After a Month Turned Off, Member Server Behaves as Domain Controller on Reboot

[Guest Will]

In our test lab, we have a Windows 2000 member server behaving as an

dedicated DHCP server. This computer is not nor has it ever been a domain

controller.

 

After a power problem in that part of the lab, the DHCP server was turned

off for a month. Today on power on the computer refuses to finish booting,

claiming that we need to go into Directory Services Recovery Mode. Going

into Safe Mode, I see that the server has elements of a domain controller's

configuration, such as the Link Tracking Server, and the Kerberos Key Server

services are in Automatic mode. But event viewer messages during the

normal boot have complaints that the Active Directory services cannot start

for various reasons, such as the SYSVOL has been removed.

 

Quite a few machines in this lab were hacked in the past and are probably

still hacked and this machine could be one of them. But I'm still at a

loss for the above behavior, and what could have triggered it after a month

powered off?

 

--

Will

[Guest Meinolf Weber]

Re: After a Month Turned Off, Member Server Behaves as Domain Controller on Reboot

 

Hello Will,

 

Check the event viewer in detail and you should find the day when it was

promoted to a domain controller. Even if it was not you. And as you say,

if some machines where hacked and people have access to them, they could

also play around with them. I think the main problem in your case is, that

YOU have to control the access to the hardware as the administrator, according

to your company policies.

 

So how could we help you to control this? And one will be sure, the machine

will NOT install itself whatever role, software or whatever. Always somebody

is sitting before that computer.

 

Best regards

 

Meinolf Weber

Disclaimer: This posting is provided "AS IS" with no warranties, and confers

no rights.

** Please do NOT email, only reply to Newsgroups

** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

> In our test lab, we have a Windows 2000 member server behaving as an

> dedicated DHCP server. This computer is not nor has it ever been a

> domain controller.

>

> After a power problem in that part of the lab, the DHCP server was

> turned off for a month. Today on power on the computer refuses to

> finish booting, claiming that we need to go into Directory Services

> Recovery Mode. Going into Safe Mode, I see that the server has

> elements of a domain controller's configuration, such as the Link

> Tracking Server, and the Kerberos Key Server services are in Automatic

> mode. But event viewer messages during the normal boot have

> complaints that the Active Directory services cannot start for various

> reasons, such as the SYSVOL has been removed.

>

> Quite a few machines in this lab were hacked in the past and are

> probably still hacked and this machine could be one of them. But I'm

> still at a loss for the above behavior, and what could have triggered

> it after a month powered off?

>

[Guest Will]

Re: After a Month Turned Off, Member Server Behaves as Domain Controller on Reboot

 

There is no record in the eventviewer of a domain controller promotion.

There is a clear history of events up until the day it was powered off that

are consistent with a dedicated DHCP server. Then, suddenly, one month

later out of nowhere it is assuming domain controller like behaviors. The

event viewer messages are things like complaints that directory services

cannot be started because SYSVOL is absent.

 

The computer is in a low security lab, well separated by firewall from

anything important. It is by design a low security area. But even with

that in mind, there does NOT appear to have been a formal dcpromo performed.

The computer behaves more like some registry entries were hacked to make the

machine try to start up directory services at startup, even though it is not

in a state where such services can be run.

 

The bottom line is do I have any way to stop this behavior? I cannot

dcpromo it out of this state. I can only start the computer in safe mode,

and you cannot run dcpromo in safe mode. I can set any service I want to

disabled state to try to get the computer bootable in a normal mode of

operation, then run a dcpromo demotion and force it and see what that gives.

 

--

Will

 

"Meinolf Weber" <meiweb(nospam)@gmx.de> wrote in message

news:ff16fb668bd938ca483a65b6cf7b@msnews.microsoft.com...

> Hello Will,

>

> Check the event viewer in detail and you should find the day when it was

> promoted to a domain controller. Even if it was not you. And as you say,

> if some machines where hacked and people have access to them, they could

> also play around with them. I think the main problem in your case is, that

> YOU have to control the access to the hardware as the administrator,

> according to your company policies.

>

> So how could we help you to control this? And one will be sure, the

> machine will NOT install itself whatever role, software or whatever.

> Always somebody is sitting before that computer.

>

> Best regards

>

> Meinolf Weber

> Disclaimer: This posting is provided "AS IS" with no warranties, and

> confers no rights.

> ** Please do NOT email, only reply to Newsgroups

> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

>

>> In our test lab, we have a Windows 2000 member server behaving as an

>> dedicated DHCP server. This computer is not nor has it ever been a

>> domain controller.

>>

>> After a power problem in that part of the lab, the DHCP server was

>> turned off for a month. Today on power on the computer refuses to

>> finish booting, claiming that we need to go into Directory Services

>> Recovery Mode. Going into Safe Mode, I see that the server has

>> elements of a domain controller's configuration, such as the Link

>> Tracking Server, and the Kerberos Key Server services are in Automatic

>> mode. But event viewer messages during the normal boot have

>> complaints that the Active Directory services cannot start for various

>> reasons, such as the SYSVOL has been removed.

>>

>> Quite a few machines in this lab were hacked in the past and are

>> probably still hacked and this machine could be one of them. But I'm

>> still at a loss for the above behavior, and what could have triggered

>> it after a month powered off?

>>

>

>