
Sunday, March 14, 2021

Recover Active Directory after Ransomware Attack if you only have VM Snapshot

Description:

You have a security incident in Active Directory: a ransomware attack has encrypted your vCenter infrastructure, including the Domain Controllers. All you have left is a VM snapshot taken a month before the attack.

Resolution:

Although a VM snapshot is not a recommended Active Directory backup method (it is not an application-consistent system state backup, and restoring one on a DC that still has replication partners causes USN rollback), in this situation you use what you have.

The following is high-level guidance.

1. Choose a snapshot from a point in time before the malware or malicious file entered your production environment.

2. Recover only a single Domain Controller from the snapshot, preferably one that does not hold any Flexible Single Master Operation (FSMO) role. The remaining DCs will be rebuilt from scratch and populated through AD replication. The restored DC must never replicate with any DC that survived the attack: the snapshot is a rollback of that DC's state, so any surviving partner would treat it as a USN rollback.

3. Perform the recovery on an isolated network, so the restored DC cannot be reinfected from production or replicate with it.

4. Verify that Active Directory recovered successfully (for example with dcdiag) and that the SYSVOL and NETLOGON shares are published; until they are, the DC does not advertise itself.

5. Seize all FSMO roles to the recovered Domain Controller, then perform metadata cleanup to remove the remaining (lost) DCs from the directory.

6. Raise the available RID pool so that no RID issued after the snapshot was taken can ever be reused.

7. Reset the passwords of all high-privilege accounts twice, including the krbtgt account.

8. Apply security patches and update the antivirus.

9. Connect the recovered Domain Controller to the production network.

10. Re-create user accounts or re-join computers to the domain as needed; anything created or changed after the snapshot was taken is missing.

11. Continue building new Domain Controllers from clean machines as needed.
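The following script is an added worked example of steps 4 to 7, not part of the original post. It is run from an elevated PowerShell session on the single recovered DC while it is still on the isolated network. The DC name `DC01` and the list of privileged groups are assumptions; adjust them to your environment.

```powershell
# Added example (not from the original post): post-restore steps 4-7 on the
# single recovered DC, run while it is still isolated. DC01 is an assumed name.
Import-Module ActiveDirectory

$RecoveredDc = 'DC01'

# Step 4: SYSVOL and NETLOGON must be shared, otherwise the DC is not advertising.
Get-SmbShare -Name SYSVOL, NETLOGON | Format-Table Name, Path
dcdiag /test:sysvolcheck /test:advertising

# Step 5a: seize every FSMO role onto the recovered DC. -Force seizes the role;
# a normal transfer would fail because no role holder is reachable any more.
Move-ADDirectoryServerOperationMasterRole -Identity $RecoveredDc `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster `
    -Force -Confirm:$false
netdom query fsmo

# Step 5b: metadata cleanup. Every other DC the directory still knows about is
# gone (encrypted), so remove it; otherwise the restored DC keeps waiting for
# replication partners that will never return.
$deadDcs = Get-ADDomainController -Filter * | Where-Object { $_.Name -ne $RecoveredDc }
foreach ($dc in $deadDcs) {
    # NTDSSettingsObjectDN is "CN=NTDS Settings,CN=<server>,..."; ntdsutil wants the server DN.
    $serverDn = ($dc.NTDSSettingsObjectDN -split ',', 2)[1]
    Write-Host "Removing stale DC metadata: $serverDn"
    ntdsutil "metadata cleanup" "remove selected server $serverDn" quit quit
}

# Step 6: raise the available RID pool. rIDAvailablePool is one 64-bit value:
# high 32 bits = highest RID the domain may ever issue, low 32 bits = next RID.
# Adding 100,000 to the low part (the figure Microsoft's forest-recovery guidance
# uses) guarantees that RIDs handed out after the snapshot are never reissued.
$domainDn   = (Get-ADDomain).DistinguishedName
$ridManager = Get-ADObject "CN=RID Manager$,CN=System,$domainDn" -Properties rIDAvailablePool
$pool       = [int64]$ridManager.rIDAvailablePool
$high       = $pool -shr 32
$low        = $pool -band 0xFFFFFFFF
$newPool    = ($high -shl 32) + ($low + 100000)
Set-ADObject -Identity $ridManager -Replace @{ rIDAvailablePool = $newPool }
Write-Host "RID pool: next RID was $low, now $($low + 100000)"

# Step 7: reset high-privilege passwords twice. Two resets push the old
# (possibly stolen) secret out of password history and, for krbtgt, out of the
# previous key that Kerberos still accepts. The value supplied for krbtgt is
# ignored; AD generates its own random key.
function New-RandomPassword([int]$Length = 24) {
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $chars = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*'
    -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
}

# Assumed list of privileged groups; extend it with your own admin groups.
$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
                    'Account Operators', 'Backup Operators', 'Server Operators'
$targets = foreach ($g in $privilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive | Where-Object { $_.objectClass -eq 'user' }
}
$targets = @($targets | Sort-Object -Property distinguishedName -Unique) + (Get-ADUser krbtgt)

foreach ($acct in $targets) {
    1..2 | ForEach-Object {
        $pw = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
        Set-ADAccountPassword -Identity $acct.DistinguishedName -Reset -NewPassword $pw
    }
    Write-Host "Reset twice: $($acct.SamAccountName)"
}
```

Two resets of krbtgt in quick succession are acceptable here only because the recovered DC is alone on an isolated network; in a multi-DC forest you wait for replication to complete between the two resets so that tickets issued against the intermediate key are not rejected. The random passwords generated for the admin accounts are throwaway values; the account owners set their own passwords once the domain is back in production.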

Note*:

This guidance assumes you can obtain a snapshot from before the attack occurred. Attackers often have a foothold in the environment for many months before they encrypt anything, which makes recovering from a snapshot less useful: a snapshot that predates the encryption may still contain the attacker's backdoors and stolen credentials.
