup Volunteer