Our primary domain controller, a Server 2003 R2 X64 machine, apparently had a virus for about four hours. (Why/how is a different question and witch hunt for later. The virus has been cleaned.) In that time it seems that the computer browser service and Windows firewall service were damaged.

When you try to start either service, you get "Error 1060: The specified service doesn't exist as an installed service". The Server and Workstation services are up and running. No other services appear to have been affected, but I could be wrong.

I have checked the registry settings for the computer browser and they are all correct, including MaintainServerList and IsDomainMaster. I even imported a set of correct registry settings from another machine.

We have a backup domain controller, but it is old and creaky. Our system backups turned out to be rotten back through four months, so restoring the system information would be questionable since the info would be from April.

Any advice on how to fix the broken services would be most appreciated.

Also, my security sense is tingling about just rebuilding the server since it IS the PDC and it WAS compromised, however briefly. My "OMG what a pain in the ass" sense does not want to go through that, though. If I can fix it, should I fix it or go through redoing the server?

MDMarra

2 Answers

There are no PDCs and BDCs anymore. They are peers. You might want to read this Q & A written by yours truly to get a better understanding of how this all works. It will help you in recovering from this problem.

Make sure your second DC holds a copy of the global catalog. Transfer all FSMO roles to it. Demote the infected DC, format the hard drive, reinstall the OS, and promote it back to being a Domain Controller.

MDMarra
As critical as a DC is to AD, it's one of the easiest roles to replace should it fail. As long as AD and DNS are intact and operational on another DC then my suggestion would be to wipe the affected server, remove it from AD using NTDSUTIL, remove it from DNS and reinstall the OS and the AD and DNS roles.

Make sure the remaining DC is also a GC and make sure to transfer all FSMO roles to it beforehand. If you can manage to run DCPROMO on the affected server, DCPROMO will gracefully and cleanly transfer the FSMO roles to the remaining server and will remove the affected server from AD and DNS.

joeqwerty
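The recovery sequence both answers describe (confirm the surviving DC is a Global Catalog, transfer the five FSMO roles, demote or clean up the compromised DC, fix DNS, verify) as an added worked example. This is not code from either answerer; it wraps the era-appropriate command-line tools (repadmin, ntdsutil, netdom, dnscmd, dcdiag, which on Server 2003 come from the Support Tools rather than the base install) in PowerShell only for flow control, so it runs on PowerShell 2.0 or later. The names DC1 (infected), DC2 (survivor), example.com, and Default-First-Site-Name are assumptions; replace them with your own. Run it on the survivor as a member of Domain Admins and Enterprise Admins (the schema and domain naming master transfers need the latter).

```powershell
# Added example, not part of the original answers. Assumed names:
$Infected = 'DC1'                     # the compromised DC being replaced
$Survivor = 'DC2'                     # the DC that will take everything over
$DomainDN = 'DC=example,DC=com'
$Site     = 'Default-First-Site-Name'
$ZoneName = 'example.com'

# 1. The survivor must be a Global Catalog before the infected DC goes away.
#    "repadmin /options <dc>" lists IS_GC among the DC options when it holds the GC.
$opts = (& repadmin /options $Survivor) -join ' '
if ($opts -notmatch 'IS_GC') {
    & repadmin /options $Survivor +IS_GC
    # Wait for Directory Service event 1119 ("now advertising itself as a GC")
    # on the survivor before continuing; demoting DC1 earlier leaves no GC.
    Write-Warning "Enabled GC on $Survivor; wait for event 1119 before demoting $Infected."
}

# 2. TRANSFER (not seize) all five roles while DC1 is still reachable.
#    A transfer updates both DCs; "seize" is only for a holder that is gone for good,
#    and a seized-from DC must never be brought back online.
#    ntdsutil takes its menu commands as quoted arguments; each transfer pops a Yes/No
#    confirmation dialog that has to be acknowledged.
$ntdsArgs = @('roles', 'connections', "connect to server $Survivor", 'quit') +
            @('transfer schema master',
              'transfer domain naming master',
              'transfer RID master',
              'transfer PDC',
              'transfer infrastructure master') +
            @('quit', 'quit')
& ntdsutil @ntdsArgs

# 3. Refuse to go further if any role still reports the infected DC.
$holders = (& netdom query fsmo) -join ' '
if ($holders -match $Infected) {
    throw "A FSMO role still points at $Infected; fix that before demoting it."
}

# 4. Preferred path: run dcpromo on DC1 itself, which removes it from AD and DNS cleanly.
#    If DC1 can no longer be demoted (wiped, or too damaged), strip its leftover
#    NTDS metadata from the survivor instead. "remove selected server" with the full
#    DN works without first selecting a site/domain.
$serverDN = "CN=$Infected,CN=Servers,CN=$Site,CN=Sites,CN=Configuration,$DomainDN"
& ntdsutil 'metadata cleanup' 'connections' "connect to server $Survivor" 'quit' `
           "remove selected server $serverDN" 'quit' 'quit'

# 5. DNS: delete the dead DC's host record. Its SRV records under _msdcs, _sites,
#    _tcp and _udp must be removed too (dcpromo does this; a wipe does not) so that
#    clients and the new DC never get pointed at the old name/IP.
& dnscmd $Survivor /RecordDelete $ZoneName $Infected A /f

# 6. Verify before rebuilding and re-promoting DC1: every role on the survivor,
#    DNS registration healthy, and no replication partner named DC1 left behind.
& dcdiag /s:$Survivor /test:FsmoCheck /test:DNS
& repadmin /showrepl $Survivor
```

Do the transfer in step 2 while DC1 is still up rather than after wiping it: a transfer is reversible and leaves both DCs agreeing on the role holder, whereas a seize leaves a stale holder in DC1's own database, which is exactly why a seized-from DC must never be reconnected. Only reinstall and dcpromo DC1 back into the domain once step 6 shows the survivor holding every role and no reference to the old DC1 object.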