DC infected by Virus or what

jojopramos Member Posts: 415
Hi, we have a problem on our infrastructure. Since Friday, our DC (5DC) has been problematic (authentication problem). We found the problem because, when we are remotely accessing the Exchange Server, the system cannot log you on due to the following error: Access is Denied.

On our DC, we can log on to our domain account, but through Exchange the said error has occurred when logging in through Terminal Services. We already reformatted the DC and restored the system state data, but the error has recurred twice (every night). I need help on this...

If you happen to encounter this issue...PLEASEEEEE

Comments

  • Sie Member Posts: 1,195
    Are you logging onto the DC remotely or locally?

    Could be TS/Remote permissions on the Exchange box; have these been checked?

    Make sure Remote Access is configured on the Server Properties and within TS.

    Also do you use Remote Access Policies within the Domain?
  • Technowiz Member Posts: 211
    If you can log on locally to the Exchange server with the same account credentials, you probably have a TS permissions issue. If you can't, then something else may be going on. How many DCs do you have?
  • jojopramos Member Posts: 415
    Hi, we have 12 DCs in 2 server farms (4 for every domain), plus 60-plus servers worldwide. We are also using RDP to remotely access the servers. After 2 days of checking what hit our DCs, we found out that the Troj_Bancos virus affected the Default Domain Controller Policy. We contacted Microsoft and asked them how to protect the DCs from being infected again, and they gave us some security configuration, and it works. But that is after reformatting all of our 4 child domains, infected by the virus twice. Until now we are pointing every Exchange server at the new server as the secondary DNS server and changing the FQDN in the name servers in DNS. We are also changing replication partners in WINS. All of this because we cannot give the DC the same name even after we use metadata cleanup. This affected our information store also, as the mailbox store has been dismounted. We have 6 Exchange servers (back end) in our site plus 1 in every affiliated country, which comes to 40-plus. We also instructed some sites to reformat their DCs which had been infected by the virus, as per Microsoft's instruction. Too much workload now, but I hope this will not happen again....
  • Technowiz Member Posts: 211
    That sounds like a real nightmare.
  • doom969 Member Posts: 304
    Wow. Looks like a heavy problem.
  • hetty Member Posts: 394
    Was there no anti-virus on the servers?
  • wedge1988 Member Posts: 434
    Use NOD32. It's the best by far!
  • jojopramos Member Posts: 415
    Opppsss... hi hetty, by the way... before commenting on not using anti-virus: in a big infrastructure like our organization (an international org), it is a no-brainer that we would purchase/install an anti-virus. By the way, our anti-virus is Trend Micro (now we are considering changing our anti-virus because of this), using ServerProtect for servers and OfficeScan for workstations. Every laptop used offsite has had Internet Security 2008 installed. I can tell you that this is really a busy week for us; as our boss always tells us, when it rains, it pours..... Up to now we are in close contact with Microsoft engineers because we need to identify every loophole we have missed, plus identify the damage caused by this attack. It slowed down message flow for some of our sites (about 30 sites) because of replication and rediscovery of our new Global Catalog (though they have their own DCs with a Global Catalog also), and remapping all DNS, WINS replication partners, and RADIUS (IAS) for VPN clients, which was installed on our domain controller. We are now considering transferring other services to member servers. BTW, things are going great now and we will just have to monitor and troubleshoot some affected servers. The good thing about this problem is that we have now learned our lesson and will be incorporating change management, stricter security procedures and auditing.
  • slinuxuzer Member Posts: 665
    No one has mentioned it, and hopefully you're already doing it, but a huge step you can take to protect your systems is to make sure that you have ALL the current security updates. The next thing you can look at is making sure your OfficeScan has the newest patterns; we use OfficeScan and I don't care for it at all.

    Next, you should take RRAS off your DCs. They should be running fully patched, with the newest anti-virus, and serving nothing other than Active Directory, DNS, WINS and DHCP; that's it.

    If you can't log in to a particular machine, you need to run the RSoP (Resultant Set of Policy) snap-in against the troubled server and see what policies are affecting it and from what level; maybe even try gpupdate /force first on this server to make sure its policies are up to date.
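
One way to act on that policy-review advice, and on the earlier report that the trojan had modified the Default Domain Controllers Policy, is the following PowerShell script. It is an added example and not something posted in this thread; it assumes the GroupPolicy RSAT module (Get-GPO, Get-GPOReport) and a domain-joined admin session, and the `$baseline` table of expected SIDs is a constructed placeholder for your own forest, not a Microsoft default list. It pulls the GPO's XML report and compares the Terminal Services and network logon user rights, the settings a denied TS logon most often hinges on, against that baseline so drift stands out without reading the whole report.

```powershell
# Added example: audit the logon-related user rights that the Default Domain
# Controllers Policy pushes to every DC and flag anything that differs from a baseline.
# Assumes the GroupPolicy RSAT module and a domain-joined admin session.
Import-Module GroupPolicy

$gpoName = 'Default Domain Controllers Policy'
$rightsToCheck = @(
    'SeRemoteInteractiveLogonRight',      # Allow log on through Terminal Services
    'SeDenyRemoteInteractiveLogonRight',  # Deny log on through Terminal Services
    'SeNetworkLogonRight',                # Access this computer from the network
    'SeDenyNetworkLogonRight'             # Deny access to this computer from the network
)
# Constructed baseline (hypothetical forest): the SIDs each right is expected to hold.
$baseline = @{
    'SeRemoteInteractiveLogonRight'     = @('S-1-5-32-544')                           # Administrators
    'SeDenyRemoteInteractiveLogonRight' = @()
    'SeNetworkLogonRight'               = @('S-1-1-0', 'S-1-5-32-544', 'S-1-5-11', 'S-1-5-9')
    'SeDenyNetworkLogonRight'           = @()
}

$gpo = Get-GPO -Name $gpoName
# Version and timestamp are the quickest tell that the policy changed since the last check.
"{0}  AD version {1}  last modified {2}" -f $gpo.DisplayName, $gpo.Computer.DSVersion, $gpo.ModificationTime

# Pull the policy as XML; PowerShell's XML adapter drops the namespace prefixes on property access.
[xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
$ura = $report.GPO.Computer.ExtensionData.Extension.UserRightsAssignment

foreach ($right in $rightsToCheck) {
    $entry   = $ura | Where-Object { $_.Name -eq $right }
    $members = @($entry.Member | Where-Object { $_ })       # empty array when the right is unset
    $actual  = @($members | ForEach-Object { $_.SID })
    $missing = $baseline[$right] | Where-Object { $_ -notin $actual }
    $extra   = $actual | Where-Object { $_ -notin $baseline[$right] }
    $status  = if ($missing -or $extra) { 'DRIFT' } else { 'ok' }
    "{0,-5} {1}" -f $status, $right
    foreach ($m in $members) { "        {0} ({1})" -f $m.Name, $m.SID }
    if ($extra)   { "        unexpected SIDs: $($extra -join ', ')" }
    if ($missing) { "        missing SIDs:    $($missing -join ', ')" }
}
```

Running it on a schedule and keeping the output alongside the GPO version gives a cheap change record for the policy the thread says was tampered with; an unexpected SID under a Deny right, or a missing Administrators entry under the allow right, is the pattern to look for.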