Thursday, August 9, 2018

AR-10135536-17 – North Korean Trojan: KEYMARBLE

This Malware Analysis Report (MAR) is the result of analytic efforts between Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). Working with U.S. Government partners, DHS and FBI identified Trojan malware variants used by the North Korean government. This malware variant has been identified as KEYMARBLE. The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. For more information on HIDDEN COBRA activity, visit https://www.us-cert.gov/hiddencobra.

DHS and FBI are distributing this MAR to enable network defense and reduce exposure to North Korean government malicious cyber activity.

This MAR includes malware descriptions related to HIDDEN COBRA, suggested response actions and recommended mitigation techniques. Users or administrators should flag activity associated with the malware, report the activity to the DHS National Cybersecurity and Communications Integration Center (NCCIC) or the FBI Cyber Watch (CyWatch), and give the activity the highest priority for enhanced mitigation.

This malware report contains analysis of one 32-bit Windows executable file, identified as a Remote Access Trojan (RAT). This malware is capable of accessing device configuration data, downloading additional files, executing commands, modifying the registry, capturing screen shots, and exfiltrating data.

For a downloadable copy of IOCs, see:

MAR-10135536-17.stix

Submitted Files (1)

e23900b00ffd67cd8dfa3283d9ced691566df6d63d1d46c95b22569b49011f09 (704d491c155aad996f16377a35732c...)
IPs (3)

100.43.153.60

104.194.160.59

212.143.21.43
Findings
e23900b00ffd67cd8dfa3283d9ced691566df6d63d1d46c95b22569b49011f09
Tags

trojan
Details
Name 704d491c155aad996f16377a35732cb4
Size 126976 bytes
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 704d491c155aad996f16377a35732cb4
SHA1 d1410d073a6df8979712dd1b6122983f66d5bef8
SHA256 e23900b00ffd67cd8dfa3283d9ced691566df6d63d1d46c95b22569b49011f09
SHA512 0092900bf4ca71c17a3caa225a4d7dcc60c7b58f7ffd173f46731db7f696e34b2e752aefaf9cedc27fe76fe317962a394f1be2e59bd0cffaabd9f88cc4daedcc
ssdeep 3072:IDdXEYhXxS550wwiY0Pe6Q1vLo4lJnCtea:EXEEXxcQxZ
Entropy 6.264656
Antivirus
Ahnlab Trojan/Win32.Agent
Antiy Trojan/Win32.AGeneric
Avira TR/Agent.rhagj
BitDefender Trojan.GenericKD.4837544
ESET a variant of Win32/NukeSped.H trojan
Emsisoft Trojan.GenericKD.4837544 (B)
Ikarus Trojan.Agent
K7 Trojan ( 0050e4401 )
McAfee GenericRXBP-FF!704D491C155A
NANOAV Trojan.Win32.Agent.eqcfki
NetGate Trojan.Win32.Malware
Quick Heal Trojan.IGENERIC
Symantec Process timed out
TACHYON Trojan/W32.Agent.126976.CTO
Zillya! Trojan.NukeSped.Win32.5
Yara Rules
hidden_cobra_consolidated.yara
rule rsa_modulus
{
    meta:
        Author = "NCCIC trusted 3rd party"
        Incident = "10135536"
        Date = "2018/04/19"
        category = "hidden_cobra"
        family = "n/a"
        description = "n/a"
    strings:
        $n = "bc9b75a31177587245305cd418b8df78652d1c03e9da0cfc910d6d38ee4191d40"
    condition:
        (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and any of them
}
ssdeep Matches

No matches found.
PE Metadata
Compile Date 2017-04-12 11:16:04-04:00
Import Hash fc7dab4d20f23681313b91eba653aa21
PE Sections
MD5 Name Raw Size Entropy
47f6fac41465e01dda5eac297ab250db header 4096 0.627182
30d34a8f4c29d7c2feb0f6e2b102b0a4 .text 94208 6.633409
77f4a11d375f0f35b64a0c43fab947b8 .rdata 8192 5.054283
d4364f6d2f55a37f0036e9e0dc2c6a2b .data 20480 4.416980
Packers/Compilers/Cryptors
Microsoft Visual C++ v6.0
Relationships
e23900b00f... Connected_To 104.194.160.59
e23900b00f... Connected_To 212.143.21.43
e23900b00f... Connected_To 100.43.153.60
Description

This application is a malicious 32-bit Windows executable file, which functions as a RAT. When executed, it de-obfuscates its application programming interfaces (APIs) and, using port 443, attempts to connect to the hard-coded IP addresses listed below. After connecting, the malware waits for further instructions.

--Begin hard-coded IP addresses--
100.43.153.60
104.194.160.59
212.143.21.43
--End hard-coded IP addresses--

Static analysis reveals that this RAT uses a customized XOR cryptographic algorithm displayed in Figure 1 to secure its data transfers and command-and-control (C2) sessions. It is designed to accept instructions from the remote server to perform the following functions:

--Begin functions--
Download and upload files
Execute secondary payloads
Execute shell commands
Terminate running processes
Delete files
Search files
Set file attributes
Create registry entries for storing data: (HKEY_CURRENT_USER\SOFTWARE\Microsoft\WABE\DataPath)
Collect device information from installed storage devices (disk free space and their type)
List running processes information
Capture screenshots
Collect and send information about the victim's system (operating system, CPU, MAC address, computer name, language settings, list of disk devices and their type, time elapsed since the system was started, and unique identifier of the victim's system)
--End functions--
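As an added example (not part of the MAR): the YARA rule's condition and the hard-coded addresses above rendered as plain-Python checks that a triage script can run without yara-python. The MZ/PE buffer is a synthetic header, not the sample, and the firewall log format and sample lines are constructed assumptions.

```python
"""Added example (not part of the MAR): the report's YARA condition and its
network indicators in plain Python. The modulus string and the three
addresses are the report's own; everything else is constructed."""
import re
import struct

# Indicators taken from the report
C2_IPS = {"100.43.153.60", "104.194.160.59", "212.143.21.43"}
C2_PORT = 443
RSA_MODULUS = b"bc9b75a31177587245305cd418b8df78652d1c03e9da0cfc910d6d38ee4191d40"


def is_pe(data: bytes) -> bool:
    """Same test as the rule: uint16(0) == 0x5A4D ('MZ') and
    uint16(uint32(0x3c)) == 0x4550 ('PE'), both little-endian. An
    e_lfanew that points outside the file fails, as it does in YARA."""
    if len(data) < 0x40 or struct.unpack_from("<H", data, 0)[0] != 0x5A4D:
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 2 > len(data):
        return False
    return struct.unpack_from("<H", data, e_lfanew)[0] == 0x4550


def matches_rsa_modulus_rule(data: bytes) -> bool:
    """rule rsa_modulus: PE header plus the hard-coded modulus string
    (with a single string, 'any of them' is just a substring test)."""
    return is_pe(data) and RSA_MODULUS in data


def build_sample_pe(payload: bytes) -> bytes:
    """Constructed test input: an MZ stub whose e_lfanew (offset 0x3c)
    points at 'PE\\0\\0', followed by payload. Not a real executable."""
    header = bytearray(0x80)
    header[0:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)
    header[0x40:0x44] = b"PE\x00\x00"
    return bytes(header) + payload


# Assumed firewall log shape: key=value fields including dst= and dpt=
CONN_RE = re.compile(r"\bdst=(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\b.*?\bdpt=(?P<port>\d+)\b")


def find_c2_connections(log_lines) -> list:
    """(line number, destination) for each flow to one of the report's
    hard-coded addresses on 443/TCP, the port the RAT uses."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        m = CONN_RE.search(line)
        if m and m["ip"] in C2_IPS and int(m["port"]) == C2_PORT:
            hits.append((number, m["ip"]))
    return hits


# Constructed sample log: one benign flow, one C2 hit, one C2 address on a non-C2 port
SAMPLE_LOG = [
    "Aug 9 10:01:12 fw kernel: OUT src=10.0.0.15 dst=198.51.100.7 proto=TCP dpt=443",
    "Aug 9 10:01:15 fw kernel: OUT src=10.0.0.15 dst=104.194.160.59 proto=TCP dpt=443",
    "Aug 9 10:01:20 fw kernel: OUT src=10.0.0.15 dst=212.143.21.43 proto=TCP dpt=80",
]

if __name__ == "__main__":
    print(matches_rsa_modulus_rule(build_sample_pe(RSA_MODULUS)))
    print(find_c2_connections(SAMPLE_LOG))
```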
Screenshots
Figure 1 - Screenshot of the cryptographic algorithms the malware used to secure its data transfers and C2 sessions.

100.43.153.60
Ports

443 TCP

Whois

Domain Name: KRYPT.COM
Registry Domain ID: 4620809_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.godaddy.com
Updated Date: 2016-02-25T03:39:29Z
Creation Date: 1998-05-04T04:00:00Z
Registry Expiry Date: 2024-05-03T04:00:00Z
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: abuse@godaddy.com
Registrar Abuse Contact Phone: 480-624-2505
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientRenewProhibited https://icann.org/epp#clientRenewProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Name Server: NS1.CF.KRYPT.COM
Name Server: NS2.CF.KRYPT.COM
Name Server: NS3.CF.KRYPT.COM
DNSSEC: signedDelegation
DNSSEC DS Data: 2371 13 2 503AEB51F773BBCA00DB982C938895EF147DDC7D48A4E1E6FD0FE5BE7B98DA0D
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
Last update of whois database: 2018-06-28T02:39:11Z
Relationships
100.43.153.60 Connected_From e23900b00ffd67cd8dfa3283d9ced691566df6d63d1d46c95b22569b49011f09
104.194.160.59
Ports

443 TCP

Whois

Domain Name: SERVPAC.COM
Registry Domain ID: 81803816_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.godaddy.com
Updated Date: 2013-12-27T04:46:10Z
Creation Date: 2001-12-31T08:29:34Z
Registry Expiry Date: 2018-12-31T08:29:34Z
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: abuse@godaddy.com
Registrar Abuse Contact Phone: 480-624-2505
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientRenewProhibited https://icann.org/epp#clientRenewProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Name Server: NS1.SERVPAC.COM
Name Server: NS2.SERVPAC.COM
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
Last update of whois database: 2018-06-28T02:40:41Z
Relationships
104.194.160.59 Connected_From e23900b00ffd67cd8dfa3283d9ced691566df6d63d1d46c95b22569b49011f09
212.143.21.43
Ports

443 TCP

Whois

netnum: 212.143.21.0 - 212.143.21.63
netname: Nana10-LAN
descr: Nana10-LAN
country: IL
admin-c: NV6695-RIPE
tech-c: NV6695-RIPE
status: ASSIGNED PA
mnt-by: NV-MNT-RIPE
created: 2011-02-17T09:16:56Z
last-modified: 2011-02-17T09:16:57Z
source: RIPE

person: Nana 10 LTD
address: 1 Korazin str
address: Givataim, Israel, 53583
mnt-by: NV-MNT-RIPE
phone: +972-73-7992000
fax-no: +972-73-7992220
e-mail: domains@nana10.net.il
nic-hdl: NV6695-RIPE
created: 2010-08-04T09:51:11Z
last-modified: 2011-02-17T09:01:21Z
source: RIPE

% Information related to '212.143.0.0/16AS1680'

route: 212.143.0.0/16
descr: 013 Netvision Network
origin: AS1680
mnt-by: NV-MNT-RIPE
created: 1970-01-01T00:00:00Z
last-modified: 2009-03-26T10:55:12Z
source: RIPE
Relationships
212.143.21.43 Connected_From e23900b00ffd67cd8dfa3283d9ced691566df6d63d1d46c95b22569b49011f09
Relationship Summary
e23900b00f... Connected_To 104.194.160.59
e23900b00f... Connected_To 212.143.21.43
e23900b00f... Connected_To 100.43.153.60
100.43.153.60 Connected_From e23900b00ffd67cd8dfa3283d9ced691566df6d63d1d46c95b22569b49011f09
104.194.160.59 Connected_From e23900b00ffd67cd8dfa3283d9ced691566df6d63d1d46c95b22569b49011f09
212.143.21.43 Connected_From e23900b00ffd67cd8dfa3283d9ced691566df6d63d1d46c95b22569b49011f09


Thursday, May 9, 2013

Sendmail with SquirrelMail

Setup Mail Server using Postfix, Dovecot and SquirrelMail in CentOS/RHEL/Scientific Linux 6.3 step by step

Before installing Postfix, remove sendmail from the server, because sendmail is the default MTA on Red Hat/CentOS.
[root@server ~]# yum remove sendmail

Prerequisites:

  • The mail server should have a valid MX record in the DNS server. See this link for how to set up a DNS server.
  • Firewall and SELinux should be disabled.
[root@server ~]# service iptables stop
[root@server ~]# service ip6tables stop
[root@server ~]# chkconfig iptables off
[root@server ~]# chkconfig ip6tables off
[root@server ~]# vi /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
Reboot the server.

Scenario

In this tutorial, my test box is:
Hostname     = server.ostechnix.com
IP Address    = 192.168.1.200/24
My server is configured with a proper MX record in the DNS server.

Installation

Postfix is installed by default. If it is not installed, use the command below to install it.
[root@server ~]# yum install postfix

Configuration

Open the Postfix config file /etc/postfix/main.cf. Find the following lines and edit them as shown.
[root@server ~]# vi /etc/postfix/main.cf
myhostname = server.ostechnix.com ##line no 75 - uncomment and enter your host name
mydomain = ostechnix.com  ##line no 83 - uncomment and enter your domain name 
myorigin = $mydomain  ##line no 99 - uncomment
inet_interfaces = all  ##line no 116 - change to all
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain  ##line no 164 - add $mydomain at the end
mynetworks = 192.168.1.0/24, 127.0.0.0/8  ##line no 264 - uncomment and add your network range
home_mailbox = Maildir/  ##line no 419 - uncomment
Start the postfix service.
[root@server ~]# service postfix start
Starting postfix:                                          [  OK  ]
[root@server ~]# chkconfig postfix on

Test Postfix

The lines without a numeric reply code (ehlo localhost, mail from, rcpt to, data, the message text, the lone dot, and quit) are entered by the user; the rest are Postfix's replies.
Note: the lone dot on its own line after the message text is important; it ends the message.
[root@server ~]# telnet localhost smtp
Trying ::1...
Connected to localhost.
Escape character is '^]'.
220 server.ostechnix.com ESMTP Postfix
ehlo localhost
250-server.ostechnix.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from:<user1>
250 2.1.0 Ok
rcpt to:<user1>
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
test
.
250 2.0.0 Ok: queued as 117113FF18
quit
221 2.0.0 Bye
Connection closed by foreign host.

Check Mail

Navigate to the user mail directory and check for the new mail.
[root@server ~]# cd /home/user1/Maildir/new/
[root@server new]# ls
1360236956.Vfd00I35afM181256.server.ostechnix.com
[root@server new]# cat 1360236956.Vfd00I35afM181256.server.ostechnix.com
Return-Path: <user1@ostechnix.com>
X-Original-To: user1
Delivered-To: user1@ostechnix.com
Received: from localhost (localhost [IPv6:::1])
 by server.ostechnix.com (Postfix) with ESMTP id 117113FF18
 for <user1>; Thu,  7 Feb 2013 17:05:32 +0530 (IST)
Message-Id: <20130207113547.117113FF18@server.ostechnix.com>
Date: Thu,  7 Feb 2013 17:05:32 +0530 (IST)
From: user1@ostechnix.com
To: undisclosed-recipients:;
test
That's it. Postfix is working now.

Install Dovecot

[root@server ~]# yum install dovecot

Configure Dovecot

Open the dovecot config file /etc/dovecot/dovecot.conf. Find and uncomment the line as shown below.
[root@server ~]# vi /etc/dovecot/dovecot.conf
protocols = imap pop3 lmtp
Open the file /etc/dovecot/conf.d/10-mail.conf and uncomment the line as shown below.
[root@server ~]# vi /etc/dovecot/conf.d/10-mail.conf
mail_location = maildir:~/Maildir  ##line no 24 - uncomment
Open the /etc/dovecot/conf.d/10-auth.conf and edit as shown below.
[root@server ~]# vi /etc/dovecot/conf.d/10-auth.conf
disable_plaintext_auth = no  ##line no 9 - uncomment and change from yes to no.
auth_mechanisms = plain login  ##line no 97 - add the text "login"
Open the /etc/dovecot/conf.d/10-master.conf and edit as shown below.
unix_listener auth-userdb {
    #mode = 0600
    user = postfix  ##line no 83 - uncomment and enter postfix
    group = postfix  ##line no 84 - uncomment and enter postfix
}
Start the dovecot service.
[root@server ~]# service dovecot start
Starting Dovecot Imap:                                     [  OK  ]
[root@server ~]# chkconfig dovecot on 

Test Dovecot

The lines without a +OK prefix (user, pass, list, retr 1, quit) are entered by the user; the rest are Dovecot's replies.
[root@server ~]# telnet localhost pop3
Trying ::1...
Connected to localhost.
Escape character is '^]'.
+OK Dovecot ready.
user user1
+OK
pass user1
+OK Logged in.
list
+OK 1 messages:
1 428
.
retr 1
+OK 428 octets
Return-Path: <user1@ostechnix.com>
X-Original-To: user1
Delivered-To: user1@ostechnix.com
Received: from localhost (localhost [IPv6:::1])
 by server.ostechnix.com (Postfix) with ESMTP id 117113FF18
 for <user1>; Thu,  7 Feb 2013 17:05:32 +0530 (IST)
Message-Id: <20130207113547.117113FF18@server.ostechnix.com>
Date: Thu,  7 Feb 2013 17:05:32 +0530 (IST)
From: user1@ostechnix.com
To: undisclosed-recipients:;
test
.
quit 
+OK Logging out.
Connection closed by foreign host.
[root@server ~]# 
Dovecot is working now.
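An added example, not from the tutorial: a small audit script that parses the main.cf, Dovecot conf.d and /etc/selinux/config settings this tutorial tells you to set and reports the ones that weaken the server (the cleartext "pass user1" seen in the POP3 test above, SMTP without STARTTLS as the EHLO reply shows, SELinux off, and any relay range that is not local). The parser, the LOCAL_RANGES list and the finding texts are my assumptions; the embedded input is the tutorial's own values.

```python
"""Added example, not part of the tutorial: parse the key = value lines the
tutorial puts into main.cf, the Dovecot conf.d files and /etc/selinux/config
and report the settings that weaken the server."""
import ipaddress
import re

# key = value, optionally followed by the tutorial's "##line no ..." note
SETTING_RE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*(?:##.*)?$")

# Assumption: only loopback and RFC 1918 ranges may relay without authenticating
LOCAL_RANGES = [ipaddress.ip_network(n) for n in
                ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "::1/128")]


def parse_settings(text: str) -> dict:
    """Return {key: value}; skips '#' comment lines and block lines such as
    'unix_listener auth-userdb {' that are not a key = value assignment."""
    settings = {}
    for line in text.splitlines():
        if line.strip().startswith("#"):
            continue
        m = SETTING_RE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def audit_mynetworks(value: str) -> list:
    """Hosts in mynetworks relay without authenticating, so every entry
    must fall inside LOCAL_RANGES; anything wider is reported."""
    findings = []
    for entry in (e.strip() for e in value.split(",") if e.strip()):
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            findings.append(f"postfix: cannot parse mynetworks entry {entry!r}")
            continue
        if not any(net.version == r.version and net.subnet_of(r) for r in LOCAL_RANGES):
            findings.append(f"postfix: mynetworks entry {entry} lets non-local hosts relay")
    return findings


def audit(postfix: dict, dovecot: dict, selinux: dict) -> list:
    findings = audit_mynetworks(postfix.get("mynetworks", ""))
    # Without smtpd_tls_security_level Postfix never offers STARTTLS (the
    # tutorial's EHLO reply lists none) while listening on every interface.
    if postfix.get("inet_interfaces") == "all" and "smtpd_tls_security_level" not in postfix:
        findings.append("postfix: inet_interfaces = all without smtpd_tls_security_level, SMTP is cleartext")
    # disable_plaintext_auth = no lets 'pass user1' cross the wire unencrypted.
    if dovecot.get("disable_plaintext_auth", "yes") == "no":
        findings.append("dovecot: disable_plaintext_auth = no sends passwords in the clear over IMAP/POP3")
    if selinux.get("SELINUX") == "disabled":
        findings.append("selinux: SELINUX=disabled removes confinement from postfix, dovecot and httpd")
    return findings


# Constructed input: the values this tutorial tells the reader to set.
TUTORIAL_MAIN_CF = """\
myhostname = server.ostechnix.com ##line no 75 - uncomment and enter your host name
mydomain = ostechnix.com  ##line no 83 - uncomment and enter your domain name
myorigin = $mydomain  ##line no 99 - uncomment
inet_interfaces = all  ##line no 116 - change to all
mynetworks = 192.168.1.0/24, 127.0.0.0/8  ##line no 264 - uncomment and add your network range
home_mailbox = Maildir/  ##line no 419 - uncomment
"""
TUTORIAL_DOVECOT = """\
protocols = imap pop3 lmtp
mail_location = maildir:~/Maildir  ##line no 24 - uncomment
disable_plaintext_auth = no  ##line no 9 - uncomment and change from yes to no.
auth_mechanisms = plain login  ##line no 97 - add the text "login"
unix_listener auth-userdb {
    #mode = 0600
    user = postfix  ##line no 83 - uncomment and enter postfix
"""
TUTORIAL_SELINUX = "SELINUX=disabled\nSELINUXTYPE=targeted\n"


def run_audit(main_cf=TUTORIAL_MAIN_CF, dovecot_conf=TUTORIAL_DOVECOT,
              selinux_conf=TUTORIAL_SELINUX) -> list:
    return audit(parse_settings(main_cf), parse_settings(dovecot_conf),
                 parse_settings(selinux_conf))


if __name__ == "__main__":
    for finding in run_audit():
        print(finding)
```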

Install Squirrelmail

Install the EPEL repository first, then install the SquirrelMail package from it.
[root@server ~]# wget http://dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
[root@server ~]# rpm -ivh epel-release-6-8.noarch.rpm 
[root@server ~]# yum install squirrelmail
[root@server ~]# service httpd start
Starting httpd:                                            [  OK  ]
[root@server ~]# chkconfig httpd on
[root@server ~]# 

Configure Squirrelmail

Go to the SquirrelMail config directory and run ./conf.pl to start the configuration, as shown below.
[root@server ~]# cd /usr/share/squirrelmail/config/
[root@server config]# ./conf.pl 
SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1.  Organization Preferences
2.  Server Settings
3.  Folder Defaults
4.  General Options
5.  Themes
6.  Address Books
7.  Message of the Day (MOTD)
8.  Plugins
9.  Database
10. Languages
D.  Set pre-defined settings for specific IMAP servers
C   Turn color off
S   Save data
Q   Quit
Command >>1 
Select option 1 and set organization details.
SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Organization Preferences
1.  Organization Name      : Ostechnix
2.  Organization Logo      : ../images/sm_logo.png
3.  Org. Logo Width/Height : (308/111)
4.  Organization Title     : Welcome to Ostechnix webmail
5.  Signout Page           : 
6.  Top Frame              : _top
7.  Provider link          : http://ostechnix.com
8.  Provider name          : Ostechnix
R   Return to Main Menu
C   Turn color off
S   Save data
Q   Quit
Command >>R 
Press R to return to the main menu and select option 2. Enter your domain name and select dovecot in the Sendmail or SMTP parameter.
SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Server Settings
General
-------
1.  Domain                 : ostechnix.com
2.  Invert Time            : false
3.  Sendmail or SMTP       : SMTP
A.  Update IMAP Settings   : localhost:143 (uw)
B.  Update SMTP Settings   : localhost:25
R   Return to Main Menu
C   Turn color off
S   Save data
Q   Quit
Command >> S
Once you are done, press S to save the data and Q to exit.
Add the following lines at the end of the httpd.conf file.
[root@server ~]# vi /etc/httpd/conf/httpd.conf
Alias /squirrelmail /usr/share/squirrelmail
<Directory /usr/share/squirrelmail>
    Options Indexes FollowSymLinks
    RewriteEngine On
    AllowOverride All
    DirectoryIndex index.php
    Order allow,deny
    Allow from all
</Directory>
Restart the httpd service. 
[root@server ~]# service httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]
[root@server ~]# 

Create Users

[root@server ~]# useradd user1
[root@server ~]# useradd user2
[root@server ~]# passwd user1
[root@server ~]# passwd user2
Open a browser on any client and type the following in the address bar.
http://serveripaddress/webmail
or
http://yourdomainname/webmail
Now let us compose a mail from user1 to user2. Refer to the screenshot below.
Then sign out and sign back in as user2.
That's it. We have received the mail from user1. If you have any issues with the configuration, post them in the comment section.
Have a good day.

Wednesday, November 28, 2012

ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: NO)?

You can still access your database and even reset your password using the command prompt. However, first you should check your my.cnf file, where your password is stored.

1. Stop your MySQL server completely. This can be done by accessing the Services window inside Windows XP and Windows Server 2003, where you can stop the MySQL service.

2. Open your MS-DOS command prompt using "cmd" inside the Run window. Inside it navigate to your MySQL bin folder, such as C:\MySQL\bin using the cd command.

3. Execute the following command in the command prompt: mysqld.exe -u root --skip-grant-tables

4. Leave the current MS-DOS command prompt as it is, and open a new MS-DOS command prompt window.

5. Navigate to your MySQL bin folder, such as C:\MySQL\bin using the cd command.

6. Enter "mysql" and press enter.

7. You should now have the MySQL command prompt working. Type "use mysql;" so that we switch to the "mysql" database.

8. Execute the following command to update the password:

UPDATE user SET Password = PASSWORD('NEW_PASSWORD') WHERE User = 'root';

At this point you can run any SQL command that you wish.

After you are finished, close the first command prompt and type "exit;" in the second command prompt window to disconnect. You can now start the MySQL service.

Hope this helps.

Wednesday, August 29, 2012

Setting up email server on CentOS 6.2

Setting up email server on CentOS 6.2 within 5 minutes

If you have only 5 minutes, you can still set up an email server on CentOS 6.2. Don't waste it :)

This email server supports SMTP (TCP port 25) and IMAPS (secure IMAP, TCP port 993). You can then specify it as the outgoing and incoming email server in an email client such as Thunderbird on your PC.

1. Install packages

Three packages are required for this. Install them if you haven't done so yet.
$yum install sendmail
$yum install sendmail-cf
$yum install dovecot

The role of sendmail is to receive emails destined for you and keep them in your mailbox on the email server. Dovecot then delivers those emails to your PC when you open Thunderbird or Microsoft Outlook. For outgoing email, Thunderbird first contacts sendmail, and sendmail relays the email to its final destination for you.

2. Configure sendmail

You just need to change 2 lines in the configuration file /etc/mail/sendmail.mc.

Comment out this line to allow receiving email from anywhere:
dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl


Add this line:
FEATURE(`relay_hosts_only')dnl
Add your PC's full hostname to this file (create the file if it doesn't exist):
/etc/mail/relay-domains

After changing the configuration file, run these commands to activate it.

$/etc/mail/make
$service sendmail start

3. Configure dovecot

You just need to edit two files.

In /etc/dovecot/dovecot.conf, edit these two lines:
protocols = imap
listen = *, ::

In /etc/dovecot/conf.d/10-mail.conf, edit these 3 lines:

mail_location = mbox:~/mail:INBOX=/var/mail/%u
mail_privileged_group = mail
mbox_write_locks = dotlock fcntl

Start the dovecot service:
$service dovecot start
4. (Optional) Reconfigure iptables only if you are already using iptables
Add these 2 lines to /etc/sysconfig/iptables to let mail through the firewall.

-A INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 993 -j ACCEPT

Then restart iptables:
$service iptables restart

DONE
This is it. Of course, you can do more to enhance the security level of your email server. For example, you can make sendmail more secure by using SMTP over SSL. Feel free to suggest any idea about this article. Thanks.

Tuesday, August 28, 2012

"CON" Folder On Desktop

This is a very common question: why can't we create a folder named CON, NUL, COM1 to COM9 or LPT1 to LPT9?

But here we will create a folder with one of these names.

You need to follow these steps carefully.

STEP1: Go to the command prompt.

STEP2: Type md "\\.\c:\con" (with the quotes).

The above command creates the folder named "con" in drive C:.

To create that folder on your desktop (for Windows XP), replace c:\con with the FULL PATH of your Desktop. For example:

md "\\.\C:\Documents and Settings\USER\Desktop\con" (where USER is your username)

(You MUST put the full path in double quotes ["] if it contains spaces.)

In Windows 98, your Desktop path would be C:\windows\Desktop (where C: is the drive letter of your Windows installation).

That is all about creating the folder.

BUT DON'T STOP HERE
After creating such a folder, you can't delete it by simply pressing the DEL key.
To delete this kind of folder, use the same command with MD replaced by RD. For example:

rd "\\.\c:\con" (with the quotes; they are required if the path contains spaces)

Wednesday, December 21, 2011

Delete Failed DCs from Active Directory

How can I delete a failed Domain Controller object from Active Directory?

When you try to remove a domain controller from your Active Directory domain by using Dcpromo.exe and fail, or when you begin to promote a member server to be a Domain Controller and fail (the reasons for the failure are not important for the scope of this article), you will be left with the remains of the DC's objects in Active Directory. As part of a successful demotion process, the Dcpromo wizard removes the configuration data for the domain controller from Active Directory, but as noted above, a failed Dcpromo attempt might leave these objects in place.
The effects of leaving such remains inside Active Directory may vary, but one thing is sure: whenever you try to re-install the server with the same computer name and promote it to become a Domain Controller, you will fail, because the Dcpromo process will still find the old object and therefore will refuse to re-create the objects for the new-old server.
In the event that the NTDS Settings object is not removed correctly, you can use the Ntdsutil.exe utility to remove the NTDS Settings object manually.
If you give the new domain controller the same name as the failed computer, you need to perform only the first procedure to clean up metadata, which removes the NTDS Settings object of the failed domain controller. If you give the new domain controller a different name, you need to perform all three procedures: clean up metadata, remove the failed server object from the site, and remove the computer object from the Domain Controllers container.
You will need the following tools: Ntdsutil.exe, Active Directory Sites and Services, and Active Directory Users and Computers.
Also, make sure that you use an account that is a member of the Enterprise Admins universal group.
Caution: Using the Ntdsutil utility incorrectly may result in partial or complete loss of Active Directory functionality.
To clean up metadata
  1. At the command line, type Ntdsutil and press ENTER.
C:\WINDOWS>ntdsutil
ntdsutil:
  2. At the Ntdsutil: prompt, type metadata cleanup and press Enter.
ntdsutil: metadata cleanup
metadata cleanup:
  3. At the metadata cleanup: prompt, type connections and press Enter.
metadata cleanup: connections
server connections:
  4. At the server connections: prompt, type connect to server <servername>, where <servername> is the domain controller (any functional domain controller in the same domain) from which you plan to clean up the metadata of the failed domain controller. Press Enter.
server connections: connect to server server100
Binding to server100 ...
Connected to server100 using credentials of locally logged on user.
server connections:
Note: Windows Server 2003 Service Pack 1 eliminates the need for the above step.
  5. Type quit and press Enter to return to the metadata cleanup: prompt.
server connections: q
metadata cleanup:
  6. Type select operation target and press Enter.
metadata cleanup: Select operation target
select operation target:
  7. Type list domains and press Enter. This lists all domains in the forest with a number associated with each.
select operation target: list domains
Found 1 domain(s)
0 - DC=dpetri,DC=net
select operation target:
  8. Type select domain <number>, where <number> is the number corresponding to the domain in which the failed server was located. Press Enter.
select operation target: Select domain 0
No current site
Domain - DC=dpetri,DC=net
No current server
No current Naming Context
select operation target:
  9. Type list sites and press Enter.
select operation target: List sites
Found 1 site(s)
0 - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
select operation target:
  10. Type select site <number>, where <number> refers to the number of the site in which the domain controller was a member. Press Enter.
select operation target: Select site 0
Site - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
Domain - DC=dpetri,DC=net
No current server
No current Naming Context
select operation target:
  11. Type list servers in site and press Enter. This will list all servers in that site with a corresponding number.
select operation target: List servers in site
Found 2 server(s)
0 - CN=SERVER200,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
1 - CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
select operation target:
  12. Type select server <number> and press Enter, where <number> refers to the domain controller to be removed.
select operation target: Select server 0
Site - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
Domain - DC=dpetri,DC=net
Server - CN=SERVER200,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
 DSA object - CN=NTDS Settings,CN=SERVER200,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
 DNS host name - server200.dpetri.net
 Computer object - CN=SERVER200,OU=Domain Controllers,DC=dpetri,DC=net
No current Naming Context
select operation target:
  13. Type quit and press Enter. The Metadata cleanup menu is displayed.
select operation target: q
metadata cleanup:
  14. Type remove selected server and press Enter.
You will receive a warning message. Read it, and if you agree, press Yes.