Melissa (Australia)

asked on

Rebuilding SYSVOL

I have an SBS 2011 Server and have discovered the SYSVOL directory is corrupted (by cryptoware a while ago).
There are no backups to restore these files from, so I am considering rebuilding SYSVOL and its content.
I am considering the steps shown here: https://support.microsoft.com/en-au/help/315457/how-to-rebuild-the-sysvol-tree-and-its-content-in-a-domain
to rebuild this, but wasn't sure if this was right and what the repercussions might be.
I have 8 workstations on the SBS network.
Exchange used to be hosted on the Server, but we have recently moved to O365.
Alex (United Kingdom)

Those are Microsoft best practice guidelines. I think those would work on SBS 2011; however, they may be directed at a 2008 domain, and I also think that guide assumes you have more than 1 DC.

Do you only have the 1 DC in your environment?
Melissa

ASKER

Yes, only 1 DC. I'm trying to see if there's a way I can decrypt the infected files, but I think a rebuild is the way to go.
If you have no backups, then yes, a rebuild it is.

Do you happen to have AD in the cloud? If so, you can probably build a new box and then replicate from the cloud back to your on-premise DC.

Regards
Alex
Melissa

ASKER

No AD in the cloud, no backups from around that time.
SOLUTION
Mahesh (India)

You can try here to see if your variant of ransomware has a decryptor available:
https://id-ransomware.malwarehunterteam.com/
If you have access to the SBS 2011 Standard install DVD or a .ISO file, then:
 1: If on DVD, use a freebie utility to generate a .ISO file
 2: Set up a VM on your favourite hypervisor
 3: Mount the .ISO
 4: Install SBS 2011 Standard
 5: Set up identically to the existing domain

Once the above is done, the SYSVOL will be in the default SBS state. Copy those files over.

For obvious reasons please make sure to take a System State backup of the existing SBS prior to making any changes.
Melissa

ASKER

Hi Philip, not sure if this would work due to UID conflicts?
Checking...
Melissa

ASKER

In running through the steps in this article: https://www.experts-exchange.com/articles/33363/Active-Directory-System-State-Recovery-with-Sysvol-Authoritative-Restore-Authsysvol-switch-Explained.html

When I query "wbadmin get versions", it states a backup was done to a workstation in 2011 that no longer exists (not sure how that was done).

My question is now: can I perform an authoritative restore of DS if I don't have a backup?
ASKER CERTIFIED SOLUTION
The SBS GPOs can be copied from a known good SBS without issue.

The SBS SYSVOL structure should be in place prior.

The Default Domain Policy and the Default Domain Controllers Policy can also be reset to defaults:
dcgpofix /ignoreschema /target:Both
Reboot.

Run the Journal Wrap fix steps to get SYSVOL going again if it fails to be published.

E-E post of backing up and restoring GPOs that we've used to copy to other DCs on different domains.
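As an added example (not from the thread or any of its posters), a PowerShell pre-flight check to run on the single SBS 2011 DC before the dcgpofix and Journal Wrap steps above: it records which replication engine is in use, whether SYSVOL and NETLOGON are shared, the most recent FRS journal-wrap event, the NtFrs registry state, and takes a GPO backup so there is something to fall back on. $BackupPath is an assumed location; everything else is read-only.

```powershell
# Added example: pre-flight state capture on a lone SBS 2011 / 2008 R2 DC before rebuilding SYSVOL.
# Only the GPO backup writes anything; $BackupPath is a constructed value, change it to suit.
$BackupPath = 'C:\GPO-PreRebuild'

# 1. Which engine replicates SYSVOL? SBS 2011 normally uses NTFRS (File Replication Service).
$frs  = Get-Service -Name NtFrs -ErrorAction SilentlyContinue
$dfsr = Get-Service -Name DFSR  -ErrorAction SilentlyContinue
"NtFrs: $(if ($frs) { $frs.Status } else { 'not installed' })   DFSR: $(if ($dfsr) { $dfsr.Status } else { 'not installed' })"

# 2. Are SYSVOL and NETLOGON published? Clients cannot apply Group Policy without both shares.
foreach ($name in 'SYSVOL', 'NETLOGON') {
    $share = Get-WmiObject Win32_Share -Filter "Name='$name'"
    if ($share) { "$name share OK -> $($share.Path)" } else { "$name share MISSING" }
}

# 3. Journal wrap: FRS event 13568 means the NTFS USN journal outran FRS and SYSVOL stopped replicating;
#    13516 means FRS is no longer preventing the share from being published.
$frsLog = Get-EventLog -LogName 'File Replication Service' -Newest 200 -ErrorAction SilentlyContinue
$wrap   = $frsLog | Where-Object { $_.EventID -eq 13568 } | Select-Object -First 1
$ok     = $frsLog | Where-Object { $_.EventID -eq 13516 } | Select-Object -First 1
if ($wrap) { "Journal wrap (13568) last seen $($wrap.TimeGenerated)" } else { 'No journal wrap event found' }
if ($ok)   { "SYSVOL published (13516) last seen $($ok.TimeGenerated)" }

# 4. Registry state the journal-wrap fix works with: BurFlags (D4 = authoritative restore, the single-DC
#    case) and the automatic-restore switch. Read via .NET because the subkey name contains a '/',
#    which the PowerShell registry provider would treat as a path separator.
$params      = Get-Item -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters' -ErrorAction SilentlyContinue
$burKey      = if ($params) { $params.OpenSubKey('Backup/Restore\Process at Startup') }
$burFlags    = if ($burKey) { $burKey.GetValue('BurFlags') }
$autoRestore = if ($params) { $params.GetValue('Enable Journal Wrap Automatic Restore') }
"BurFlags: $(if ($burFlags -ne $null) { '0x{0:X}' -f $burFlags } else { 'not set' })"
"Enable Journal Wrap Automatic Restore: $(if ($autoRestore -ne $null) { $autoRestore } else { 'not set' })"

# 5. Snapshot every GPO (AD part plus whatever is still readable in SYSVOL) before dcgpofix resets any.
Import-Module GroupPolicy
New-Item -ItemType Directory -Path $BackupPath -Force | Out-Null
foreach ($gpo in Get-GPO -All) {
    try   { Backup-GPO -Guid $gpo.Id -Path $BackupPath -ErrorAction Stop | Out-Null; "Backed up: $($gpo.DisplayName)" }
    catch { "FAILED (SYSVOL content likely damaged): $($gpo.DisplayName) - $($_.Exception.Message)" }
}
```

GPOs whose backup fails are the ones whose SYSVOL folder the ransomware touched; those are the candidates for replacement from a known-good SBS or for dcgpofix.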