Windows: 2012 Server: Restoration of server from ransomware brute force attack – Real time experience

First of all, it’s a lengthy article, but an interesting one.

It’s all about restoring your Windows server from ransomware attacks; we worked 14 straight hours to restore the server from a ransomware attack.
How was the server configured?

Installed with Windows Server 2012
Hosted AD, DNS and File Server
ESET Remote Administrator and Antivirus were installed
Remote Desktop to the server was enabled through NAT using a public IP
hMailServer was installed as the mail server
Shadow copies were enabled on important data drives
Automated full backups were scheduled to run every six hours (as we have little data and a large amount of space)
Some third-party ERP solutions were also installed

What happened to the server?

The server was infected by ransomware named “!!! READ THIS - IMPORTANT !!!.hta”; whichever folder you open, you will see a copy of this file.
It encrypted all data on the server, including our full backup files
ESET was uninstalled when we noticed the server was infected
All the files were renamed with…

Windows : Dump Analysis using WinDbg Tool

Hey folks, I'm back with another interesting topic from our regular work lives as Windows administrators: dump analysis using the WinDbg tool. I found it very difficult when I was first assigned this task, but by now I do dump analysis very comfortably; experience really matters, guys!
Dump Analysis in Windows:
First of all, there are three types of dumps that can be configured in Windows:

Complete memory dump - A complete memory dump records all the contents of system memory when your computer stops unexpectedly.

Kernel memory dump - A kernel memory dump records only the kernel memory. This speeds up the process of recording information in a log when your computer stops unexpectedly.

Small memory dump - A small memory dump records the smallest set of useful information that may help identify why your computer stopped unexpectedly.

Secondly, you can configure Windows to generate only one kind of dump file when an unexpected shutdown occurs; to configure it you need to open Advanc…

Windows and VMware : System Admin Responsibilities

Hey folks…

It’s been a very long time since my last post; apologies for not being in touch with our community for the last few days, and I will try to keep this blog updated as much as I can. I have been receiving so many emails about Windows Admin responsibilities, so I thought of publishing real-world information which can be useful for most of us.

I have gained 10+ years of experience in this industry by working in various roles to date. I am going to extract the useful information out of this experience and make it a readable resource.

Instead of listing the usual responsibilities from job portals, I will list my responsibilities at various companies, which makes this post more useful and realistic.

I am not saying that these responsibilities are the same for everyone; they change depending on the role accepted at the time, so don't consider these as benchmarks.
Here are my responsibilities so far.
Company 1 (Entry level)

Windows desktop management and administr…

Windows : 10 things to know and practice to improve confidence

My main intention with this post is to prepare those who will be attending job interviews soon, especially as Windows Administrators. I just want to help them with the major areas that need extra concentration.

1. New features in Windows 2008
64-bit OS
Role-Based Administration
Active Directory comes as a service
Read-Only Domain Controller
IPv6
UAC (User Account Control) based administration
MMC 3.0
2. Active Directory Files
There are a few files associated with Active Directory which are mandatory for AD operations:

NTDS.DIT - Main database file for Active Directory, which stores every piece of information.

EDB.LOG - All AD transactions are first written to this file and later committed to NTDS.DIT during off-peak hours.

RES1.LOG - It's a 10 MB file created when we run dcpromo and used as reserved space for AD transactions when the drive fills up.

RES2.LOG - It's another 10 MB file created when we run dcpromo and used as reserved space for AD transactions whe…

Advanced : VMware HA Important Points

VMware HA Important Points

HA maintains the high availability of virtual machines when a host failure or isolation occurs, by powering them on on the remaining running hosts.
Every host in the cluster exchanges heartbeats with the other hosts to notify them that it is alive.
A host is declared isolated when its heartbeat is not received within 12 seconds.
A host is declared dead when its heartbeat is not received within 15 seconds; we can increase this duration to avoid false positives by defining the advanced setting das.failuredetectioninterval in vCenter.
If we set das.failuredetectioninterval to 60 seconds we can avoid false isolations: if an isolated host comes back within 60 seconds, the VMs will continue to run on the same host and HA will not interfere.
When a host is declared isolated after the defined interval, the isolation response will be executed on that host.

If the isolation response is set to “Leave Powered On”, the VMs will continue to run on the isolated host; however, if an…

Windows : Directory Services Restore Mode DSRM : Resetting Password

DSRM is similar to Safe Mode in Windows, but it is designed to perform restore operations related to Active Directory. This mode is not available in desktop operating systems; it comes into the picture only with the installation of Active Directory on server operating systems. Within DSRM we can restore the Active Directory database from its backup, authoritatively or non-authoritatively.
So how do we enter DSRM?
Reboot the machine and press F8, where you will see an option saying Directory Services Restore Mode.
Which account is used with DSRM?
Generally, when you run DCPROMO the wizard asks us to set a DSRM password. This password is for the local administrator, so we need to use the local administrator account instead of the domain administrator. In fact, the domain administrator account will not be available in DSRM.
So how do we reset the DSRM password if we forget it?
We can reset the DSRM password using NTDSUTIL. Let’s see how to do it in the video below.


Windows : Playing with FSMO Roles : Transferring

In this article, I would like to show how to transfer FSMO roles from one domain controller to another. In the last article we discussed seizing FSMO roles. Seizing can be done only when the primary domain controller is down and inaccessible. If we are able to assign the roles from primary to secondary while both are up, that process is called transferring. In this scenario both domain controllers are online and communicating with each other. This process is used when someone wants to reboot one of their domain controllers (preferably the primary). Before rebooting the primary it’s a must to transfer all the roles to the secondary to avoid authentication issues in the network. It’s a recommended proactive task. Enough talk, let’s see the video.
Transferring FSMO roles using Graphical Interface

Transferring FSMO roles using NTDSUTIL (From command line)
