
Our primary domain controller, a Server 2003 R2 X64 machine, apparently had a virus for about four hours. (Why/how is a different question and witch hunt for later. The virus has been cleaned.) In that time it seems that the computer browser service and Windows firewall service were damaged.

When you try to start either service, you get "Error 1060: The specified service doesn't exist as an installed service". The Server and Workstation services are up and running. No other services appear to have been affected, but I could be wrong.

I have checked the registry settings for the computer browser and they are all correct, including MaintainServerList and IsDomainMaster. I even imported a set of correct registry settings from another machine.

We have a backup domain controller, but it is old and creaky. Our system backups turned out to be rotten back through four months, so restoring the system information would be questionable since the info would be from April.

Any advice on how to fix the broken services would be most appreciated.

Also, my security sense is tingling about just rebuilding the server since it IS the PDC and it WAS compromised, however briefly. My "OMG what a pain in the ass" sense does not want to go through that, though. If I can fix it, should I fix it or go through redoing the server?

MDMarra
user130984
    It's a *Domain Controller*, not a *PDC*. The notion of primary/backup domain controllers went out the window with the introduction of Active Directory in Windows 2k. – EEAA Aug 04 '12 at 21:01
  • I guess there aren't any more NT4 machines on the network, so I stand corrected. – user130984 Aug 04 '12 at 21:29
  • Even if there were, it still wouldn't be a PDC. You'd need to have NT4 DCs to have a PDC, not member servers. – MDMarra Aug 05 '12 at 00:45
  • Nuke it, nuke it from orbit. Promoting a new DC is going to be many times less of a pain in the ass than trying to undo the damage. Like both MDMarra and joeqwerty have said, it's really not that hard. – HopelessN00b Aug 05 '12 at 03:49

2 Answers


There are no PDCs and BDCs anymore. They are peers. You might want to read this Q & A written by yours truly to get a better understanding of how this all works. It will help you in recovering from this problem.

Make sure your second DC holds a copy of the global catalog. Transfer all FSMO roles to it. Demote the infected DC, format the hard drive, reinstall the OS, and promote it back to being a Domain Controller.

MDMarra
  • I figured nuking it from orbit would be the best option. Not looking forward to moving the WSUS, AV and backup servers from there, too. I'll just look at it as a chance to move all those roles to virtual machines a year ahead of schedule. – user130984 Aug 05 '12 at 04:01
  • WSUS doesn't need to be moved, per se. Just do a clean install. It only takes like 5 minutes. – MDMarra Aug 05 '12 at 12:01

As critical as a DC is to AD, it's one of the easiest roles to replace should it fail. As long as AD and DNS are intact and operational on another DC then my suggestion would be to wipe the affected server, remove it from AD using NTDSUTIL, remove it from DNS and reinstall the OS and the AD and DNS roles.

Make sure the remaining DC is also a GC and make sure to transfer all FSMO roles to it beforehand. If you can manage to run DCPROMO on the affected server, DCPROMO will gracefully and cleanly transfer the FSMO roles to the remaining server and will remove the affected server from AD and DNS.

joeqwerty
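Both answers describe the same procedure: confirm the surviving DC is a global catalog, move all five FSMO roles onto it, let replication settle, then demote and wipe the infected machine, with NTDSUTIL metadata cleanup and DNS record removal as the fallback when DCPROMO cannot run. The script below is an added example (mine, not code from either answer or from Microsoft) that wraps the Server 2003-era command-line tools those steps rely on: dsquery, dsmod, netdom, ntdsutil, dcdiag, repadmin and dnscmd. The DC names (DC1, DC2), domain (corp.example.com), site (Default-First-Site-Name) and the assumption that both DCs sit in the same site are placeholders and not from the thread.

```powershell
# Added example, not from the thread. Names below are assumptions; change them for your forest.
$RemainingDC = 'DC2'                      # healthy DC that keeps the domain running
$InfectedDC  = 'DC1'                      # compromised DC that will be demoted and wiped
$Domain      = 'corp.example.com'         # AD DNS domain name
$DomainDN    = 'DC=corp,DC=example,DC=com'
$SiteName    = 'Default-First-Site-Name'  # assumes both DCs live in this site

function Get-ServerDN {
    param([string]$Server)
    # DN of the DC's server object under Sites; ntdsutil and dsmod both want this form.
    return "CN=$Server,CN=Servers,CN=$SiteName,CN=Sites,CN=Configuration,$DomainDN"
}

function Test-GlobalCatalog {
    param([string]$Server)
    # dsquery prints the server DN of every GC in the forest; true if ours is among them.
    $gcs = & dsquery server -forest -isgc
    return [bool]($gcs | Where-Object { $_ -match "CN=$Server,CN=Servers," })
}

function Move-AllFsmoRoles {
    param([string]$Target, [switch]$Seize)
    # ntdsutil takes its menu commands as arguments. "transfer" asks the current holder to
    # hand over gracefully and needs it online; "seize" is the fallback when the holder is
    # dead, and is safe here only because the old holder is rebuilt, never brought back as-is.
    $verb  = if ($Seize) { 'seize' } else { 'transfer' }
    $roles = 'schema master', 'domain naming master', 'pdc', 'rid master', 'infrastructure master'
    $cmds  = @('roles', 'connections', "connect to server $Target", 'quit')
    foreach ($r in $roles) { $cmds += "$verb $r" }   # each one pops a Yes/No confirmation
    $cmds += 'quit', 'quit'
    & ntdsutil $cmds
    & netdom query fsmo                                # all five lines should now name $Target
    & dcdiag /s:$Target /test:KnowsOfRoleHolders /test:FsmoCheck
}

function Sync-Partitions {
    param([string]$Server)
    # Push every partition from $Server to all partners (/A all partitions, /d show DNs,
    # /e cross-site, /P push) so the survivor holds everything before the infected DC goes away.
    & repadmin /syncall $Server /AdeP
    & repadmin /showrepl $Server
}

function Remove-DeadDCMetadata {
    param([string]$Dead, [string]$Via)
    # Only needed if dcpromo could not demote the infected DC cleanly. Server 2003 SP1 and later
    # accept the server DN directly, so the old list-domains / list-sites / select-server dance
    # is unnecessary.
    & ntdsutil 'metadata cleanup' 'connections' "connect to server $Via" 'quit' `
               "remove selected server $(Get-ServerDN $Dead)" 'quit' 'quit'
}

function Remove-DeadDCDnsRecords {
    param([string]$Dead, [string]$Zone, [string]$DnsServer)
    # Host and name-server records the dead DC registered; /f skips the confirmation prompt.
    & dnscmd $DnsServer /RecordDelete $Zone $Dead A /f
    & dnscmd $DnsServer /RecordDelete $Zone '@' NS "$Dead.$Zone." /f
    # Its SRV records under _msdcs are spread over many nodes; list the ones still pointing at
    # it for manual review rather than guessing at record data.
    & dnscmd $DnsServer /EnumRecords "_msdcs.$Zone" '@' /Type SRV /Continue |
        Where-Object { $_ -match "$Dead\.$Zone" }
}

# Phase 1: run from a management host while the infected DC is still reachable.
if (-not (Test-GlobalCatalog $RemainingDC)) {
    & dsmod server (Get-ServerDN $RemainingDC) -isgc yes
    Write-Warning "$RemainingDC was not a GC; wait for it to finish building the catalog, then rerun."
    return
}
& netdom query fsmo                       # record who holds what before touching anything
Move-AllFsmoRoles -Target $RemainingDC    # add -Seize if $InfectedDC is already off the network
Sync-Partitions $RemainingDC

# Phase 2: run dcpromo on $InfectedDC, wipe it, reinstall, promote it again. Only if dcpromo
# could not run, clear the leftovers so the rebuilt DC is not confused with the dead one:
# Remove-DeadDCMetadata -Dead $InfectedDC -Via $RemainingDC
# Remove-DeadDCDnsRecords -Dead $InfectedDC -Zone $Domain -DnsServer $RemainingDC
```

PowerShell is not installed on Server 2003 by default, but every line above is a call to a command-line tool, so each command can equally be typed at cmd.exe on the surviving DC. The script only reshapes the directory topology (GC, FSMO roles, replication, stale metadata and DNS); it does nothing about whatever the compromised machine held while it was infected, which is the part of the original question neither answer addresses.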