Ransomware and SYSVOL folder

skak 21 Reputation points
2021-02-23T19:48:27.397+00:00

Hello,

I have an old setup with 4 domain controllers: 3 Windows Server 2003 and one Windows 2008 R2. Last week we had a ransomware attack and it corrupted the SYSVOL folder. I have a recent AD backup, which I restored in my lab, and I copied the clean SYSVOL folder to the existing SYSVOL (deleted the contents in SYSVOL).
The reference server is built and I changed the registry value to D4, and on all the other ADCs I did D2. After restarting ntfrs and netlogon I see NtFrs_PreExisting___See_EventLog in the SYSVOL. How can I avoid this?

https://support.microsoft.com/en-us/help/315457/how-to-rebuild-the-sysvol-tree-and-its-content-in-a-domain


8 answers

  1. Anonymous
    2021-02-24T00:41:44.957+00:00

  2. skak 21 Reputation points
    2021-02-24T05:31:50.373+00:00

    I have already checked those links but didn't really find anything. I want to know the root cause of the behavior; also, I did an authoritative restore.


  3. Anonymous
    2021-02-24T07:30:29.753+00:00

    Hi,
    Based on my understanding, when D2 or D4 is performed, the files within the SYSVOL on non-authoritative DCs will be placed into the pre-existing folder.
    The placement of files in the pre-existing folder on reinitialized members is a safeguard in FRS that is designed to prevent accidental data loss. Any files destined for the replica that exist only in the local pre-existing folder and were replicated after the initial replication may then be copied to the appropriate folder.

    This can't be changed.

    Best Regards,
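
The answer above says that files existing only in the local pre-existing folder may be copied back into the replica. As an added example (not part of the thread or of Microsoft's guidance), this read-only PowerShell script lists which files under `NtFrs_PreExisting___See_EventLog` are missing from, identical to, or different from the tree that replicated in; the default `$ReplicaRoot` path and the helper name `Get-RelativeHashTable` are assumptions.

```powershell
# Added example (not from the thread). Requires PowerShell 4.0+ for Get-FileHash;
# run it from an admin workstation against the share if the DC has an older version.
param(
    # Assumption: default replica root; change to match your SYSVOL location.
    [string]$ReplicaRoot = 'C:\Windows\SYSVOL\domain',
    # Folder name as quoted in the question.
    [string]$PreExistingName = 'NtFrs_PreExisting___See_EventLog'
)

# Hypothetical helper: map each file's path relative to $Root to its SHA-256.
function Get-RelativeHashTable {
    param([string]$Root, [string]$Exclude)
    $table = @{}   # PowerShell hashtable keys are case-insensitive, like NTFS paths
    $rootFull = (Resolve-Path -LiteralPath $Root).ProviderPath.TrimEnd('\')
    Get-ChildItem -LiteralPath $rootFull -Recurse -File | ForEach-Object {
        $rel = $_.FullName.Substring($rootFull.Length + 1)
        # Skip the pre-existing folder itself when hashing the live replica tree.
        if ($Exclude -and $rel.StartsWith("$Exclude\", [StringComparison]::OrdinalIgnoreCase)) { return }
        $table[$rel] = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
    }
    return $table
}

$preRoot = Join-Path $ReplicaRoot $PreExistingName
if (-not (Test-Path -LiteralPath $preRoot)) {
    Write-Output "No $PreExistingName folder under $ReplicaRoot; nothing to compare."
    return
}

$pre     = Get-RelativeHashTable -Root $preRoot
$replica = Get-RelativeHashTable -Root $ReplicaRoot -Exclude $PreExistingName

$report = foreach ($rel in $pre.Keys) {
    if (-not $replica.ContainsKey($rel)) { $status = 'OnlyInPreExisting' }
    elseif ($replica[$rel] -eq $pre[$rel]) { $status = 'Identical' }
    else { $status = 'Differs' }
    [pscustomobject]@{ Status = $status; Path = $rel; SHA256 = $pre[$rel] }
}

# Read-only report: nothing is copied or deleted.
$report | Sort-Object Status, Path | Format-Table -AutoSize
```

On a DC that was hit by the ransomware, check `OnlyInPreExisting` and `Differs` rows against the clean backup before copying anything back into the replica.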

