Rebuilding SYSVOL

Melissa
I have an SBS 2011 Server and have discovered the SYSVOL directory is corrupted (by cryptoware a while ago).
There are no backups to restore these files from, so I am considering rebuilding SYSVOL and its content.
I am considering some steps shown here: https://support.microsoft.com/en-au/help/315457/how-to-rebuild-the-sysvol-tree-and-its-content-in-a-domain
to rebuild this, but I wasn't sure if this was right and what the repercussions might be.
I have 8 workstations on the SBS network.
Exchange used to be hosted on the Server, but we have recently moved to O365.
Alex (Senior Infrastructure Analyst)

Commented:
Those are Microsoft best practice guidelines. I think those would work on SBS 2011; however, they may be directed at a 2008 domain, and I also think that guide is for when you have more than 1 DC.

Do you only have the 1 DC in your environment?
Melissa (Systems Analyst)

Author

Commented:
Yes, only 1 DC. I'm trying to see if there's a way I can decrypt the infected files, but I think a rebuild is the way to go.
Alex (Senior Infrastructure Analyst)

Commented:
If you have no backups then yes, a rebuild it is.

Do you happen to have AD in the cloud? You can probably build a new box and then replicate from the cloud back to your on-premise DC.

Regards
Alex
Melissa (Systems Analyst)

Author

Commented:
No AD in the cloud, no backups from around that time.
Mahesh (Architect, Distinguished Expert 2018)
Commented:
If you don't have a backup, you can follow the article below:

https://www.experts-exchange.com/articles/33363/Active-Directory-System-State-Recovery-with-Sysvol-Authoritative-Restore-Authsysvol-switch-Explained.html

Refer to step 11 under the DFSR SYSVOL restore section.

The steps remain the same even if you have FRS SYSVOL.

Note that you only need to follow the steps in point 11.
Scott Silva (Network Administrator)

Commented:
You can try here to see if your variant of ransomware has a decryptor available...
https://id-ransomware.malwarehunterteam.com/
Philip Elder (Technical Architect - HA/Compute/Storage)

Commented:
If you have access to the SBS 2011 Standard install DVD or a .ISO file, then:
 1: If DVD, use a freebie utility to generate a .ISO file
 2: Set up a VM on your favourite hypervisor
 3: Mount the .ISO
 4: Install SBS 2011 Standard
 5: Set up identically to the existing domain

Once the above is done, the SYSVOL will be in the default SBS state. Copy those files over.

For obvious reasons please make sure to take a System State backup of the existing SBS prior to making any changes.
Melissa (Systems Analyst)

Author

Commented:
Hi Philip, I'm not sure if this would work due to UID conflicts?
Philip Elder (Technical Architect - HA/Compute/Storage)

Commented:
Checking ....
Melissa (Systems Analyst)

Author

Commented:
I am running through the steps in this article: https://www.experts-exchange.com/articles/33363/Active-Directory-System-State-Recovery-with-Sysvol-Authoritative-Restore-Authsysvol-switch-Explained.html

When I query "wbadmin get versions", it states a backup was done to a workstation in 2011 that no longer exists (not sure how that was done).

My question is now: can I perform an authoritative restore of DS if I don't have a backup?
Mahesh (Architect, Distinguished Expert 2018)
Commented:
If the Sysvol and netlogon contents (folder structure and GPOs) are lost, the article won't be able to get those back.

After following step 11 as mentioned in my earlier comment, you will get back plain Sysvol and netlogon shares.

Check with "net share" from the command line whether the Sysvol and netlogon shares are available.

Now you need to restore the default GPOs (Default Domain Policy and Default Domain Controllers Policy) with DCGPOFIX.
Note that without following step 11 you won't be able to restore the default GPOs. The prerequisite for DCGPOFIX is shared Sysvol and netlogon shares.

To restore the default GPOs through DCGPOFIX (note that you will lose any custom settings you made in these GPOs), run the below command from an elevated cmd on the DC:
dcgpofix /ignoreschema /target:both

https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/dcgpofix
Philip Elder (Technical Architect - HA/Compute/Storage)

Commented:
The SBS GPOs can be copied from a known good SBS without issue.

The SBS SYSVOL structure should be in place prior.

The Default Domain Policy and the Default Domain Controllers Policy can also be reset to defaults:
dcgpofix /ignoreschema /target:Both

Reboot.

Run the Journal Wrap fix steps to get SYSVOL going again if it fails to be published.

E-E post on backing up and restoring GPOs that we've used to copy to other DCs on different domains.
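As an added example that is not code from this thread or from any of its participants, the PowerShell below performs the pre-flight checks behind the two dcgpofix answers above: it confirms the SYSVOL and NETLOGON shares are published, lists which GPOs known to AD have lost their SYSVOL folder (the part the cryptoware destroyed) and which of those dcgpofix can recreate, and backs up whatever GPOs remain before the reset. It assumes it runs elevated on the single SBS 2011 DC with the GroupPolicy module (GPMC) available; the backup folder name is an assumption.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell on the DC with GPMC installed.
# Reports share state, GPOs whose SYSVOL content is gone, and backs up the rest before dcgpofix,
# which discards any custom settings in the two default policies it recreates.
Import-Module GroupPolicy

$domain = $env:USERDNSDOMAIN
# Well-known GUIDs of the two GPOs that "dcgpofix /target:Both" recreates.
$defaultGpos = @{
    '{31B2F340-016D-11D2-945F-00C04FB984F9}' = 'Default Domain Policy'
    '{6AC1786C-016F-11D2-945F-00C04FB984F9}' = 'Default Domain Controllers Policy'
}

# 1. Prerequisite named in the thread: dcgpofix needs both shares published (step 11 first).
$shares = Get-WmiObject Win32_Share | Select-Object -ExpandProperty Name
foreach ($s in 'SYSVOL', 'NETLOGON') {
    if ($shares -contains $s) { Write-Host "[OK]   share $s is published" }
    else { Write-Warning "share $s is missing - finish the SYSVOL rebuild before running dcgpofix" }
}

# 2. Compare GPOs defined in AD with what is physically left under SYSVOL\<domain>\Policies.
#    A GPO whose folder or gpt.ini is gone cannot be applied by clients even though AD still lists it.
$policiesPath = "\\$env:COMPUTERNAME\SYSVOL\$domain\Policies"
foreach ($gpo in Get-GPO -All) {
    $guid   = "{$($gpo.Id)}"
    $gptIni = Join-Path (Join-Path $policiesPath $guid) 'gpt.ini'
    if (Test-Path $gptIni) {
        $version = (Get-Content $gptIni | Select-String '^Version=') -replace '^Version=', ''
        Write-Host ("[OK]   GPO '{0}' has gpt.ini (version {1})" -f $gpo.DisplayName, $version)
    } else {
        $hint = if ($defaultGpos.ContainsKey($guid)) { 'recoverable with dcgpofix' }
                else { 'not covered by dcgpofix; recreate or copy from a known good SBS' }
        Write-Warning ("GPO '{0}' has no SYSVOL content: {1}" -f $gpo.DisplayName, $hint)
    }
}

# 3. Preserve anything still intact before the reset; dcgpofix itself makes no backup.
$backupDir = "C:\GPO-Backup-$(Get-Date -Format yyyyMMdd-HHmm)"   # assumed location
New-Item -ItemType Directory -Path $backupDir | Out-Null
Backup-GPO -All -Path $backupDir | Out-Null
Write-Host "Backed up remaining GPOs to $backupDir"
Write-Host "Next step from the thread:  dcgpofix /ignoreschema /target:Both"
```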
