  1. Senior Member
    Join Date
    May 2006
    Location
    Manchester England
    Posts
    179

    Certifications
    CCNA - Cisco Academy Grad. MCTS Vista Config. ITIL V3.
    #1

    Active Directory 2003; VANISHING USER OBJECTS!!!

    Good Evening All,

    Active Directory is not my area... AT ALL. I carry out administration within AD 2003 and that's where my involvement in my corporate environment starts and ends. Recently, for no apparent reason whatsoever, about 35% of our user accounts vanished from within Active Directory. All within the same domain and from within multiple organisational units. The deleted accounts appear completely random and we can't see any pattern! AD is integrated with Exchange and the Exchange accounts were NOT affected. It's also worth mentioning that we recently implemented the Cisco Unity Voice Manager solution for user voice mail, which imports user accounts from within AD when first creating the Unity voicemail account. The Unity accounts also disappeared for the users whose AD accounts disappeared.

    We have 3 domain controllers upon the same network but geographically separated, that were all affected (one we even had to completely rebuild), and that all sync with one another. In the end we contacted Microsoft, who talked us through doing a state restore using our backups to the primary domain controller, and then we sync’d to the other two. Also, a "foot-print" facility that would have given us a clue as to why this occurred in the first place was not activated and isn't activated by default so we're completely clueless as to what created this issue in the first place.

    I’ve searched the internet high and low for possible answers! But found nothing. As I’m the most junior member of the team I’m sure that I’m seen as a possible cause even though I know 110% it had nothing to do with me as I hadn’t accessed AD or the domain servers for two days prior to the problems and even then it was only to add someone to an organisational unit. There’s nothing obvious in the event logs.

    Has anyone experienced anything similar or have a possible answer? Even a link to a website giving me a clue would be greatly appreciated.

    The board aren’t impressed that we have no explanation whatsoever as to why we had 6 hours where 35% of the company lost all access to the network and their email.

    Help! 

  3. Junior Member
    Join Date
    Aug 2008
    Location
    Grand Rapids MI
    Posts
    24

    Certifications
    CompTIA A+, MCP
    #2
    I don't know the answer either, however at my work we've seen AD objects vanish. Users had access to certain shares yesterday but the next day the group was missing. I am just on the helpdesk and do not have access to any logs -- but I wouldn't be surprised if it wasn't someone's intervention, whether it be a script that ran against the AD or something (at least in our case).

  4. wibble! bertieb's Avatar
    Join Date
    Jun 2007
    Location
    Up and down the UK
    Posts
    1,029

    Certifications
    MCSE:CP&I, SI, MCITPx2, MCSAx2, MCTSx7, VCP6/5/4/3(DCV), EMCISA, Sec+, ITILv3F, legacy MS
    #3

    Re: Active Directory 2003; VANISHING USER OBJECTS!!!

    I've certainly never heard of AD doing that 'on its own' as it were and there's no reason it should without a little prompt from an external source... it sounds like a dodgy script or someone's mistake (potentially malicious...)

    If you've no audit logging going on for the systems then I'd say it'll be impossible to nail the root cause, though I'd expect one of the AD superheroes on here (hero/royal to name a couple) may chime in with some advice.

    Unlucky, I work in Manchester too so it was probably you I heard screaming from my office

  5. Senior Member
    Join Date
    Jun 2007
    Location
    Atlanta, GA
    Posts
    212

    Certifications
    MCSE 2003, MCSA 2003, A+, Network+, Security+, MCTS Windows 7
    #4
    Is your Exchange server also one of the domain controllers?

  6. MIPS processor please Mishra's Avatar
    Join Date
    Feb 2007
    Location
    Ashburn, VA
    Posts
    2,468

    Certifications
    MCSA:2012, MCITP:EA/SA, MCSE 2003, MCTS: Vista, VCP4, AAS
    #5
    So you did a restore of the user objects and everything seems to be working just fine now?

  7. MIPS processor please Mishra's Avatar
    Join Date
    Feb 2007
    Location
    Ashburn, VA
    Posts
    2,468

    Certifications
    MCSA:2012, MCITP:EA/SA, MCSE 2003, MCTS: Vista, VCP4, AAS
    #6
    One place you might want to start looking is in your AD replication.

    Were the user accounts that were deleted all "new" users to your corporation (meaning none of the oldest accounts were deleted)?

  8. Senior Member
    Join Date
    May 2006
    Location
    Manchester England
    Posts
    179

    Certifications
    CCNA - Cisco Academy Grad. MCTS Vista Config. ITIL V3.
    #7
    Hi guys,

    Many thanks for your responses!

    Exchange and DCs are on separate servers.

    We restored the objects and all was working fine in that users could connect to the network again. As one of the domain servers had to be completely rebuilt there were other areas that suffered as a consequence... i.e. VPN and OWA.

    The Cisco Unity accounts didn't reappear, which my colleague is currently running through with NTL (the providers of our current Cisco telecoms solution).

    Matt

  9. Senior Member
    Join Date
    Mar 2006
    Location
    London UK
    Posts
    395

    Certifications
    MCSE:Messaging 2003, MCTS:Vista, MCTS EXCH 2007 Config
    #8
    Also, a "foot-print" facility that would have given us a clue as to why this occurred in the first place was not activated and isn't activated by default so we're completely clueless as to what created this issue in the first place.
    I'm assuming you're talking about turning on object access auditing in the Domain Controller Security Policy? If the 'Audit directory service access' option was enabled and the OU SACL in question has 'Delete User Objects' checked for success then I would use

    ldifde -f del.txt -d "CN=Deleted Objects,DC=your,DC=domain,DC=com" -r (objectclass=user) -p subtree -x -l DN

    to export your deleted items container to a file 'del.txt'. Then search for the DN of one of the users in question and use REPLMON's 'Show attribute meta-data for Active Directory Object' option. This will give you the 'isDeleted' attribute and tell you the originating DC and the date and time as long as it's within the tombstone period. Then check the event logs on that DC. I think the event ID is 630 for account deletions if I remember rightly.
    Up Next : Not sure
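
    As an added example (not part of the original post, and not Microsoft's tooling), this Python script parses an export like del.txt from the ldifde command above and pulls out each tombstone's original name and objectGUID, so the DN to look up in REPLMON is easy to find. It assumes tombstone DNs of the form CN=<name>\0ADEL:<GUID>; the function names and the sample entries are constructed for illustration.

```python
import base64
import re

# Tombstone RDN: original CN, a newline (written "\0A" in DN strings), then DEL:<objectGUID>.
TOMBSTONE = re.compile(r"^CN=(?P<name>.+?)\\0ADEL:(?P<guid>[0-9a-fA-F-]{36}),(?P<parent>.+)$")

def unfold(text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def deleted_users(ldif_text):
    """Return name, objectGUID and full DN for every tombstone DN in the export."""
    found = []
    for line in unfold(ldif_text):
        if line.startswith("dn:: "):      # base64 form: non-ASCII or control characters
            dn = base64.b64decode(line[5:]).decode("utf-8")
        elif line.startswith("dn: "):
            dn = line[4:]
        else:
            continue
        dn = dn.replace("\n", "\\0A")     # normalise a raw newline to the escaped form
        m = TOMBSTONE.match(dn)
        if m:
            found.append({"name": m["name"], "guid": m["guid"].lower(), "dn": dn})
    return found

def lookup(ldif_text, name):
    """Case-insensitive search for one user's tombstone by original CN."""
    return [u for u in deleted_users(ldif_text) if u["name"].lower() == name.lower()]

# Constructed sample export (not data from the thread): one folded plain DN,
# one base64 DN with a non-ASCII name, one live object that must be ignored.
_B64_DN = ("CN=Zo\u00eb Hart\nDEL:7c9e6679-7425-40de-944b-e07fc1f90ae7,"
           "CN=Deleted Objects,DC=example,DC=com")
SAMPLE = (
    "dn: CN=Alice Example\\0ADEL:3f2504e0-4f89-11d3-9a0c-0305e82c3301,CN=Deleted Obj\n"
    " ects,DC=example,DC=com\n"
    "changetype: add\n\n"
    "dn:: " + base64.b64encode(_B64_DN.encode("utf-8")).decode("ascii") + "\n"
    "changetype: add\n\n"
    "dn: CN=Bob Live,OU=Staff,DC=example,DC=com\n"
    "changetype: add\n"
)
```

    Calling deleted_users(open("del.txt").read()) on a real export gives the same list; if many tombstones share one deletion window, that is worth noting before checking the originating DC's Security log.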

  10. Senior Member
    Join Date
    May 2006
    Location
    Manchester England
    Posts
    179

    Certifications
    CCNA - Cisco Academy Grad. MCTS Vista Config. ITIL V3.
    #9
    Yeah this wasn't activated unfortunately... thanks for the response though!

  11. Senior Member
    Join Date
    Jun 2007
    Location
    Atlanta, GA
    Posts
    212

    Certifications
    MCSE 2003, MCSA 2003, A+, Network+, Security+, MCTS Windows 7
    #10
    This may be completely unrelated to what happened at your work but I have experienced something similar where AD user accounts were automatically deleted. My boss, in an effort to minimize downtime while replacing a domain controller/Exchange server, decided to do it with an image. Not sure what imaging tool was used. So the image was created while the DC was running, image was put on another server, original server brought down, new server brought up. Things seemed to go OK for a few hours but then a couple of user accounts in one OU disappeared. We had logging turned on and found that the accounts were deleted due to duplicate SIDs. I don't remember the event ID now. A few minutes later another account in the OU disappears. Then another... Long story short we took down the server and recreated the user accounts from scratch.

    I never found a definitive answer to what happened but my boss didn't know anything about FSMO roles and didn't transfer them when doing this.

    I think what happened may have had something to do with the RID master role but I still don't understand the guts of AD well enough to know what happened here. Or I may be way off. I just know you don't image domain controllers!

    Not sure if this sheds any light on what might have happened to you guys. Here is a link from Microsoft discussing why imaging a DC is a bad idea.

    http://www.microsoft.com/technet/ser....mspx?mfr=true
