Replace DC server (server 2019)

FotS 81 Reputation points
2021-09-12T06:20:50.94+00:00

We were hit by a ransomware attack. Because the company hadn't invested any money into offsite backups, we only had onsite and, yeah, for all intents and purposes they are toast right now. The 2 DCs we had were fine, until someone powered on an infected machine I had powered down. Now both DC servers are at least partially encrypted. I don't see signs of the virus itself on them (yet), but I don't want to take any chances. I'm actually afraid to logout or even disconnect from DC01 for fear I won't be able to log back into it (I can't log into DC02 anymore due to the encryption).

I've powered down DC02 and using our virtual environment, spun up another server (DC03). I've added the same roles to it as what DC01 had (AD DS, DHCP, DNS, and NPAS), promoted DC03 as a DC in AD and started some work on DNS (on DC01 I've added DC03 as a Name Server), but when following guides for steps that continue to the new server, I've noticed all the zones are already visible on DC03, so I'm not sure what to do.

I really don't have the level of expertise to do all of this, but the company lacks the money to hire outside help. I've found some guides for complete replacements of DCs, but they're old (Server 2008 or older), and I'm not sure how much has changed over the versions (sorry, should mention that all of our servers are 2019 and I know I've already run across some guides saying that even going from server 2008 to 2016 require some additional steps like upgrading to 2012, first). Frankly, I don't even know what things I should be asking/looking out for. Until I was looking at some of these guides, I had never even heard of FSMO in relation to AD.

I need to get the AD, DHCP, DNS, and NPAS services transferred over to DC03, plus whatever else in there that I may not know about. NPAS I think(?) is being used for a RADIUS connection from the site's internet firewall for VPN. That said, there's some software installed on DC01 for the firewall, too, for the purposes of the web filters, so I think I'm going to engage the firewall support people to move the software and get VPN going through that instead. There's also Azure AD Connect software running on DC01, too (primarily used to sync our AD accounts with our Office 365 email accounts). That should be it.

Once all of that is transferred over, I want to shut DC01 down, then either rename and re-IP DC03 to match DC01, or spin up another DC server to match DC01's name and IP (would that be easier?). I know there have to be a lot of references and pointers to its name and IP, so I want to make sure at least something exists with its identical info. If it makes it any easier, I think we have like less than a half dozen PCs that are still functional at this point, anyway. XD

What a nightmare this is turning into.... I need help. :(


Accepted answer
  1. Dave Patrick 426.1K Reputation points MVP
    2021-09-12T12:38:56.58+00:00

    For the additional domain controllers I'd use dcdiag / repadmin tools to verify health, correcting all errors found before starting any operations. Then stand up the new 2019, patch it fully, license it, join existing domain, add active directory domain services, promote it also making it a GC (recommended), transfer FSMO roles over (optional), transfer pdc emulator role (optional), use dcdiag / repadmin tools to again verify health, when all is good you can decommission / demote old one.

    For DHCP do you have a backup or starting over?

    For the NPAS question I'd start a new thread over here.
    https://learn.microsoft.com/en-us/answers/topics/windows-network-access-protection.html

    Do not install the vpn on a domain controller. I'd stand up a separate instance for this purpose.

    --please don't forget to upvote and Accept as answer if the reply is helpful--

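The sequence in the accepted answer (health gate, FSMO transfer, GC check, re-verify) as an added PowerShell example; it is not code from the thread or from Microsoft. It assumes the ActiveDirectory RSAT module, a domain-admin session, and the placeholder names DC01 (old) and DC03 (new) used in the question.

```powershell
# Added example, not from the original thread. Assumes RSAT ActiveDirectory module
# and a domain-admin session. Placeholder names: DC01 = old DC, DC03 = new DC.
Import-Module ActiveDirectory

$OldDc = 'DC01'
$NewDc = 'DC03'

# Report all five FSMO holders (two forest-wide, three domain-wide).
function Get-FsmoHolders {
    $d = Get-ADDomain
    $f = Get-ADForest
    [pscustomobject]@{
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
    }
}

Write-Host 'FSMO holders before transfer:'
Get-FsmoHolders | Format-List

# Health gate: do not move roles while the new DC is failing dcdiag tests or
# replication is broken. dcdiag /q prints only errors, so any "failed test"
# line means stop and fix first.
$diag = dcdiag /s:$NewDc /q
repadmin /replsummary | Out-Host
if ($diag -match 'failed test') {
    $diag | Out-Host
    throw "dcdiag reported errors on $NewDc; correct them before transferring roles."
}

# Graceful transfer while DC01 is still online. Add -Force only if DC01 is
# unrecoverable; that seizes the roles and DC01 must then never come back.
Move-ADDirectoryServerOperationMasterRole -Identity $NewDc -Confirm:$false `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster

# Make the new DC a global catalog if it is not one already (bit 1 of the
# NTDS Settings "options" attribute).
$dc = Get-ADDomainController -Identity $NewDc
if (-not $dc.IsGlobalCatalog) {
    Set-ADObject -Identity $dc.NTDSSettingsObjectDN -Replace @{ options = 1 }
}

Write-Host 'FSMO holders after transfer:'
Get-FsmoHolders | Format-List

# Re-verify replication from the new DC's point of view before demoting DC01.
repadmin /showrepl $NewDc | Out-Host
```

Run it from the new DC and only demote the old one once the final repadmin output shows no failures.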

8 additional answers

  1. FotS 81 Reputation points
    2021-09-12T15:32:29.017+00:00

    Ok, I'm close.... I've got a new DC01 all up, same name and IP as the old, joined to domain and promoted as DC, even got DHCP working on it and confirmed the rest of the network now works on DHCP.

    However, DNS seems desync'd between them. I had to add an A record for DC01 from DC02/DC03 in order for them to resolve it when attempting to add it as a Name Server, and I've noticed as I've begun demoting and removing DC03 from everything, that DC01's DNS records are not updating with the removal of DC03. I've apparently done gone and mucked something up. :/


  2. Dave Patrick 426.1K Reputation points MVP
    2021-09-12T15:35:56.557+00:00

    Please run:

    Dcdiag /v /c /d /e /s:%computername% >C:\dcdiag.log
    repadmin /showrepl >C:\repl.txt
    ipconfig /all > C:\dc1.txt
    ipconfig /all > C:\dc2.txt
    ipconfig /all > C:\dc3.txt

    then put unzipped text files up on OneDrive and share a link.


  3. Dave Patrick 426.1K Reputation points MVP
    2021-09-12T18:05:43.943+00:00

    Sounds good.



  4. Dave Patrick 426.1K Reputation points MVP
    2021-09-13T12:56:29.453+00:00

    Glad to hear of success and that health and replication are now back to 100%.
