Domain Controller infected ransomware

    Question

  • Hello There...

    I have 6 Domain Controllers, and my domain controller was infected with ransomware (.wallet files) that were placed in the Sysvol folder,

    and replicated to all domain controllers.

    1. How do I make the sysvol folder fresh, like on a new domain controller?

    2. Please advise.

    Thank You in Advance.

    Monday, February 13, 2017 9:44 AM

All replies

  • delete all .wallet files and restore from backup to the DFS namespace

    e.g. \\domain.co.uk\sysvol

    Monday, February 13, 2017 9:49 AM
  • Hi

     You can perform a D2/D4 restore from a successful backup; check the article for the process:

    https://support.microsoft.com/en-us/help/315457/how-to-rebuild-the-sysvol-tree-and-its-content-in-a-domain


    This posting is provided AS IS with no warranties or guarantees, and confers no rights. Best regards, Burak Uğur

    Monday, February 13, 2017 10:49 AM
  • Hi,

    I am checking how the issue is going; if you still have any questions, please feel free to contact us.

    And if the replies above are helpful, we would appreciate it if you marked them as answers; and if you resolved it using your own solution, please share your experience and solution here. It will be greatly helpful to others who have the same question.

    We appreciate your feedback.

    Best regards,

    Wendy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Friday, February 17, 2017 9:12 AM
    Moderator
  • Just finished a cleanup job from a ransomware that infected the SYSVOL of a domain.

    Hopefully you have a backup of the SYSVOL folder, which should be included with a backup of the System State. Assuming you do, you need to stop the File Replication Service (NTFRS) on all but the one DC you're restoring the SYSVOL to. Then, with the NTFRS service still stopped on the other DCs, set their registry to a non-authoritative restore before starting the NTFRS service. That way they'll pull good SYSVOL information from the healthy server.

    For more info on authoritative/non-authoritative SYSVOL restores, see https://support.microsoft.com/en-us/help/290762/using-the-burflags-registry-key-to-reinitialize-file-replication-service

    Sunday, May 21, 2017 2:25 AM
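One way to script the stop / D4 / D2 sequence described in the reply above, as an added example that is not the thread's own code. It assumes PowerShell remoting and admin rights on every DC, an FRS-replicated SYSVOL, placeholder DC names, and that the authoritative DC's SYSVOL has already been restored from a clean System State backup.

```powershell
# Added example, not the thread's own code: drive the FRS BurFlags restore the reply
# describes (D4 on the restored DC, D2 on the rest). Assumes PowerShell remoting plus admin
# rights on every DC, an FRS-replicated SYSVOL, and that $AuthoritativeDC was already restored.
param(
    [string]   $AuthoritativeDC = 'DC01',                                   # placeholder name
    [string[]] $OtherDCs        = @('DC02', 'DC03', 'DC04', 'DC05', 'DC06'), # placeholder names
    [string]   $SysvolPath      = 'C:\Windows\SYSVOL\domain'                # FRS default location
)

# The key name contains a forward slash, which the HKLM: provider treats as a path
# separator, so the raw .NET registry API is used instead of Set-ItemProperty.
$BurKey = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'
$D4 = 0xD4   # authoritative restore: this DC's SYSVOL copy wins
$D2 = 0xD2   # non-authoritative restore: re-pull SYSVOL from an authoritative partner
$AllDCs = @($AuthoritativeDC) + $OtherDCs

# 1. Refuse to proceed if the supposedly clean source still holds encrypted files.
$leftovers = Invoke-Command -ComputerName $AuthoritativeDC -ScriptBlock {
    Get-ChildItem -Path $using:SysvolPath -Recurse -Filter '*.wallet' -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty FullName
}
if ($leftovers) {
    Write-Error "Encrypted files still present on ${AuthoritativeDC}:`n$($leftovers -join "`n")"
    return
}

# 2. Stop FRS everywhere so the bad content cannot replicate while the flags are set.
Invoke-Command -ComputerName $AllDCs -ScriptBlock { Stop-Service -Name NtFrs -Force }

# 3. Flag the restored DC authoritative (D4) and start FRS there first.
Invoke-Command -ComputerName $AuthoritativeDC -ScriptBlock {
    [Microsoft.Win32.Registry]::SetValue($using:BurKey, 'BurFlags', $using:D4,
        [Microsoft.Win32.RegistryValueKind]::DWord)
    Start-Service -Name NtFrs
}

# 4. Flag every other DC non-authoritative (D2), then start FRS so each re-syncs from the good copy.
Invoke-Command -ComputerName $OtherDCs -ScriptBlock {
    [Microsoft.Win32.Registry]::SetValue($using:BurKey, 'BurFlags', $using:D2,
        [Microsoft.Win32.RegistryValueKind]::DWord)
    Start-Service -Name NtFrs
}

# 5. Report progress: FRS resets BurFlags to 0 once it has processed the flag, and
#    event 13516 in the File Replication Service log confirms SYSVOL is shared again.
Invoke-Command -ComputerName $AllDCs -ScriptBlock {
    [pscustomobject]@{ DC       = $env:COMPUTERNAME
                       BurFlags = [Microsoft.Win32.Registry]::GetValue($using:BurKey, 'BurFlags', $null) }
}
```

These flags apply to an FRS-replicated SYSVOL only; a DFSR-replicated SYSVOL is reinitialised through the msDFSR-Options attribute instead.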