I’m dealing with a domain controller which was recently compromised.
There is no valid backup to recover from. I’m trying to join a new machine to the domain so that I can promote it and take over the FSMO roles, so I can decom the compromised machine. However, I cannot get the new machine to join the domain. The error it’s giving is ‘The network path could not be found’.
I noticed that the shares on the DC cannot be accessed when using its local IP (192.168.3.251), either on the DC itself or some other machines on the network.
I can see the shares, however, if I browse to 127.0.0.1.
I have tried resetting the NIC with…
- nbtstat -R
- nbtstat -RR
- netsh int reset all
- netsh int ipv4 reset
- netsh int ipv6 reset
- netsh winsock reset
But that hasn’t made any difference.
Any suggestions on what I can do to get the shares working again?
Thanks in advance 🙂
Answer
Rebuild the domain, don’t try to recover anything from this DC. There is a risk that you’ll spread the virus on the new DC and you might have to deal with it for decades in the worst case.
You should take a look at the following answer: How do I deal with a compromised server?
Attribution
Source : Link , Question Author : John , Answer Author : Swisstone