So this happened on the DC itself? My first thought, in a normal DC
configuration and practice, is that if the person with the infected PC was
able to write over the network to that DC, they would be able to write to any
of them.

I think the only other way for this to happen would be if a user logged on
to the DC interactively somehow launched the malware on the DC itself. It
seems in most cases that would mean going to a malicious site from the DC.

If the other DCs are unaffected, I think your best bet would be to try to
transfer the PDC role and any others that it might hold to a different DC,
do the metadata cleanup, then build an entirely new DC with a new name. If
you can't transfer the FSMO role(s), then you can seize them on a different
DC using ntdsutil.

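The role transfer described in that reply, as an added PowerShell example (not part of the thread and not the poster's own script): it lists which FSMO roles the affected DC still holds, attempts a clean transfer to a surviving DC, and falls back to seizing them only if the transfer fails. The DC names DC-INFECTED and DC02 are placeholders.

```powershell
# Added example, not from the thread. Run this on a healthy DC, never on the
# affected one. Placeholder names: DC-INFECTED (affected PDC), DC02 (healthy DC).
Import-Module ActiveDirectory

$badDc    = 'DC-INFECTED'
$targetDc = 'DC02'

# Domain-level roles are reported by Get-ADDomain, forest-level roles by Get-ADForest.
$domain = Get-ADDomain
$forest = Get-ADForest
$holders = @{
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
}

# Keep only the roles whose current holder (reported as an FQDN) is the affected DC.
$rolesToMove = $holders.GetEnumerator() |
    Where-Object { ($_.Value -split '\.')[0] -eq $badDc } |
    ForEach-Object { $_.Key }

if (-not $rolesToMove) {
    Write-Host "$badDc holds no FSMO roles; go straight to metadata cleanup."
    return
}
Write-Host "Roles held by ${badDc}: $($rolesToMove -join ', ')"

try {
    # Graceful transfer: requires the affected DC to still be reachable and replicating.
    Move-ADDirectoryServerOperationMasterRole -Identity $targetDc `
        -OperationMasterRole $rolesToMove -Confirm:$false -ErrorAction Stop
    Write-Host "Transferred $($rolesToMove -join ', ') to $targetDc."
}
catch {
    # -Force seizes the roles. Only do this when the old holder is offline or unrecoverable,
    # and never put that DC back on the network afterwards without rebuilding it.
    Write-Warning "Transfer failed ($($_.Exception.Message)); seizing roles instead."
    Move-ADDirectoryServerOperationMasterRole -Identity $targetDc `
        -OperationMasterRole $rolesToMove -Force -Confirm:$false
}

# Verify the new holders before doing metadata cleanup and rebuilding the old DC.
Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster
```

After the roles are confirmed on DC02, the old DC's leftover objects are removed with the ntdsutil "metadata cleanup" menu (or by deleting its NTDS Settings object in AD Sites and Services on Server 2008 R2 and later), and repadmin /showrepl on the surviving DCs should show clean replication before the replacement DC is promoted.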
*From:* [email protected] [mailto:[email protected]] *On Behalf Of* D R
*Sent:* Friday, June 12, 2015 2:26 PM
*To:* ntsysadm
*Subject:* [NTSysADM] OT(perhaps) But need direction

I am currently onsite working with the IT Admin about a new online
ticketing system.

Around 12:45pm, I was logged in to the Primary DC via a remote desktop
connection from a company provided laptop, wasn't doing a thing
(seriously, I didn't have anything open; I had just logged into the server),
and I saw a window pop up that looked like a CMD/DOS window. In the title
of that window, in capital letters, it read CRYPTOWALL HAS TAKEN OVER, and
then File Manager screens started popping up and the server slowed to a
crawl.

I have dealt with this Cryptowall virus before, and the only resolution was
to reinstall Windows Server and restore from backup.

Is this still the 'fix' for this issue? Or is there something else that can
be done?

Not in the position to try anything. Just need to know where to go from
here so we can help them with this issue.

-- 

Daniel Rodriguez
[email protected]