
I'm dealing with a domain controller which was recently compromised. There is no valid backup to recover from.

I'm trying to join a new machine to the domain so that I can promote it and take over the FSMO roles, so I can decom the compromised machine; however, I cannot get the new machine to join the domain. The error it's giving is 'The network path could not be found'.

I noticed that the shares on the DC cannot be accessed when using its local IP (192.168.3.251), either on the DC itself or some other machines on the network.

I can see the shares, however, if I browse to 127.0.0.1.

I have tried resetting the NIC with...

  • nbtstat -R
  • nbtstat -RR
  • netsh int reset all
  • netsh int ipv4 reset
  • netsh int ipv6 reset
  • netsh winsock reset

But that hasn't made any difference.

Any suggestions on what I can do to get the shares working again? Thanks in advance :)

John
  • What makes you think you won't replicate anything harmful to your new DC? – Esa Jokinen Nov 11 '18 at 12:15
  • Valid point, but what choice do I have? I've cleaned up all of the rubbish that was on the DC and done several scans and whatnot, so I've minimised the risk as much as possible. Ultimately I need to get the domain back to a working state, ideally without having to fully replace the domain controller and put all the machines on a new domain. – John Nov 11 '18 at 12:22
  • I'm truly sorry for what has happened. Hope you can work this out, but be mentally prepared for building a new domain from scratch. :/ – Esa Jokinen Nov 11 '18 at 12:25
  • I'm prepared for it, just trying to avoid it :) – John Nov 11 '18 at 12:27
  • Looks like your logon service or 'server' service isn't started on the source machine. – bjoster Jan 04 '19 at 15:55
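The symptom in the question (shares reachable on 127.0.0.1 but not on the host's LAN address, and a domain join failing with 'The network path could not be found') usually comes down to a small set of causes on the DC itself: the Server or Netlogon service not running, SMB not bound to the LAN adapter, nothing listening on TCP 445 for that address, the SYSVOL/NETLOGON shares missing, or a firewall rule blocking File and Printer Sharing. The following diagnostic script is an added example, not part of the original question or any comment; it only reads state and changes nothing. It assumes you run it in an elevated PowerShell session on the DC, and the `$LanIp` value is taken from the question and should be adjusted for your own host.

```powershell
# Added diagnostic example (not from the original post). Read-only checks for
# why a DC's SMB shares answer on loopback but not on its LAN address.
# Run elevated on the DC itself. $LanIp is the address quoted in the question
# and is an assumption; replace it with the DC's real LAN address.
$LanIp = '192.168.3.251'

Write-Host "== 1. Services SMB sharing and domain logon depend on =="
foreach ($svc in 'LanmanServer', 'LanmanWorkstation', 'Netlogon', 'DNS', 'NTDS') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if ($null -eq $s) { "{0,-18} not installed" -f $svc; continue }
    # A stopped or Disabled LanmanServer matches the 'server service' remark exactly.
    "{0,-18} {1,-8} start={2}" -f $svc, $s.Status, $s.StartType
}

Write-Host "`n== 2. Is SMB bound to the LAN adapter? =="
# ms_server is the component ID of 'File and Printer Sharing for Microsoft Networks'.
# If it is unbound on the LAN NIC, loopback still works while the LAN IP does not.
Get-NetAdapterBinding -ComponentID ms_server |
    Select-Object Name, DisplayName, Enabled
Get-SmbServerNetworkInterface |
    Select-Object InterfaceIndex, IpAddress, ScopeName

Write-Host "`n== 3. Listeners on TCP 445 =="
# Expect 0.0.0.0 / :: or the LAN address here, owned by PID 4 (System).
Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess

Write-Host "`n== 4. Shares a DC must expose for joins and Group Policy =="
Get-SmbShare | Where-Object Name -In 'SYSVOL', 'NETLOGON' |
    Select-Object Name, Path, ScopeName
Get-SmbServerConfiguration |
    Select-Object EnableSMB1Protocol, EnableSMB2Protocol, RequireSecuritySignature

Write-Host "`n== 5. Reachability: loopback versus LAN address =="
foreach ($target in '127.0.0.1', $LanIp) {
    $r = Test-NetConnection -ComputerName $target -Port 445 -WarningAction SilentlyContinue
    "{0,-16} tcp445={1}" -f $target, $r.TcpTestSucceeded
}

Write-Host "`n== 6. Disabled File and Printer Sharing firewall rules =="
Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -ErrorAction SilentlyContinue |
    Where-Object { $_.Enabled -eq 'False' } |
    Select-Object DisplayName, Direction, Profile

Write-Host "`n== 7. DC health for the Netlogon share and secure channel =="
# dcdiag and nltest are the standard AD DS tools; their output is informational here.
dcdiag /test:NetLogons /test:Services
nltest /dsgetdc:$env:USERDNSDOMAIN
```

Read the sections in order: if section 1 shows LanmanServer or Netlogon stopped, or section 2 shows `ms_server` unbound on the LAN adapter, that alone explains the loopback-only behaviour, and the `netsh`/`nbtstat` resets listed in the question would not touch it. Section 7 is also worth keeping as evidence: on a host known to be compromised, a service deliberately disabled or an SMB binding removed is itself a finding to record before the machine is decommissioned.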

1 Answer


Rebuild the domain, don't try to recover anything from this DC. There is a risk that you'll spread the virus on the new DC and you might have to deal with it for decades in the worst case.

You should take a look at the following answer: How do I deal with a compromised server?

Swisstone