New Domain Controller

Question: I need to reinstall the OS on a Domain Controller server in a small office. My question is, if I name the server the same and give it the same IP, will the PCs that are already joined to the domain just recognize it as the DC for AD?
Ross Maddox (IT Director) asked:
Mark Bill (Exchange, AD, SQL, VMware, HPE, 3PAR, FUD, Anti MS Tekhnet, Pro EE, #1) commented:
No, they will need to be rejoined to AD completely. Why don't you take an AD backup and then restore it at a later point?
0

Mark Bill (Exchange, AD, SQL, VMware, HPE, 3PAR, FUD, Anti MS Tekhnet, Pro EE, #1) commented:
Take the pressure off yourself by getting an image of the server using Acronis True Image; buy it if need be.
Then take a backup of AD and restore it at a later point.
0
Ross Maddox (IT Director, Author) commented:
How do I take an AD backup on Server 2016 Essentials, and how do I restore it?
1
MAS (MVE) (EE Solution Guide - Technical Dept Head) commented:
--> my question is if I name the server the same and give it the same ip. Will the pc's that are already joined to the domain just recognize it as the DC for AD?
You cannot rename the server until you demote it.
0
Ross Maddox (IT Director, Author) commented:
I don't want an image; the server has a virus on it and I want a fresh install.
0
Mark Bill (Exchange, AD, SQL, VMware, HPE, 3PAR, FUD, Anti MS Tekhnet, Pro EE, #1) commented:
If this is your only domain controller, you are going to lose a lot of data by formatting it and not backing it up.
Feel free to contact me on live at https://www.experts-exchange.com/live/ ; I can help here.

I am also looking for documentation for you now on doing an AD backup.

Can you post output of DCDIAG please?
0
Mark Bill (Exchange, AD, SQL, VMware, HPE, 3PAR, FUD, Anti MS Tekhnet, Pro EE, #1) commented:
What kind of virus does it have? This is my specialist area; sometimes with viruses we do not need to format, it is virus dependent.
The image of the server also contains all your AD data, which is untouched by the virus.
0
MAS (MVE) (EE Solution Guide - Technical Dept Head) commented:
1) Please install a new Windows.
2) Promote the server to domain controller.
3) Move the FSMO roles from the old server to the new server that is to become the FSMO holder.
4) Move your files to the new server.
5) Demote the old server and format it.
0
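The five steps MAS lists, as an added PowerShell example that is not from the thread or from any participant. Names are assumptions: the existing DC is DG-PHY and the domain DIAMONDGLASS.local (both from the dcdiag output posted later in the thread), the freshly installed server is called DG-NEW, and the DHCP scope and IP addresses are placeholders. This is a transfer of the roles while both DCs are online, not a seizure; the demotion at the end is what frees the old name and SRV records so the reinstall can reuse them.

```powershell
# Added example: second DC promotion, FSMO transfer, then demotion of the old DC.
# Assumed names: old DC DG-PHY, new server DG-NEW, domain DIAMONDGLASS.local.
# Steps 1-4 run in an elevated PowerShell on DG-NEW; steps 5-6 run on DG-PHY.

# 1. Install the AD DS binaries and management tools on the new server.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# 2. Promote it as an additional DC (and DNS server) in the existing domain.
#    Keep the DSRM password somewhere safe: an offline system state restore needs it.
$domainCred = Get-Credential -UserName 'DIAMONDGLASS\Administrator' -Message 'Domain admin'
$dsrmPwd    = Read-Host -AsSecureString -Prompt 'DSRM (Safe Mode) password'
Install-ADDSDomainController -DomainName 'DIAMONDGLASS.local' -InstallDns `
    -Credential $domainCred -SafeModeAdministratorPassword $dsrmPwd `
    -ReplicationSourceDC 'DG-PHY.DIAMONDGLASS.local' -Force
# The server reboots here; continue after the reboot.

# 3. Move nothing until the initial replication from DG-PHY has completed cleanly.
repadmin /replsummary
Get-ADReplicationPartnerMetadata -Target 'DG-NEW' |
    Select-Object Partner, LastReplicationSuccess, LastReplicationResult

# 4. Transfer (not seize) all five FSMO roles to the new server and confirm.
Move-ADDirectoryServerOperationMasterRole -Identity 'DG-NEW' `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster `
    -Confirm:$false
netdom query fsmo        # every role should now show DG-NEW

# 5. On DG-PHY (it still runs DHCP): hand clients the new DC as their DNS server
#    before the old one disappears. Scope and address are placeholders.
Set-DhcpServerv4OptionValue -ComputerName 'DG-PHY' -ScopeId 192.168.1.0 -DnsServer 192.168.1.11

# 6. On DG-PHY, after the file shares and DHCP have been migrated, demote it.
#    Only after this is the old hostname free for a clean reinstall.
$localPwd = Read-Host -AsSecureString -Prompt 'Local administrator password after demotion'
Uninstall-ADDSDomainController -LocalAdministratorPassword $localPwd -Force -Confirm:$false
```

The ordering matters for the question that opened the thread: a machine that is simply reinstalled with the old name and IP has no copy of the directory, so existing computer accounts and their secure channels cannot be honoured; a DC that has replicated from DG-PHY before DG-PHY is demoted carries the same domain, the same computer objects and the same Kerberos keys, so the joined PCs keep working without being rejoined.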
Mark Bill (Exchange, AD, SQL, VMware, HPE, 3PAR, FUD, Anti MS Tekhnet, Pro EE, #1) commented:
Re: a backup, look at this: http://www.tomsitpro.com/articles/back-up-windows-server-2016-domain-controller,1-3423.html . Good explanation and instructions.
0
Ross Maddox (IT Director, Author) commented:
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Users\CFMIT>dcdiag

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = DG-PHY
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\DG-PHY
      Starting test: Connectivity
         ......................... DG-PHY passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\DG-PHY
      Starting test: Advertising
         ......................... DG-PHY passed test Advertising
      Starting test: FrsEvent
         ......................... DG-PHY passed test FrsEvent
      Starting test: DFSREvent
         There are warning or error events within the last 24 hours after the SYSVOL has been shared.  Failing SYSVOL
         replication problems may cause Group Policy problems.
         ......................... DG-PHY passed test DFSREvent
      Starting test: SysVolCheck
         ......................... DG-PHY passed test SysVolCheck
      Starting test: KccEvent
         ......................... DG-PHY passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... DG-PHY passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... DG-PHY passed test MachineAccount
      Starting test: NCSecDesc
         ......................... DG-PHY passed test NCSecDesc
      Starting test: NetLogons
         [DG-PHY] User credentials does not have permission to perform this operation.
         The account used for this test must have network logon privileges
         for this machine's domain.
         ......................... DG-PHY failed test NetLogons
      Starting test: ObjectsReplicated
         ......................... DG-PHY passed test ObjectsReplicated
      Starting test: Replications
         [Replications Check,DG-PHY] DsReplicaGetInfo(PENDING_OPS, NULL) failed, error 0x2105
         "Replication access was denied."
         ......................... DG-PHY failed test Replications
      Starting test: RidManager
         ......................... DG-PHY passed test RidManager
      Starting test: Services
            Could not open NTDS Service on DG-PHY, error 0x5 "Access is denied."
         ......................... DG-PHY failed test Services
      Starting test: SystemLog
         An error event occurred.  EventID: 0x00002720
            Time Generated: 02/15/2018   09:13:57
            Event String:
            The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
         A warning event occurred.  EventID: 0x80000434
            Time Generated: 02/15/2018   09:14:22
            Event String:
            The reason supplied by user DIAMONDGLASS\CFMIT for the last unexpected shutdown of this computer is: Other (Unplanned)
         An error event occurred.  EventID: 0x00002720
            Time Generated: 02/15/2018   09:16:46
            Event String:
            The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
         An error event occurred.  EventID: 0x00002720
            Time Generated: 02/15/2018   09:18:38
            Event String:
            The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
         An error event occurred.  EventID: 0x00002720
            Time Generated: 02/15/2018   09:18:52
            Event String:
            The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
         An error event occurred.  EventID: 0x00002720
            Time Generated: 02/15/2018   09:19:06
            Event String:
            The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
         An error event occurred.  EventID: 0x00002720
            Time Generated: 02/15/2018   09:19:34
            Event String:
            The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
         An error event occurred.  EventID: 0x00002720
            Time Generated: 02/15/2018   09:20:46
            Event String:
            The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
         An error event occurred.  EventID: 0x00002720
            Time Generated: 02/15/2018   09:24:20
            Event String:
            The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
         An error event occurred.  EventID: 0x00002720
            Time Generated: 02/15/2018   09:24:27
            Event String:
            The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
         An error event occurred.  EventID: 0x00002720
            Time Generated: 02/15/2018   09:24:37
            Event String:
            The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
         An error event occurred.  EventID: 0x00002720
            Time Generated: 02/15/2018   09:27:20
            Event String:
            The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
         A warning event occurred.  EventID: 0x00001695
            Time Generated: 02/15/2018   09:27:36
            Event String:
            Dynamic registration or deletion of one or more DNS records associated with DNS domain 'DIAMONDGLASS.local.' failed.  These records are used by other computers to locate this server as a domain controller (if the specified domain is an Active Directory domain) or as an LDAP server (if the specified domain is an application partition).
         ......................... DG-PHY failed test SystemLog
      Starting test: VerifyReferences
         ......................... DG-PHY passed test VerifyReferences


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : DIAMONDGLASS
      Starting test: CheckSDRefDom
         ......................... DIAMONDGLASS passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DIAMONDGLASS passed test CrossRefValidation

   Running enterprise tests on : DIAMONDGLASS.local
      Starting test: LocatorCheck
         ......................... DIAMONDGLASS.local passed test LocatorCheck
      Starting test: Intersite
         ......................... DIAMONDGLASS.local passed test Intersite

C:\Users\CFMIT>
0
Ross Maddox (IT Director, Author) commented:
I only have one server at this office, running DC, DNS, DHCP and file/print.
0
Mark Bill (Exchange, AD, SQL, VMware, HPE, 3PAR, FUD, Anti MS Tekhnet, Pro EE, #1) commented:
Re: the virus, reboot the server into safe mode with networking and install ESET Online Scanner; this is downloadable and free, a one-time-install free product. Do a full scan.

Also look at getting Trend Micro HijackThis installed; get an output from it and post it on here for me to see.
0
Mark Bill (Exchange, AD, SQL, VMware, HPE, 3PAR, FUD, Anti MS Tekhnet, Pro EE, #1) commented:
I get the setup you have; you need to run that DCDIAG command as an administrator. Also, taking a backup of AD before doing anything would be my first move. Possibly an image too.
0
Mark Bill (Exchange, AD, SQL, VMware, HPE, 3PAR, FUD, Anti MS Tekhnet, Pro EE, #1) commented:
Finding out how the machine is infected before doing anything would be my lead; most viruses are not CryptoWall 4 and are removable. It's also not a bad idea to have a look at bleepingcomputer.com; they will have a thread and removal steps for the virus you have.
0
Ross Maddox (IT Director, Author) commented:
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Windows\system32>dcdiag

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = DG-PHY
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\DG-PHY
      Starting test: Connectivity
         ......................... DG-PHY passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\DG-PHY
      Starting test: Advertising
         ......................... DG-PHY passed test Advertising
      Starting test: FrsEvent
         ......................... DG-PHY passed test FrsEvent
      Starting test: DFSREvent
         There are warning or error events within the last 24 hours after the SYSVOL has been shared.  Failing SYSVOL
         replication problems may cause Group Policy problems.
         ......................... DG-PHY passed test DFSREvent
      Starting test: SysVolCheck
         ......................... DG-PHY passed test SysVolCheck
      Starting test: KccEvent
         ......................... DG-PHY passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... DG-PHY passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... DG-PHY passed test MachineAccount
      Starting test: NCSecDesc
         ......................... DG-PHY passed test NCSecDesc
      Starting test: NetLogons
         ......................... DG-PHY passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... DG-PHY passed test ObjectsReplicated
      Starting test: Replications
         ......................... DG-PHY passed test Replications
      Starting test: RidManager
         ......................... DG-PHY passed test RidManager
      Starting test: Services
         ......................... DG-PHY passed test Services
      Starting test: SystemLog
         An error event occurred.  EventID: 0x00002720
            Time Generated: 02/15/2018   09:16:46
            Event String:
            The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
         An error event occurred.  EventID: 0x00002720
            Time Generated: 02/15/2018   09:18:38
            Event String:
            The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
         An error event occurred.  EventID: 0x00002720
            Time Generated: 02/15/2018   09:18:52
            Event String:
            The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
         An error event occurred.  EventID: 0x00002720
            Time Generated: 02/15/2018   09:19:06
            Event String:
            The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
         An error event occurred.  EventID: 0x00002720
            Time Generated: 02/15/2018   09:19:34
            Event String:
            The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
         An error event occurred.  EventID: 0x00002720
            Time Generated: 02/15/2018   09:20:46
            Event String:
            The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
         An error event occurred.  EventID: 0x00002720
            Time Generated: 02/15/2018   09:24:20
            Event String:
            The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
         An error event occurred.  EventID: 0x00002720
            Time Generated: 02/15/2018   09:24:27
            Event String:
            The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
         An error event occurred.  EventID: 0x00002720
            Time Generated: 02/15/2018   09:24:37
            Event String:
            The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
         An error event occurred.  EventID: 0x00002720
            Time Generated: 02/15/2018   09:27:20
            Event String:
            The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
         A warning event occurred.  EventID: 0x00001695
            Time Generated: 02/15/2018   09:27:36
            Event String:
            Dynamic registration or deletion of one or more DNS records associated with DNS domain 'DIAMONDGLASS.local.' failed.  These records are used by other computers to locate this server as a domain controller (if the specified domain is an Active Directory domain) or as an LDAP server (if the specified domain is an application partition).
         ......................... DG-PHY failed test SystemLog
      Starting test: VerifyReferences
         ......................... DG-PHY passed test VerifyReferences


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : DIAMONDGLASS
      Starting test: CheckSDRefDom
         ......................... DIAMONDGLASS passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DIAMONDGLASS passed test CrossRefValidation

   Running enterprise tests on : DIAMONDGLASS.local
      Starting test: LocatorCheck
         ......................... DIAMONDGLASS.local passed test LocatorCheck
      Starting test: Intersite
         ......................... DIAMONDGLASS.local passed test Intersite

C:\Windows\system32>
0
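The two dcdiag runs above differ only in elevation: the NetLogons, Replications and Services failures in the first run are "access denied" from an unprivileged prompt and vanish in the second, as Mark pointed out, leaving SystemLog as the only real failure. Its content is a string of EventID 0x00002720 (decimal 10016, the DCOM Local Activation permission error) plus one 0x00001695 (decimal 5781, Netlogon failing to register the DC's DNS records, which is the one that affects clients locating the DC). The following is an added PowerShell example, not something any participant posted: two small functions that summarise a dcdiag run and decode the event IDs, exercised on a constructed excerpt shaped like the posted output. Note that a clean dcdiag tells you the directory service is functioning, not that the host is free of malware.

```powershell
# Added example (not from the thread): summarise dcdiag output and decode
# the SystemLog event IDs it quotes. Sample input below is constructed.

function Get-DcdiagSummary {
    # One object per "<target> passed/failed test <name>" line.
    param([Parameter(Mandatory)][string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match '\.{5,}\s+(?<Target>\S+) (?<Result>passed|failed) test (?<Test>\w+)') {
            [pscustomobject]@{
                Target = $Matches.Target
                Test   = $Matches.Test
                Result = $Matches.Result
            }
        }
    }
}

function Get-DcdiagEvent {
    # The events dcdiag quotes under SystemLog, with the hex EventID converted
    # to the decimal number that Event Viewer and vendor articles use.
    param([Parameter(Mandatory)][string[]]$Lines)
    for ($i = 0; $i -lt $Lines.Count; $i++) {
        if ($Lines[$i] -match '(?<Level>error|warning) event occurred\.\s+EventID: 0x(?<Hex>[0-9A-Fa-f]+)') {
            $level = $Matches.Level                      # save before the inner -match overwrites $Matches
            $id    = [Convert]::ToInt32($Matches.Hex, 16)
            $text  = ''
            # The message body is the line after "Event String:", a few lines down.
            for ($j = $i + 1; $j -lt $Lines.Count -and $j -le $i + 3; $j++) {
                if ($Lines[$j] -match 'Event String:' -and ($j + 1) -lt $Lines.Count) {
                    $text = $Lines[$j + 1].Trim(); break
                }
            }
            [pscustomobject]@{ Level = $level; EventId = $id; Text = $text }
        }
    }
}

# Constructed sample: a shortened excerpt in the shape of the posted dcdiag output.
$sample = @'
      Starting test: NetLogons
         [DG-PHY] User credentials does not have permission to perform this operation.
         ......................... DG-PHY failed test NetLogons
      Starting test: RidManager
         ......................... DG-PHY passed test RidManager
      Starting test: SystemLog
         An error event occurred.  EventID: 0x00002720
            Time Generated: 02/15/2018   09:13:57
            Event String:
            The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
         A warning event occurred.  EventID: 0x00001695
            Time Generated: 02/15/2018   09:27:36
            Event String:
            Dynamic registration or deletion of one or more DNS records associated with DNS domain 'DIAMONDGLASS.local.' failed.
         ......................... DG-PHY failed test SystemLog
'@ -split "`r?`n"

Get-DcdiagSummary -Lines $sample | Where-Object Result -eq 'failed'
# NetLogons and SystemLog are reported as failed, RidManager as passed.

Get-DcdiagEvent -Lines $sample | Group-Object EventId | Select-Object Name, Count
# 10016 (DCOM activation permission, noise) and 5781 (Netlogon DNS registration, act on it).

# Against a live DC, from an elevated prompt:
#   $out = dcdiag /v
#   Get-DcdiagSummary -Lines $out | Where-Object Result -eq 'failed'
#   Get-DcdiagEvent   -Lines $out | Group-Object EventId
```

Running it from an elevated prompt is not cosmetic: the non-elevated run produces three spurious failures that would send a rebuild in the wrong direction, while the 5781 warning is the finding that actually deserves a look before a DC is replaced, because clients use those DNS records to find the domain controller.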
Mark Bill (Exchange, AD, SQL, VMware, HPE, 3PAR, FUD, Anti MS Tekhnet, Pro EE, #1) commented:
I think formatting a box without having any idea what is on it is a bad move; the reality is the ESET scanner could just clean that box, just like that.
You also need to know what is on it, as you need to know how this happened; I once had to spend weeks tracking down how we got a virus.

AD looks healthy.
Back it up using the link I sent. That covers us here. If you really want to be safe, use Acronis.
Restart into safe mode with networking and use that ESET scanner. Then we will know what is on it, and most likely where it came from.
I would then re-evaluate it from there.

MAS's solution also works, but I feel this is better; MAS is a very reputable expert, in fairness.

** Update: I do prefer a True Image backup, as that will back up literally everything on that server, through a RAID array even if it is a physical box. I would also look at creating backups of anything else this server is doing. I am just a bit wary of it hosting some critical data we do not know about here.
0
Ross Maddox (IT Director, Author) commented:
0
Mark Bill (Exchange, AD, SQL, VMware, HPE, 3PAR, FUD, Anti MS Tekhnet, Pro EE, #1) commented:
What does the ESET scanner say? More interested in that at first.

Why do you think this has a virus? What are the symptoms?
0
Ross Maddox (IT Director, Author) commented:
The server disk runs at 100% and it reboots randomly. Malwarebytes found PayDay ransomware and removed it, but the problems persist.
0
Mark Bill (Exchange, AD, SQL, VMware, HPE, 3PAR, FUD, Anti MS Tekhnet, Pro EE, #1) commented:
OK, fine, well we may need to get rid of it; I am going to start looking at that variant now to help.
Will post back on that in a bit.

Load your HijackThis log into this site: https://www.hijackthis.de/
I just did that now. Inconclusive for now, but definitely seeing some weird things.

I really would not do anything with it until I had the results of that ESET scanner; if it fails to find anything, run Malwarebytes in safe mode with networking also.

These viruses often corrupt backups taken locally by design, so using an Acronis image of the server may be helpful here.
0
Ross Maddox (IT Director, Author) commented:
I am scanning now, and looking into Acronis.
0
Mark Bill (Exchange, AD, SQL, VMware, HPE, 3PAR, FUD, Anti MS Tekhnet, Pro EE, #1) commented:
Check this out for removal steps for the virus: https://malwaretips.com/blogs/remove-btcware-payday-ransomware/

Check this out for info on that virus; it is definitely doing the rounds in the last week: https://www.bleepingcomputer.com/news/security/new-payday-btcware-ransomware-variant-released/

The likely way of infection is Microsoft Word Intruder and a macro in a Word file; after this I would look at making sure your whole network is up to date with Windows Updates.

Also interested to see the results of the ESET scanner.

From here we need to decide to either
1) Clean the virus and see how it goes from here
2) Bring in a brand new server

Personally, before doing anything here I would get a solid backup of that server, maybe using Disk2vhd by Microsoft, which is free, or VMware P2V; this will make a virtual copy of the server in the event of an emergency.

I would try to clean it + Windows Updates, and go through the machines on your network to look for others with this infection.
Using ESET Online Scanner and Malwarebytes as a benchmark sounds fine.
0
Mark Bill (Exchange, AD, SQL, VMware, HPE, 3PAR, FUD, Anti MS Tekhnet, Pro EE, #1) commented:
Acronis is a good move for us here; just buy it for one server off them, it costs a few hundred bucks. Shut the server down and back it up from the boot disk. Then you are free to make your moves here worry-free.
0
Mark Bill (Exchange, AD, SQL, VMware, HPE, 3PAR, FUD, Anti MS Tekhnet, Pro EE, #1) commented:
This is just my take on the whole formatting boxes thing also.
If a virus which can cause damage like this one is reported in a company, and the IT department "do not know" what happened and just went around throwing out new servers, it is not a good idea; it also calls into question the integrity of the knowledge in the department and will cause worries outside of IT.

I think we need a root cause analysis here.
Then a safe plan to remove it.

Whatever option you choose, good luck. I am here to help if need be and hope to resolve this one.
0
Mark Bill (Exchange, AD, SQL, VMware, HPE, 3PAR, FUD, Anti MS Tekhnet, Pro EE, #1) commented:
Also, Ross, try looking into why the drive is full; not sure why a virus would do that. Use TreeSize Free to get a good detailed grid view of what is taking up your space. Thanks for the follow.
0
arnold commented:
Wbadmin is the backup tool; system state backup.

A backup may be ....

Look at using ldif/cdr to export your AD data to avoid bringing the birds which could potentially be in sysvol....

The issue may have exposed others; presumably the server itself was not being used and is a secondary exposure.

Prior comments addressed the need to create an AD following a new install and to have the systems rejoined after each is checked, potentially .....

Implementing a backup that backs up the data on a regular basis could limit data loss.

Regular system state backup deals with AD, sysvol, netlogon, GPO .......

NS has a process following OS install: how to restore the AD from backup when there is one DC in the environment.
0
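What a wbadmin system state backup plus an ldifde export look like in practice, as an added PowerShell example that neither arnold nor anyone else in the thread posted. Assumptions: E: is a removable volume that is unplugged once the job finishes (which answers Mark's concern about backups that sit on the infected host), the DC is DG-PHY in DIAMONDGLASS.local as in the dcdiag output, and the commands run from an elevated prompt on the DC. The LDIF files are a readable inventory of users, groups and computers for rebuilding or auditing; they do not contain password hashes, so they are not a substitute for the system state backup.

```powershell
# Added example: system state backup (wbadmin) plus an LDIF inventory of the
# directory, written to an assumed removable volume E: that is then unplugged.

# Windows Server Backup provides wbadmin and is not installed by default.
Install-WindowsFeature -Name Windows-Server-Backup

# System state covers the AD database (NTDS), SYSVOL, registry, boot files and
# COM+ configuration, which is what a DC restore needs.
wbadmin start systemstatebackup -backupTarget:E: -quiet

# Confirm a version was written; its identifier is what a later restore refers to.
wbadmin get versions -backupTarget:E:

# Readable export of the objects. -d is the search root, -r the LDAP filter,
# -l the attributes to include.
$root = (Get-ADDomain).DistinguishedName        # e.g. DC=DIAMONDGLASS,DC=local
New-Item -ItemType Directory -Path 'E:\ad-export' -Force | Out-Null
ldifde -f E:\ad-export\users.ldf     -d $root -r '(objectClass=user)'     -l 'sAMAccountName,displayName,userPrincipalName,memberOf,userAccountControl'
ldifde -f E:\ad-export\groups.ldf    -d $root -r '(objectClass=group)'    -l 'sAMAccountName,description,member'
ldifde -f E:\ad-export\computers.ldf -d $root -r '(objectClass=computer)' -l 'sAMAccountName,dNSHostName,operatingSystem,lastLogonTimestamp'

# Record hashes of the exports so tampering with the copies is detectable later.
Get-ChildItem 'E:\ad-export\*.ldf' |
    Get-FileHash -Algorithm SHA256 |
    Export-Csv 'E:\ad-export\hashes.csv' -NoTypeInformation

# Unplug E: now. Restoring onto a rebuilt server with the same name is done
# offline: boot into Directory Services Restore Mode with the DSRM password,
# reconnect E:, then run (version id taken from "wbadmin get versions"):
#   wbadmin start systemstaterecovery -version:<id> -backupTarget:E: -authsysvol -quiet
```

The point of the separate, hashed LDIF files is that they are independent of the Windows backup format: even if the system state set turns out to be unusable, the list of accounts, group memberships and computer objects survives in plain text, which is what an administrator rebuilding a single-DC domain from scratch most needs.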
Mark Bill (Exchange, AD, SQL, VMware, HPE, 3PAR, FUD, Anti MS Tekhnet, Pro EE, #1) commented:
The problem with system state and in-OS backups is that these viruses often rip them apart by design. That is why I suggested an offline pre-boot Acronis backup. Yes, regular backups are needed here. For the size of this business, Acronis would be the solution.

Following this one closely now. Good luck guys.
0
Seth Simmons (Sr. Systems Administrator) commented:
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I have recommended this question be closed as follows:

Accept: Mark Bill (https:#a42470264)

If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.

seth2740
Experts-Exchange Cleanup Volunteer
0
Windows Server 2016