OutkastN8 Posted April 3, 2018

OK, so I work in a domain environment and one of my machines has somehow lost the domain trust relationship. I attempted to reset the account in AD and had no luck, so then I think, no big deal, I'll log in as a local admin and then rejoin it, right? Wrong. I log in as the local admin account that is standard on our network when we image a machine, and somehow it is no longer part of the group "Administrators." So I have a few backup accounts to try: one being an admin account for our help desk and one a service account for auditing and other use. Both of these accounts are also either not part of the local Administrators group anymore or they have been disabled. I tried unplugging the network cable and logging in, as well as PowerShell scripts and other things from safe mode, but so far cannot get admin-level access. I can log in to the desktop but I'm stuck. How do you think these accounts got removed from the Administrators group, and how did the machine randomly lose domain trust? Were we hacked?

Broti Posted April 4, 2018

Have you checked the logs for anything suspicious? Is the system reachable from somewhere outside its LAN? By the way, which OS exactly?

barry99705 Posted April 5, 2018

If it's just one machine, I'd just reimage it and change the domain admin passwords. Could be a virus, could just be Windows being Windows.

Dave-ee Jones Posted April 5, 2018

The most common cause of DC trust relationships being lost is time syncing. Could be the PC's time had been changed, or the server it was grabbing time from went down for a while (or was just wrong). Daylight savings could have done that, for example, and that was only a few days ago, which makes sense because you would have encountered it at a similar time, posting here maybe a day after thinking it was a hack and going to some hacking forums to seek advice. Although, just to be safe, I would re-image it and change DC passwords. Can't be too careful.

PoSHMagiC0de Posted April 5, 2018

I second Dave-ee on time. It has bitten me many times in an AD environment. Normally, hackers do not knock machines off the domain. They would want them to stay on the domain so they can interact with it. Of course a script kitty knows no better. Anyway, I would reimage to be safe. Since you logged in with all your Domain Admin accounts I would change those too, hehe.
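An added example, written for this page and not posted by anyone in the thread: a PowerShell triage script for the situation OutkastN8 describes. It reads the three things the replies above point at (clock offset against a domain controller, the state of the machine's secure channel, and who is actually in the local Administrators group) and does the event-log check Broti asked for. Kerberos refuses authentication when client and DC clocks differ by more than the domain's tolerance, 5 minutes by default, so the offset is the first number to look at; the other common cause of a broken trust is a computer-account password mismatch (typical after restoring a VM snapshot), which shows up as a failed secure channel with a correct clock. The DC name and the repair account are placeholders. It needs an elevated Windows PowerShell 5.1 session on the affected machine while it is on the LAN; Get-LocalGroupMember needs Windows 10 / Server 2016 or later, and the Security-log events only exist if account- and group-management auditing is enabled.

```powershell
# Added example (not from the thread). Placeholders: $DC, $RepairAccount.
$DC            = 'dc01.corp.example'     # a domain controller (assumption)
$RepairAccount = 'CORP\helpdesk-admin'   # account allowed to reset the computer account (assumption)

function Get-ClockOffsetSeconds {
    # Average offset of this machine's clock against $Server, via w32tm.
    # /dataonly output lines look like "14:02:11, +00.0123456s"; error lines do not match and are skipped.
    param([Parameter(Mandatory)][string]$Server)
    $lines = & w32tm /stripchart /computer:$Server /samples:3 /dataonly 2>&1
    $offsets = foreach ($line in $lines) {
        if ("$line" -match ',\s*([+-]\d+\.\d+)s') { [double]$Matches[1] }
    }
    if (-not $offsets) { return $null }   # DC unreachable or w32tm failed
    [math]::Round(($offsets | Measure-Object -Average).Average, 3)
}

function Get-RecentAccountEvents {
    # Security: 4732/4733 = member added to / removed from a security-enabled local group, 4725 = account disabled.
    # System/NETLOGON: 3210 = could not authenticate with a DC (machine password wrong), 5719 = no secure session to a DC.
    param([int]$Days = 14)
    $since = (Get-Date).AddDays(-$Days)
    $sec = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4732, 4733, 4725; StartTime = $since } -ErrorAction SilentlyContinue
    $sys = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'NETLOGON'; Id = 3210, 5719; StartTime = $since } -ErrorAction SilentlyContinue
    @($sec) + @($sys) | Sort-Object TimeCreated |
        Select-Object TimeCreated, LogName, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
}

function Invoke-TrustTriage {
    param([Parameter(Mandatory)][string]$DomainController)
    $offset = Get-ClockOffsetSeconds -Server $DomainController
    $withinSkew = $null
    if ($null -ne $offset) { $withinSkew = [math]::Abs($offset) -lt 300 }   # 5-minute Kerberos default
    $admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
        ForEach-Object { "$($_.Name) [$($_.PrincipalSource)]" }
    [pscustomobject]@{
        ClockOffsetSeconds      = $offset
        ClockWithinKerberosSkew = $withinSkew
        SecureChannelOk         = Test-ComputerSecureChannel -Server $DomainController -ErrorAction SilentlyContinue
        LocalAdmins             = ($admins -join '; ')
        RecentEvents            = Get-RecentAccountEvents
    }
}

$triage = Invoke-TrustTriage -DomainController $DC
$triage | Format-List ClockOffsetSeconds, ClockWithinKerberosSkew, SecureChannelOk, LocalAdmins
$triage.RecentEvents | Format-Table -AutoSize

# Remediation, deliberately not run automatically:
#   - clock off: fix time first (w32tm /resync) and run the triage again;
#   - clock fine but SecureChannelOk is False: reset the computer account password in place with
#       Test-ComputerSecureChannel -Repair -Server $DC -Credential (Get-Credential $RepairAccount)
#     which avoids a disjoin/rejoin. Both steps need local admin on the box.
```

Read the result in order: a large offset means the time story above fits; a good clock with a failed secure channel points at the machine password; and 4733/4725 entries in RecentEvents are the only way, short of a GPO change log, to see who or what removed the local admins. The -Repair step needs exactly the local admin rights OutkastN8 had lost, which is why reimaging ended up being the remaining option in this thread.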
The Power Company Posted April 5, 2018

8 hours ago, PoSHMagiC0de said:
    Normally, hackers do not knock machines off the domain.

Really? I thought that hackers were supposed to be as noisy as possible when infiltrating a network!

OutkastN8 Posted April 19, 2018 (Author)

Just to update the thread: you guys were right. I spoke to the GPO team and they said that on rare occasions they have seen something in the GPO knock the machine off the domain during updates on reboot, and then the local admin accounts get wiped also. They were surprised that the Enterprise Admin account could not be activated when they tried, but I ended up having to re-image this machine to remedy the issue. Thanks to everyone who responded quickly.

barry99705 Posted April 20, 2018

Wow, GPO team. Big company!

OutkastN8 Posted April 22, 2018 (Author)

Yeah, it's a pretty decent size. We are under the umbrella of a company called BCG that buys up a bunch of smaller companies to leverage their ability to control the market share in that industry. The one I work for is pretty big also by itself, http://www.ngkf.com/; we have about 400 offices around the world, so yeah, there is a team that manages GPO along with other things for us and our subsidiaries/partners. It becomes a huge mess though, because, as you can imagine, the communication and ability to keep everyone on the same page gets more and more difficult the larger you become. I myself just do general IT but would like to move into info security in the future. Just trying to wrap my head around all I've missed over the years. Love this site and their YouTube channel though. Great source of info.

Ittechpros Posted November 18, 2018

If you eliminate the network connection portion, and don't have time to format etc., and you have eliminated a security breach, typically I would disjoin from the domain, rename the machine, and re-join. Make sure you remove any entries of the old machine within DNS/DHCP.
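Ittechpros' disjoin / rename / rejoin procedure, scripted as an added example (not Ittechpros' own code). Every value in the settings block is a placeholder. Steps 1 and 2 run on the workstation in an elevated Windows PowerShell 5.1 session (Add-Computer and Remove-Computer are not available in PowerShell 7) and each ends in a reboot, so they are separate functions rather than one straight run; step 3 runs on a DC or a management host with the DnsServer, DhcpServer and ActiveDirectory modules and cleans up what the post says to remove, plus the old computer object, which Remove-Computer only disables. As in the thread, this assumes local admin on the box and a reachable DC, and that a breach has already been ruled out.

```powershell
# Added example (not from the thread). Every value below is a placeholder.
$Domain      = 'corp.example'
$DC          = 'dc01.corp.example'
$OldName     = 'WS-0123'
$NewName     = 'WS-0123A'                 # a new name avoids colliding with the old object and its DNS records
$ForwardZone = 'corp.example'
$ReverseZone = '0.10.10.in-addr.arpa'
$ScopeId     = '10.10.0.0'
$JoinAccount = "$Domain\helpdesk-admin"   # may join computers and (for step 3) edit DNS/DHCP/AD

# Step 1 - on the workstation: leave the domain for a workgroup and reboot.
function Invoke-Disjoin {
    $cred = Get-Credential $JoinAccount
    Remove-Computer -UnjoinDomainCredential $cred -WorkgroupName 'WORKGROUP' -Force -PassThru -Restart
}

# Step 2 - on the workstation after that reboot: rename and join in one operation against a named DC, then reboot.
function Invoke-Rejoin {
    $cred = Get-Credential $JoinAccount
    Add-Computer -DomainName $Domain -Server $DC -NewName $NewName -Credential $cred -Force -PassThru -Restart
}

# Step 3 - on a DC / management host: remove everything still registered under the old name.
function Clear-StaleRecords {
    param([switch]$WhatIf)
    # Forward (A) records for the old host name
    Get-DnsServerResourceRecord -ComputerName $DC -ZoneName $ForwardZone -Name $OldName -RRType A -ErrorAction SilentlyContinue |
        Remove-DnsServerResourceRecord -ComputerName $DC -ZoneName $ForwardZone -Force -WhatIf:$WhatIf
    # Reverse (PTR) records that still point at the old FQDN
    Get-DnsServerResourceRecord -ComputerName $DC -ZoneName $ReverseZone -RRType Ptr -ErrorAction SilentlyContinue |
        Where-Object { $_.RecordData.PtrDomainName -like "$OldName.*" } |
        Remove-DnsServerResourceRecord -ComputerName $DC -ZoneName $ReverseZone -Force -WhatIf:$WhatIf
    # DHCP leases registered under the old host name
    Get-DhcpServerv4Lease -ComputerName $DC -ScopeId $ScopeId |
        Where-Object { $_.HostName -like "$OldName*" } |
        Remove-DhcpServerv4Lease -ComputerName $DC -WhatIf:$WhatIf
    # Remove-Computer disables the old computer object but does not delete it; remove it so it cannot be reused.
    Get-ADComputer -Identity $OldName -Server $DC -ErrorAction SilentlyContinue |
        Remove-ADComputer -Server $DC -Confirm:$false -WhatIf:$WhatIf
}

# Usage, in order and on the right hosts:
#   Invoke-Disjoin            (workstation, reboots)
#   Invoke-Rejoin             (workstation, reboots)
#   Clear-StaleRecords -WhatIf   then   Clear-StaleRecords   (DC / management host)
```

Run Clear-StaleRecords with -WhatIf first and read the list; the same host name may legitimately own a reservation or a static record that someone else expects to keep.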
barry99705 Posted November 20, 2018

Pretty sure they've fixed it sometime in the last 7 months.

Ittechpros Posted November 20, 2018

That's a fair assumption. But my solution still stands for anyone else who may need help.

nickelz34 Posted September 18, 2019

^^^^ 👍 Had something similar happen on a NAS server I needed to update once. It would update most packages from the designated repos, but once it got to the ones that were secure connections (SSL), it would fail to download them. After some time passed, other methods were tried and all failed. It wasn't until I read the installation notes, just trying to find anything that could be missed and checking each one, that I noticed daylight savings time was set incorrectly, as well as the date and time. After correction, SSL-based repos updated all packages as they were supposed to, since they could now properly verify certificates with the proper date and time. Needless to say, we ALMOST re-imaged this box! Which may have fixed it at the time, since we probably would have set the date and time etc. upon new install instead of excitedly clicking through things. But we would have lost a lot of time as well, since a lot of data would have been missing with the previous image saved.
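The NAS failure above is the same mechanism as the domain trust problem in a different dress: a TLS client compares the current clock with the certificate's NotBefore and NotAfter, so a wrong clock makes a perfectly good certificate look expired or not yet valid, and the download is refused. An added example, not from nickelz34 or anyone in the thread, in PowerShell (the one language used for examples on this page): it validates a certificate under a clock of your choosing via X509ChainPolicy.VerificationTime, so the failure can be reproduced without touching the system time, and includes a helper to pull a live server's leaf certificate for the same test. 'repo.example' is a placeholder host; the specimen certificate is taken from the local trusted root store, which assumes Windows or a pwsh with a populated Cert: drive.

```powershell
# Added example (not from the thread): how a wrong clock shows up in X.509 chain validation.

function Test-CertificateAtTime {
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)][datetime]$VerificationTime
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.VerificationTime = $VerificationTime        # "pretend the clock says this"
    $chain.ChainPolicy.RevocationMode   = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck  # stay offline
    $ok = $chain.Build($Certificate)
    $statusText = (@($chain.ChainStatus | ForEach-Object { $_.Status.ToString() }) -join ', ')
    if (-not $statusText) { $statusText = 'NoError' }
    [pscustomobject]@{
        Subject          = $Certificate.Subject
        NotBefore        = $Certificate.NotBefore
        NotAfter         = $Certificate.NotAfter
        VerificationTime = $VerificationTime
        ChainValid       = $ok
        ClockProblem     = ($statusText -match 'NotTimeValid')   # the flag a skewed clock produces
        Status           = $statusText
    }
}

# Specimen: any currently valid certificate from the machine's trusted root store.
$cert = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.NotBefore -lt (Get-Date) -and $_.NotAfter -gt (Get-Date) } |
    Select-Object -First 1

# Same certificate, three clocks: correct, a year past expiry, a year before issue.
# Only the first is ChainValid; the other two report NotTimeValid and ClockProblem = True.
Test-CertificateAtTime -Certificate $cert -VerificationTime (Get-Date)                    | Format-List
Test-CertificateAtTime -Certificate $cert -VerificationTime $cert.NotAfter.AddYears(1)    | Format-List
Test-CertificateAtTime -Certificate $cert -VerificationTime $cert.NotBefore.AddYears(-1)  | Format-List

# The same check against a live TLS endpoint (e.g. a package repo): fetch the leaf certificate,
# accepting anything at the transport level so the judgement is left to Test-CertificateAtTime.
function Get-TlsLeafCertificate {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $tcp.Close() }
}
# Test-CertificateAtTime -Certificate (Get-TlsLeafCertificate 'repo.example') -VerificationTime (Get-Date)
```

If the live check returns ClockProblem = True while NotBefore and NotAfter bracket today's real date, the clock on the client is wrong, not the certificate, and the fix is the one nickelz34 found: correct date, time and time zone, then retry. Keep Get-TlsLeafCertificate for diagnosis only; its accept-everything callback must never end up in code that actually trusts the connection.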
This topic is now archived and is closed to further replies.