Months ago, our Exchange server was hacked and every file that wasn't open and locked was deleted from the server. I was able to recover the server by rebuilding the operating system, restoring the Exchange data, and repairing server references in AD. We also upgraded our router's IDS and other protection to minimize any chance of this happening again. Apparently at that time, the Policies directory in SYSVOL was deleted and that deletion was replicated to our only other server. As we don't currently use any special policies, this has gone unnoticed for about 6 months. The problem I'm seeing now is that all workstations are complaining that group policy execution has failed dozens of times a day. Other than the large number of errors in the logs, no problems are being experienced. I would like to fix this for two reasons: 1) troubleshooting will be easier if I don't have to wade through hundreds of additional error messages, and 2) I would like to implement a couple of simple policies. Because of the time it took to notice this, no backup contains a copy of the Policies directory. It looks like I can run the dcgpofix tool to repair this, but I noticed reports of problems with Exchange when running this tool. I have several questions:

1) What is the easiest way to restore/rebuild this directory, keeping in mind that we don't currently have any specialized policies and we are running an Exchange server in this domain?
2) What effect will running dcgpofix have on my Exchange server operation if I run it?
3) Are there any post-checks I should perform after running dcgpofix?
4) Given that I have our original server for this domain, which is a Windows 2000 server and has been sitting in a closet for about 5 years, can I just copy the policies from that old server into the \\domain\sysvol\domain directory? (That is, if it will even boot.)
-- Best Wishes,
Jeffery Smith
Hello Jeffery,
Please describe your complete domain setup: how many servers and what roles/applications they run.
If your Exchange is a domain controller and was the only DC in the domain, you have to use a backup from before the hack and will lose all data/mail from that date on. Or extract all mailboxes to .pst files and restore them later on.
If a server was hacked that way, you should secure your network and start from scratch.
If the Exchange was also a DC, you have lost more or less the complete AD, or not? So another DC has replicated that.
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups **
HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
Jeffery,
Jeffery Smith wrote:
> 1) What is the easiest way to restore/rebuild this directory keeping in mind
> that we don't currently have any specialized policies and we are running an
> Exchange server in this domain.

You mean the SYSVOL with "directory"? There is another server around, you mentioned. Is the directory still there? Is replication between the two servers working? (Has it worked for the last six months?)
> 2) What effect will running dcgpofix have on my Exchange server operation if
> I run it?

The security settings will be reset, so that you'll have to run domainprep from your Exchange CD again. There are KB articles around on this, most of them directly related to dcgpofix.
> 3) Are there any post-checks I should perform after running dcgpofix?

I'm not sure whether dcgpofix will resolve your SYSVOL problem. If SYSVOL still exists on the other DC, I'd guess that replication is broken and you should resolve those problems first (if possible).
> 4) Given that I have our original server for this domain that is a Windows
> 2000 server and has been sitting in a closet for about 5 years, can I just
> copy the policies from that old server into the \\domain\sysvol\domain
> directory? (That is, if it will even boot.)

You have that server sitting in the closet without replication occurring for five years? That's equivalent to having it die, as you can't connect it to the domain any more. The tombstone lifetime is over.
cheers,
Florian
--
Microsoft MVP - Group Policy
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Maillist (german): http://frickelsoft.net/cms/index.php?page=mailingliste
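Added example for the post-check question above; this is not code from the thread or from either poster. Whatever route is taken (dcgpofix, which recreates the Default Domain Policy and Default Domain Controllers Policy in both AD and SYSVOL, or rebuilding the folder by hand), the thing to verify afterwards is that every groupPolicyContainer object AD knows about has its SYSVOL folder, with a gpt.ini, on every DC, since a GPO that exists in AD but not in SYSVOL is exactly what produces the workstation errors described. The script assumes it runs as a domain user who can read SYSVOL on each DC; it uses only .NET DirectoryServices (no RSAT or GroupPolicy module), and the DC list is discovered from the SERVER_TRUST_ACCOUNT flag, or can be passed explicitly.

```powershell
# Added example, not from the thread. Compare the GPO objects AD holds
# (CN=Policies,CN=System) with the SYSVOL\<domain>\Policies folders on every DC.
# Assumes: run as a domain user that can read SYSVOL on each DC.

# GUIDs of the two GPOs that dcgpofix recreates (well-known, fixed values).
$DefaultGpoGuids = @{
    '{31B2F340-016D-11D2-945F-00C04FB984F9}' = 'Default Domain Policy'
    '{6AC1786C-016F-11D2-945F-00C04FB984F9}' = 'Default Domain Controllers Policy'
}

function Get-DomainControllerNames {
    # Computer accounts with SERVER_TRUST_ACCOUNT (0x2000 = 8192) set are DCs.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$($rootDse.defaultNamingContext)"
    $searcher.Filter = '(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))'
    $null = $searcher.PropertiesToLoad.Add('dnsHostName')
    $searcher.FindAll() | ForEach-Object { [string]$_.Properties['dnshostname'][0] }
}

function Get-GpoContainers {
    # Every groupPolicyContainer; gPCFileSysPath is the SYSVOL folder AD expects.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=Policies,CN=System,$($rootDse.defaultNamingContext)"
    $searcher.Filter = '(objectClass=groupPolicyContainer)'
    $null = $searcher.PropertiesToLoad.AddRange([string[]]@('cn', 'displayName', 'gPCFileSysPath'))
    $searcher.FindAll() | ForEach-Object {
        New-Object PSObject -Property @{
            Guid        = [string]$_.Properties['cn'][0]
            DisplayName = [string]$_.Properties['displayname'][0]
            SysvolPath  = [string]$_.Properties['gpcfilesyspath'][0]
        }
    }
}

function Test-GpoSysvolConsistency {
    param([string[]]$DomainController = (Get-DomainControllerNames))

    $gpos = @(Get-GpoContainers)

    # 1) Are the two default GPOs present in AD at all? If not, dcgpofix is the tool.
    foreach ($guid in $DefaultGpoGuids.Keys) {
        if (-not ($gpos | Where-Object { $_.Guid -eq $guid })) {
            Write-Warning ("{0} {1} is missing from AD" -f $DefaultGpoGuids[$guid], $guid)
        }
    }

    # 2) For every GPO, does its folder (and gpt.ini) exist on every DC?
    #    gPCFileSysPath names the domain (\\domain.fqdn\sysvol\...); rewrite the
    #    host part so each DC's own SYSVOL share is checked, not the DFS-style alias.
    foreach ($gpo in $gpos) {
        foreach ($dc in $DomainController) {
            $dcPath = $gpo.SysvolPath -replace '^\\\\[^\\]+', "\\$dc"
            New-Object PSObject -Property @{
                Guid        = $gpo.Guid
                DisplayName = $gpo.DisplayName
                DC          = $dc
                FolderOK    = Test-Path -LiteralPath $dcPath
                GptIniOK    = Test-Path -LiteralPath (Join-Path $dcPath 'gpt.ini')
            }
        }
    }
}

Test-GpoSysvolConsistency | Format-Table Guid, DisplayName, DC, FolderOK, GptIniOK -AutoSize
```

Run it from any domain-joined machine with PowerShell; the DCs themselves do not need it installed. Any row with FolderOK or GptIniOK set to False is a GPO that will keep producing client-side errors until its folder is recreated on that DC, and a row that is True on one DC but False on the other points at SYSVOL replication rather than at the GPO itself.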
> Please describe your complete domain setup how many servers and what
> roles/applications they run.
We have two servers, both are domain controllers, one is an exchange server, the second is a file/print/dhcp/dns/etc server.
> If your exchange is domain controller and was the only DC in the domain,
> you have to use a backup before the hack and will loose all data/mail from
> that date on. Or extract all mailboxes to .pst files and restore them later
> on.

Our Exchange server was not the only DC, and everything seems to be running fine except for the missing Policies directory. I just don't know how to put that directory back. Since it's been so long before I noticed it, our backups have been overwritten and I don't have another copy of the Policies directory. On the good side, we were not using any policies. As a note, both servers are missing the Policies directory. I assume that when the Exchange server got hacked, the removal of the directory was replicated. I don't know any other reason why it would have disappeared from both servers.
> If a server was hacked that way, you should secure your network and start
> from scratch.
Done and done.
> If the Exchange was also DC you have lost more or less the complete AD or
> not? So another DC has replicated that.
Yes, we replicated the AD from our second server after I rebuilt the exchange server. Again, everything appears to be okay except for the missing policies directory. I just don't know how best to fix this without a backup of the directory.
>> 1) What is the easiest way to restore/rebuild this directory keeping in mind
>> that we don't currently have any specialized policies and we are running an
>> Exchange server in this domain.
>
> You mean the SYSVOL with "directory"? There is an other server around
> you mentioned. Is the directory still there? Is replication between the
> two servers working? (Has it worked the last six months?)

The Policies directory is missing from both servers. I'm assuming that when it was whacked on one, it replicated the removal to all. I don't know why else it would be gone. I see some errors in the File Replication Service log, but nothing of late. I'd expect lots of errors with this missing directory, but I guess the system isn't overly concerned.
>> 2) What affect will running dcgpofix have on my exchange server operation if
>> I run it?
>
> The security settings will be resetted so that you'll have to run
> domainprep from your Exchange CD again. There are KB articles around on
> this - most of them directly related to the dcgpofix.
Do you think this would be the best way to correct this missing Policies directory, or is there another method?
>> 3) Are there any post checks I should perform after running dcgpofix?
>
> I'm not sure whether dcgpofix will resolve your SYSVOL problem. If
> SYSVOL is still existing on the other DC, I'd guess that replication is
> broken and you should resolve those problems first (if possible).
Nope, no Policies directory under SYSVOL on the other server either, and hardly any errors in the replication logs.
>> 4) Given that I have our original server for this domain that is a Windows
>> 2000 server and has been sitting in a closet for about 5 years, can I just
>> copy the policies from that old server into the \\domain\sysvol\domain
>> directory? (That is if it will even boot.)
>
> You have that server sitting in the closet without replication occuring
> for five years? That equivalent to having it die as you can't connect it
> to the domain any more. the tombstone life time is over.
It was demoted and removed 5 years ago. I'm just assuming that the \\domain\sysvol\domain\policies directory still exists there. I don't even know if it will turn back on. I'm just clutching at straws. We also have full server backups on DLT tape, but our DLT drive died about 3 months ago, and I can't justify spending $1,200 to replace it for this issue, which is having very little impact on us currently.
Thanks,
Jeff
I might be making this question too complex. The question I need answered is:
I have a two-server domain with the \\domain\sysvol\domain\policies directory missing from both servers. What is the best way to restore it if I don't have a backup of this directory?
Thanks,
Jeff