Try to sync from the non-infected DC with the infected DCs (as being the inbound replication partners for the non-infected DC), transfer the FSMO roles from the infected DCs to the non-infected DC. From now you can do it in two ways:

* Clean the infected DCs (offline) by installing antivirus software with the latest virus definition files

OR

* Kill the DCs, clean up metadata for those DCs and rebuild them and finally transfer the FSMO roles back accordingly.

Before killing the DCs you could install an additional (safety) DC so that after you remove/kill the infected DCs your forest root domain still has 2 DCs.

Reason: If you only have one DC for your root domain and that one also dies, then your forest is dead and needs to be rebuilt unless you have good backups for your forest root DCs.
In my opinion each Windows machine connected to the network (and I don't care what role or function it has!) should (MUST) have the latest virusscan engine and definitions and each Windows machine should be patched to the latest possible security patches! Two measures that will mitigate the risk of security problems and virus attacks (locally or remotely) on Windows machines connected to the network.

Cheers
Jorge

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Devan Pala
Sent: Tuesday, March 29, 2005 19:51
To: [email protected]
Subject: [ActiveDir] AD/ Virus outbreak

Hi,

I have 3 DCs in a protected root domain and 2 child domains. Unfortunately the 3 root DCs were not running a virus client, totally missed....anyway. Looks like it is using known Windows exploitability to drop files and what not. 2 of the 3 seem to be infected. (ones with the Schema Master & DNM and PDCE)

If I have to rebuild can I at least for the interim transfer the above roles on the 3rd DC (with the RIDM and IM)? GC is on 1 & 2 as well.

Thanks,

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
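The role inventory, replication check and interim transfer discussed in this thread, sketched with the ActiveDirectory PowerShell module. This is an added example, not part of the original messages; the module postdates this 2005 thread, and the DC names ROOTDC1, ROOTDC2 and ROOTDC3 are hypothetical.

```powershell
Import-Module ActiveDirectory

# Hypothetical names: substitute the real root-domain DCs.
$InfectedDCs = @('ROOTDC1', 'ROOTDC2')
$HealthyDC   = 'ROOTDC3'

$forest = Get-ADForest
$domain = Get-ADDomain -Identity $forest.RootDomain

# Current holder (FQDN) of each of the five FSMO roles for the forest root.
$holders = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
$holders.GetEnumerator() | Format-Table Name, Value -AutoSize

# Roles that sit on an infected DC and therefore need to move.
$toMove = @($holders.GetEnumerator() |
    Where-Object { $InfectedDCs -contains ($_.Value -split '\.')[0] } |
    ForEach-Object { $_.Key })

# Inbound replication state on the healthy DC: a non-zero LastReplicationResult
# means it has not pulled the latest changes from that partner.
Get-ADReplicationPartnerMetadata -Target $HealthyDC |
    Select-Object Partner, LastReplicationSuccess, LastReplicationResult

# The thread notes the GC is on DCs 1 and 2; check whether the target holds one.
$target = Get-ADDomainController -Identity $HealthyDC
"{0} IsGlobalCatalog = {1}" -f $target.HostName, $target.IsGlobalCatalog

if ($toMove.Count -gt 0) {
    # Graceful transfer; -WhatIf only reports what would happen.
    Move-ADDirectoryServerOperationMasterRole -Identity $HealthyDC `
        -OperationMasterRole $toMove -WhatIf
} else {
    'No FSMO roles are held by the listed DCs.'
}
```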
