
I have a standalone domain controller that was recently compromised. I've isolated it and cleaned it up, but I need to set about replacing it.

I've built a replacement; however, when I try to join the domain, I'm getting 'The network path was not found'. It does prompt for credentials, so it's like it can see the domain, but after about 30 seconds, it errors.


I've googled the hell out of this and I've tried various things with no success so far.

I believe DCDiag has shed some light on the cause of the issue; however, I'm not sure where to go from here...

 Performing initial setup:
 Trying to find home server...
 Home Server = {machinename}

[{machinename}] Directory Binding Error 1722:
The RPC server is unavailable.
This may limit some of the tests that can be performed.
* Identified AD Forest.
Done gathering initial info.

Testing server: Default-First-Site-Name\{machinename}
  Skipping all tests, because server {machinename} is not responding to directory service requests.

Any help or suggestions welcome!

John
  • You should restore the compromised DC from backup. – joeqwerty Nov 10 '18 at 16:40
  • @joeqwerty If I had a valid backup, we wouldn't be having this conversation :) – John Nov 10 '18 at 16:48
  • Start with this - https://support.microsoft.com/en-us/help/2102154/active-directory-replication-error-1722-the-rpc-server-is-unavailable – joeqwerty Nov 10 '18 at 16:52
  • OK, so things seem to point at DNS initially, but now I'm doubtful. I've removed the DNS zones with msdcs in them and tried to auto-rebuild, which failed as the netlogon service failed to stop. I then manually rebuilt the DNS structure using a clean working DC from another domain as reference. :) Still, trying to join the domain gives a 'network path was not found' error. – John Nov 10 '18 at 21:07
  • I have checked the contents of HKLM\Software\Microsoft\Rpc, and it all seems in order, matches up as it should. – John Nov 10 '18 at 21:13
  • I noticed that I can see the domain shares (sysvol etc) by browsing to 127.0.0.1 from the DC, but I cannot access any shares whatsoever from any other machine using the DC's IP (192.168.3.251). – John Nov 10 '18 at 21:32
  • I bet the logon service is stopped or paused. – bjoster Jan 04 '19 at 16:01

0 Answers