Focus on Microsoft
RE: w2k server compromised Jan 24 2003 09:19PM
Laura A. Robinson (larobins bellatlantic net)
This is a good point, but since the server will be reformatted or otherwise
murdered, it is a simple procedure to seize the roles on the other DC. I do
agree that it's really something that should be done beforehand, however.

Laura

> -----Original Message-----
> From: Thomas Cameron [mailto:ThomasC (at) mip (dot) com [email concealed]]
> Sent: Friday, January 24, 2003 10:40 AM
> To: focus-ms (at) securityfocus (dot) com [email concealed]
> Subject: RE: w2k server compromised
>
>
> Don't forget to transfer the FSMO roles to the new server!
> You can shoot yourself in the foot if you just power off the
> old DC without transferring the FSMO roles.
>
> http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windows2000serv/reskit/distsys/part1/dsgch07.asp
>
> Thomas Cameron, RHCE, CNE, MCSE, MCT
> Best Software
>
> -----Original Message-----
> From: james (at) leafgrove (dot) com [email concealed] [mailto:james (at) leafgrove (dot) com [email concealed]]
> Sent: Thursday, January 23, 2003 4:08 PM
> To: 'Dan Uscatu'; focus-ms (at) securityfocus (dot) com [email concealed]
> Subject: RE: w2k server compromised
>
>
> Dan
>
> Regardless of the security implications and reasons of having
> an apparently compromised DC, you can use the following
> procedure to get your AD databases copied:
>
> Build new W2k server box
> Harden new server
> Use DCPROMO to make it a DC in the current domain/forest
> Await replication to complete, check by directing AD Users and Computers at the new server.
> Check your login scripts and policies have also come across by looking in SYSVOL
> DCPROMO old server to remove DC functionality
> Power off old server
> Remove entries in Sites and Services relating to the old server if still there
> Remove old server computer account
> Rebuild old server
> Harden old server
> DCPROMO old server to make it a DC in the current domain/forest
> Await replication to complete, check by directing AD Users and Computers at the old server.
> Check your login scripts and policies have also come across by looking in SYSVOL
> DCPROMO new server to remove DC functionality
> Power off new server
> Remove entries in Sites and Services relating to the new server if still there
> Remove new server computer account
> Done
>
> Good luck and don't forget to check the rest of your LAN for
> pesky malware. Of course, if the compromise is AD aware you may
> not be able to get rid of it this way, but that is pretty
> unlikely. Anyone else comment??
>
> Cheers
>
> JamesD
>
> -----Original Message-----
> From: Dan Uscatu [mailto:duscatu (at) lunatech (dot) ro [email concealed]]
> Sent: 23 January 2003 08:17
> To: focus-ms (at) securityfocus (dot) com [email concealed]
> Subject: w2k server compromised
>
>
> hey all
>
> i just found one of the w2k servers to be infected and acting
> very strangely. unfortunately it is a domain controller and
> it has all the users/computers lists.
>
> how can i export these before reinstall in order to keep the
> exact same configuration (everything except passwords of
> course)? i suppose this could be useful to be done on a
> regular basis too...
>
> TIA
>
>

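The FSMO step that Thomas and Laura raise, written out as an added example for this archive page rather than anything the posters supplied: it checks replication and role holders on the surviving DC before the compromised one is powered off, transfers the roles while the old DC is still reachable, and keeps seize as the fallback. It assumes the Windows 2000 Support Tools (repadmin, dcdiag, ntdsutil) are installed on the new DC and that NEWDC01 and OLDDC01 are placeholder host names.

```batch
@echo off
rem Added example, not from the thread. Run on the new (surviving) DC as a
rem Domain Admin BEFORE the compromised DC is powered off. Host names are
rem placeholders; the Windows 2000 Support Tools must be installed.
set NEWDC=NEWDC01
set OLDDC=OLDDC01

rem 1. Confirm inbound replication to the new DC has completed without errors
rem    (the "await replication" step in James's procedure).
repadmin /showreps %NEWDC%

rem 2. Show which DC currently holds each of the five operations master roles.
dcdiag /s:%NEWDC% /test:KnowsOfRoleHolders
dcdiag /s:%NEWDC% /test:FsmoCheck

rem 3. Preferred path while the old DC still answers: TRANSFER the roles.
rem    Transfer is a cooperative handoff, so both DCs stay consistent.
rem    Each transfer pops a confirmation dialog that must be acknowledged.
ntdsutil roles connections "connect to server %NEWDC%" quit ^
  "transfer schema master" "transfer domain naming master" ^
  "transfer RID master" "transfer PDC" "transfer infrastructure master" quit quit

rem 4. Fallback only when the old DC is already off or too untrustworthy to
rem    contact: SEIZE the roles (the situation Laura describes). A seized-from
rem    DC must never come back online as a DC; rebuild it, as the thread plans.
rem ntdsutil roles connections "connect to server %NEWDC%" quit ^
rem   "seize schema master" "seize domain naming master" ^
rem   "seize RID master" "seize PDC" "seize infrastructure master" quit quit

rem 5. Verify the new DC now holds all five roles before powering off %OLDDC%.
dcdiag /s:%NEWDC% /test:KnowsOfRoleHolders
```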
Copyright 2010, SecurityFocus