I have a perplexing problem on a test network I have. It was the victim of a ransomware attack recently but, being a test network, all of the encryption didn't really cause a problem. However, none of the DC's work now. If I try to open any of the AD** utilities, they tell me that the domain doesn't exist. After some initial troubleshooting, I discovered that the SYSVOL and NETLOGON shares had been deleted. The strange part is that I copied the vhdx file for a DC on another network and spun it up as the only running DC on the network. Its shares ended up deleted as well. Even after manually recreating the shares and rebooting, the shares were gone again.
So, what would cause these shares to be deleted? Since this is the only DC on the network now, it can't be a replication or GPO issue. DNS appears to be solid so it can't be the problem, either. Scratching my head...