 
From: Thomas Cameron (ThomasC_at_mip.com)
Date: Fri Jan 24 2003 - 09:40:18 CST


    Don't forget to transfer the FSMO roles to the new server! You can shoot
    yourself in the foot if you just power off the old DC without transferring
    the FSMO roles.

    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windows2000serv/reskit/distsys/part1/dsgch07.asp

    Thomas Cameron, RHCE, CNE, MCSE, MCT
    Best Software

    -----Original Message-----
    From: jamesleafgrove.com [mailto:jamesleafgrove.com]
    Sent: Thursday, January 23, 2003 4:08 PM
    To: 'Dan Uscatu'; focus-ms@securityfocus.com
    Subject: RE: w2k server compromised

    Dan

    Regardless of the security implications and reasons of having an apparently
    compromised DC, you can use the following procedure to get your AD databases
    copied:

    Build new W2k server box
    Harden new server
    Use DCPROMO to make it a DC in the current domain/forest
    Await replication to complete, check by directing AD Users and Computers at
    the new server. Check your login scripts and policies have also come across
    by looking in SYSVOL
    DCPROMO old server to remove DC functionality
    Power off old server
    Remove entries in Sites and Services relating to the old server if still there
    Remove old server computer account
    Rebuild old server
    Harden old server
    DCPROMO old server to make it a DC in the current domain/forest
    Await replication to complete, check by directing AD Users and Computers at
    the old server. Check your login scripts and policies have also come across
    by looking in SYSVOL
    DCPROMO new server to remove DC functionality
    Power off new server
    Remove entries in Sites and Services relating to the new server if still there
    Remove new server computer account
    Done

    Good luck, and don't forget to check the rest of your LAN for pesky malware.
    Of course, if the compromise is AD aware you may not be able to get rid of it
    this way, but that is pretty unlikely. Anyone else comment??

    Cheers

    JamesD

    -----Original Message-----
    From: Dan Uscatu [mailto:duscatulunatech.ro]
    Sent: 23 January 2003 08:17
    To: focus-ms@securityfocus.com
    Subject: w2k server compromised

    hey all

    I just found one of the w2k servers to be infected and acting very
    strangely. Unfortunately it is a domain controller and it has all the
    users/computers lists.

    How can I export these before reinstall in order to keep the exact same
    configuration (everything except passwords of course)? I suppose this could
    be useful to be done on a regular basis too...

    TIA

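The FSMO check Thomas warns about, as an added example that is not part of the thread: a script that lists which DC holds each of the five operations master roles, flags any still held by the DC being retired, and transfers them to the replacement before the old box is demoted and powered off. It uses the ActiveDirectory PowerShell module (which postdates the 2003 thread; the era's equivalent was ntdsutil and the AD snap-ins) and assumes Domain Admin rights; the server names are placeholders.

```powershell
# Added example, not code from the thread. Assumes the ActiveDirectory module (RSAT)
# and Domain Admin rights. Server names below are placeholders.
Import-Module ActiveDirectory

$OldDc = 'OLD-DC'   # placeholder: the compromised DC about to be demoted and powered off
$NewDc = 'NEW-DC'   # placeholder: the freshly built, hardened replacement DC

# Collect the current holder of every role: three domain-wide, two forest-wide.
$domain = Get-ADDomain
$forest = Get-ADForest
$roles = [ordered]@{
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
}
$roles.GetEnumerator() | ForEach-Object { '{0,-22} {1}' -f $_.Key, $_.Value }

# Holders are reported as FQDNs; compare on the host label only.
$stillOnOld = $roles.GetEnumerator() |
    Where-Object { ($_.Value -split '\.')[0] -ieq $OldDc } |
    ForEach-Object { $_.Key }

if (-not $stillOnOld) {
    Write-Output "No FSMO role is held by $OldDc; it can be demoted."
    return
}
Write-Warning "$OldDc still holds: $($stillOnOld -join ', ')"

# Transfer (not seize) while the old DC is still online. -Force seizes the role and
# is only for a DC that is gone for good; it leaves a stale holder behind on the old box.
Move-ADDirectoryServerOperationMasterRole -Identity $NewDc `
    -OperationMasterRole $stillOnOld -Confirm:$false

# Re-read the holders, then confirm the new DC replicates cleanly before powering off the old one.
(Get-ADDomain) | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster
(Get-ADForest) | Select-Object SchemaMaster, DomainNamingMaster
repadmin /showrepl $NewDc
```

A DC that still holds roles after it is switched off leaves the domain unable to issue new RIDs or change the schema until the roles are seized, which is the foot-shooting the reply refers to.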