clone made with acronis reverting back

i am having a very hard time wrapping my head around this. what i've done was this: i have a lab with 15 desktops and 15 laptops. every year, the autocad expires and has to be uninstalled and the new stuff installed. they are all running xp and it is on a domain with server 2008 r2. i got one box up like i wanted, completely updated and cleaned off. we use deepfreeze, so there wasn't much wrong anyway. i then used that as the master and used acronis, can't remember which version, i think it was 2011 or something. i cloned each desktop and installed the software on the laptops individually; the laptops only took about 20 minutes to install, well worth the time savings of not removing the hard drives. i did not sysprep any of the machines.
everything was fine for about three weeks, then one of the desktops booted back the way it was with the old software installed. if i had not been looking at it, i would have laughed and said it's impossible. am i missing something here about the way acronis clones or is someone messing with me? i thought that the data was copied from one to another and there was no way for it to revert back. i forgot to mention that after the systems were set up and cloned, i got hacked. at least that's what i think happened or maybe a virus that erased all the files that weren't in use at the time and hosed my active directory so bad that i had to put the new server in.

the weird thing about that is that my h, p, and t drives (all that were there) are now missing and there is a 160 gb .esq file there. that's about the size of the data i'm missing and that is a file created by a pfaff embroidery machine, there are none of those in the county. logging was disabled for remote entry, and since i'm the new admin for this system and the documentation sucks here, there was no way for me to know if it was disabled by the previous admin or turned off after the logs were wiped by the attacker. or it may have been a virus, probably not related, but worth mentioning.

anyway, any help figuring this out would be comforting. with all of the problems i'm having in this one room, it would sure be nice to be able to know someone is messing with the machines so i can stop it instead of wasting time. thanks.

0 Users found this helpful

First, let's figure out the exact name of the software in question, the exact sequence of actions you did on the problem machine, and its configuration. Then, what does 'all drives are missing' mean - from BIOS? from file systems (have no letter?) from disk management (unallocated disk, partitioned but unformatted, no disks?)

looked at it and it was acronis backup and recovery 11.5. on the server, the drive had logical partitions with different letters, h drive was for students and teachers data, f drive was for apps and icons, and c drive was for system files. i don't think the hack or loss of data was related, just mentioned because it may have been. i happened to be sitting at a computer when the students in the room said they couldn't access their h drive folders. when i looked, the h and f drives were gone. upon investigation, we found numerous failed login attempts from two computers in the school on an admin account at different ports, i think they started with 1100 or something and went one by one up to 1300 something. there were about 5 attempts per second, trying to use the admin login. we determined that it could have been a virus or a hacker using some sort of tool to get access. it took out all the files which were not in use at the time. it hosed my active directory so bad that i had to put a new server online, turns out that the last backup was from feb 2010. i was going to switch to the new server over xmas break, but had to do it early.
not sure if it was related, but full disclosure dictates that everyone has all the information needed to solve this problem i'm having. i can't find any technical description of how acronis clones a hard drive, but i am assuming that it copies the data from one hard drive to the other, thus overwriting the old data, and nothing should be left on the clone, no way for it to revert. now i could be wrong on this, that is why i need some help on this one.