BUILD THE NEW DOMAIN
For a disaster recovery, it will most likely be necessary to rebuild a domain for the customer.
DEPLOY NEW SERVER
Deploy a new server in a new isolated network.
This installation must not be done from a template, a VM copy or any other pre-existing image: an image inherited from the compromised estate may carry the attacker's persistence. Install from an ISO downloaded for the occasion from the vendor, and verify its hash against the published value before using it.
Achieve maximum hardening of the OS.
Open only the ports and URLs necessary for the environment to function (at least Windows Update for now).
Use the URL.txt list.
Remove undesirable software
Even on a fresh installation, review every component that can be uninstalled and keep only what is needed for operation.
PowerShell: use the PowerShell Gallery
UPDATE THE OS
Once the server is installed and hardened, apply all available updates directly from the Internet (Windows Update / Microsoft Update), not from an internal share or WSUS server, which may itself have been compromised.
PowerShell: use the PowerShell Gallery
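The following script is an added example and not part of the original page: it checks that the new server is not pointed at an internal update source left over from the old estate, then patches from Microsoft Update through PSWindowsUpdate, a community module on the PowerShell Gallery (assumed here to be the Gallery module the page refers to). The pinned module version is an assumption; check Find-Module for the current one before running.

```powershell
# Added example, not from the original page. Run elevated on the new server.
$wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

# 1. A clean install from ISO has no WindowsUpdate policy key. Anything here (a WSUS server,
#    "do not connect to Internet locations") came from somewhere else and must go.
if (Test-Path $wuPolicy) {
    $p = Get-ItemProperty -Path $wuPolicy
    foreach ($name in 'WUServer', 'WUStatusServer', 'UpdateServiceUrlAlternate',
                      'DoNotConnectToWindowsUpdateInternetLocations') {
        if ($null -ne $p.$name) { Write-Warning "$name = $($p.$name) found under $wuPolicy" }
    }
    if (Test-Path "$wuPolicy\AU") {
        $au = Get-ItemProperty -Path "$wuPolicy\AU"
        if ($au.UseWUServer -eq 1) { Write-Warning 'UseWUServer=1: updates would come from WSUS' }
    }
    Remove-Item -Path $wuPolicy -Recurse -Force   # also drops the AU subkey
    Restart-Service -Name wuauserv
}

# 2. Fetch the module from the Gallery. The Gallery requires TLS 1.2; the version is pinned
#    (assumed value) so a later package push cannot change what runs as admin on a future DC.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force | Out-Null
Install-Module -Name PSWindowsUpdate -RequiredVersion 2.2.0.3 -Scope AllUsers -Force
Import-Module -Name PSWindowsUpdate

# 3. Register the Microsoft Update service (more products than the Windows-only channel)
#    and list what is pending before installing anything.
Add-WUServiceManager -MicrosoftUpdate -Confirm:$false | Out-Null
Get-WindowsUpdate -MicrosoftUpdate | Format-Table KB, Size, Title -AutoSize

# 4. Install everything and reboot when required. Re-run step 3 after the reboot;
#    the server is up to date when Get-WindowsUpdate returns nothing.
Install-WindowsUpdate -MicrosoftUpdate -AcceptAll -AutoReboot -Verbose
```

Deleting the whole policy key is deliberate: on a machine that has never been joined to anything there is nothing legitimate under it, and a stale WUServer value would silently redirect every later update to the old infrastructure.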
DELETE USELESS SCHEDULED TASKS AND SERVICES
Even on a fresh installation, check that no unwanted or unexpected scheduled tasks or services are present.
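The inventory below is an added example, not part of the original page, covering the two review steps above (removable components, and scheduled tasks and services). It lists what a freshly installed server still carries so that each item can be reviewed before promotion. Feature and task names in the comments at the end are illustrative; nothing in it is specific to one customer.

```powershell
# Added example, not from the original page. Run elevated on the new server before
# and after hardening; the saved JSON baseline lets you diff the two runs.
$sysRoot = $env:SystemRoot
$report  = [ordered]@{}

# 1. Installed roles/features. On a future DC only AD-DS, DNS and their RSAT tools
#    should remain; everything else listed here is a removal candidate.
$report.Features = Get-WindowsFeature |
    Where-Object { $_.Installed } |
    Select-Object Name, DisplayName

# 2. Provisioned Appx packages (Desktop Experience installs ship a few).
$report.Appx = Get-AppxProvisionedPackage -Online |
    Select-Object DisplayName, Version

# 3. Enabled scheduled tasks not authored by Microsoft (authors of built-in tasks are
#    either "Microsoft..." or a $(@%SystemRoot%...) resource string) or whose action runs
#    a binary outside %SystemRoot%. Expect a few Microsoft entries (Defender lives under
#    %ProgramFiles%); the point is that every remaining line has been looked at.
$report.Tasks = Get-ScheduledTask | Where-Object {
    $_.State -ne 'Disabled' -and (
        $_.Author -notmatch '^(Microsoft|\$\(@%SystemRoot%)' -or
        @($_.Actions | Where-Object {
            $_.Execute -and
            $_.Execute -notlike "$sysRoot*" -and
            $_.Execute -notlike '%SystemRoot%*' -and
            $_.Execute -notlike '%windir%*'
        }).Count -gt 0
    )
} | Select-Object TaskPath, TaskName, Author, State

# 4. Auto-start services whose executable lives outside %SystemRoot% (agents from a
#    template or vendor image would show up here; a clean ISO install should not have any).
$report.Services = Get-CimInstance -ClassName Win32_Service | Where-Object {
    $_.StartMode -eq 'Auto' -and
    $_.PathName -notlike "$sysRoot*" -and
    $_.PathName -notlike "`"$sysRoot*"
} | Select-Object Name, DisplayName, PathName, StartName

foreach ($section in $report.GetEnumerator()) {
    "=== $($section.Key) ($(@($section.Value).Count)) ==="
    $section.Value | Format-Table -AutoSize | Out-String -Width 200
}

# Keep the baseline; re-running after hardening and after promotion shows what changed.
$stamp = Get-Date -Format 'yyyyMMdd-HHmm'
$report | ConvertTo-Json -Depth 4 | Set-Content -Path "$env:USERPROFILE\baseline-$stamp.json"

# Typical actions once the lists have been reviewed (illustrative; uncomment what applies):
# Uninstall-WindowsFeature -Name FS-SMB1, PowerShell-V2 -Remove
# Disable-ScheduledTask -TaskPath '\Microsoft\Windows\Customer Experience Improvement Program\' -TaskName 'Consolidator'
# Set-Service -Name <name> -StartupType Disabled; Stop-Service -Name <name>
```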
PROMOTE NEW DOMAIN CONTROLLER
Case 1: the domain is totally compromised.
If the domain is compromised, no connection of any kind must be made between the compromised domain and the new domain controller. Start from scratch and recreate the entire infrastructure.
Case 2: the domain is not totally compromised.
If the domain has only been partially compromised (the attacker has deployed ransomware, but the domain controllers are still reachable, the link to the outside world has been cut and the ransomware is no longer deploying), the new server can be promoted as an additional domain controller of the existing domain and the FSMO roles transferred to the new domain controller(s).
The next steps apply only to the second case.
MIGRATE FSMO ROLE
Use this command to transfer the FSMO roles to the new domain controller (the roles can be given by number or by name):
Move-ADDirectoryServerOperationMasterRole -Identity "NewDC" -OperationMasterRole 0,1,2,3,4 -Verbose
Role numbers accepted by -OperationMasterRole:
  0  PDCEmulator
  1  RIDMaster
  2  InfrastructureMaster
  3  SchemaMaster
  4  DomainNamingMaster
Without -Force this is a transfer, which requires the current role holder to be reachable. Adding -Force seizes the roles instead; a domain controller whose roles were seized must never be put back on the network.
Check the migration
netdom query FSMO
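The script below is an added example, not part of the original page: it wraps the transfer above with the checks a practitioner wants before and after it (the target really is a replicating DC, who held the roles before, who holds them after). "NEWDC" is a placeholder name; it assumes the ActiveDirectory module and that the script runs on the new DC as an Enterprise Admin.

```powershell
# Added example, not from the original page. Placeholder names; run on the new DC.
Import-Module ActiveDirectory
$newDc = 'NEWDC'

# 1. The target must already be a domain controller of this domain and must have
#    completed inbound replication; moving the RID master to a DC that has not seen
#    the latest RID pool state is how duplicate RIDs get handed out.
$dc = Get-ADDomainController -Identity $newDc -ErrorAction Stop
$failed = Get-ADReplicationPartnerMetadata -Target $newDc -Scope Server |
    Where-Object { $_.LastReplicationResult -ne 0 }
if ($failed) {
    $failed | Format-Table Partner, Partition, LastReplicationResult -AutoSize
    throw 'Fix replication before transferring roles'
}

# 2. Record the current holders (should all be the old DC), then transfer by name.
$forest = Get-ADForest; $domain = Get-ADDomain
[ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
} | Format-Table -AutoSize

Move-ADDirectoryServerOperationMasterRole -Identity $dc `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster `
    -Confirm:$false -Verbose
# If the old holder is unreachable this fails; -Force seizes the roles instead, after
# which the old DC must never reconnect to the network.

# 3. Verify against the directory, not against the command's own output, then cross-check with netdom.
$forest = Get-ADForest; $domain = Get-ADDomain
$after = @($forest.SchemaMaster, $forest.DomainNamingMaster,
           $domain.PDCEmulator, $domain.RIDMaster, $domain.InfrastructureMaster)
$notMoved = $after | Where-Object { $_ -ne $dc.HostName }
if ($notMoved) { throw "Roles still held by: $($notMoved -join ', ')" }
netdom query fsmo
```

Get-ADForest and Get-ADDomain are re-read after the move on purpose: the properties on the objects captured earlier are snapshots, and the point of step 3 is to confirm what the directory now says.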
PURGE METADATA
Remove the old domain controllers from the Active Directory metadata. Do this only after the FSMO roles have been transferred, with the old DC powered off for good.
Get-ADComputer -Identity "OLD_DC" | Remove-ADObject -Recursive
Open "Active Directory Sites and Services"
Delete the old domain controller's server object (with its NTDS Settings child) under its site; deleting NTDS Settings is what triggers the automatic metadata cleanup on Windows Server 2008 and later. Then remove the old DC's DNS records (A, NS, SRV and its GUID CNAME in _msdcs) so that clients and the remaining DCs stop trying to reach it.
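The same purge done from PowerShell, as an added example that is not part of the original page, so that it can be reviewed and repeated: the computer object, the server object from Sites and Services, and the DNS records. "OLDDC" is a placeholder; it assumes the ActiveDirectory and DnsServer modules, that the script runs on the new DC (which also hosts DNS) as an Enterprise Admin, and that the old DC is already off.

```powershell
# Added example, not from the original page. Placeholder names; run on the new DC.
Import-Module ActiveDirectory
Import-Module DnsServer
$oldDc   = 'OLDDC'
$rootDse = Get-ADRootDSE
$domain  = Get-ADDomain
$zone    = $domain.DNSRoot
$oldFqdn = "$oldDc.$zone"

# Refuse to run while the old DC still holds a role; purging it now would orphan the role.
$forest  = Get-ADForest
$holders = @($forest.SchemaMaster, $forest.DomainNamingMaster,
             $domain.PDCEmulator, $domain.RIDMaster, $domain.InfrastructureMaster)
if ($holders -match "^$oldDc\.") { throw "$oldDc still holds a FSMO role; transfer or seize first" }

# 1. Computer account (Domain Controllers OU), same as the page's command.
$computer = Get-ADComputer -Identity $oldDc -ErrorAction SilentlyContinue
if ($computer) { $computer | Remove-ADObject -Recursive -Confirm:$false }

# 2. Server object in the Configuration partition (what Sites and Services shows),
#    found by name so the site does not have to be known. Its NTDS Settings child
#    goes with it, which triggers the automatic metadata cleanup.
$server = Get-ADObject -SearchBase $rootDse.configurationNamingContext `
    -LDAPFilter "(&(objectClass=server)(cn=$oldDc))"
if ($server) { $server | Remove-ADObject -Recursive -Confirm:$false }

# 3. DNS. Capture the old DC's address first so its "(same as parent)" A record at the
#    zone apex can be removed as well, then sweep both the domain zone and _msdcs.
$oldIp = @(Get-DnsServerResourceRecord -ZoneName $zone -Name $oldDc -RRType A -ErrorAction SilentlyContinue |
           ForEach-Object { $_.RecordData.IPv4Address.IPAddressToString })
foreach ($z in @($zone, "_msdcs.$zone")) {
    $stale = Get-DnsServerResourceRecord -ZoneName $z -ErrorAction SilentlyContinue | Where-Object {
        ($_.RecordType -eq 'NS'    -and $_.RecordData.NameServer    -eq "$oldFqdn.") -or
        ($_.RecordType -eq 'SRV'   -and $_.RecordData.DomainName    -eq "$oldFqdn.") -or
        ($_.RecordType -eq 'CNAME' -and $_.RecordData.HostNameAlias -eq "$oldFqdn.") -or
        ($_.RecordType -eq 'A'     -and ($_.HostName -eq $oldDc -or
            ($_.HostName -eq '@' -and $oldIp -contains $_.RecordData.IPv4Address.IPAddressToString)))
    }
    foreach ($r in $stale) {
        "Removing $($r.RecordType) $($r.HostName) from $z"
        Remove-DnsServerResourceRecord -ZoneName $z -InputObject $r -Force
    }
}

# 4. Verify: the old DC must be gone from every place that lists domain controllers.
if (Get-ADDomainController -Filter "Name -eq '$oldDc'") { throw "$oldDc is still listed as a DC" }
repadmin /showrepl | Select-String -Pattern $oldDc
```

The DNS sweep matches on record data rather than on record names because the SRV and CNAME entries that point at a DC are named after services and GUIDs, not after the host; filtering by name would leave them behind.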