What should I do if a domain controller is stolen?
If I have a Windows 2008 or 2003 domain controller in a remote office (and its own AD site) that gets stolen, what sorts of things should I do to my main network or domain (if anything) in response?
The VPN is keyed off of the IP address of the network so there's nothing that would allow them to gain remote access to the primary network. I assume, at a minimum, I'd want everyone to change their passwords, but what else?
Solution 1:
Microsoft has some recommendations for what to do if a read-only DC is stolen. I don't think they go far enough, though. I lean more toward the approach described here. The big enchilada IMHO is to make sure that you immediately force password changes for all domain accounts; that will go a long way towards reducing the impact.
Solution 2:
Like the person said, change all passwords immediately. Also use NTDSUTIL and forcibly remove all traces of it from your AD. It may sound a bit extreme, but changing the site in question to a different IP subnet might not be a bad idea too.