Creating a LDT GuardPoint for DFS(R)
Before you can create an LDT GuardPoint, you must set LDT to ignore the DFS(R) private directory that Microsoft automatically creates when you create a DFS(R) replication point. The private directory should not be encrypted by LDT.
-
Log into one of the DFS(R) servers in your network as an administrator.
-
For each GuardPoint that you intend to set up on the server, exclude the matching
DfsrPrivate
directory from the LDT process using thevoradmin ldt exlist add <guard path>
command.For example, if you are going to guard
D:\data, G:\HR Files
, and the entireF:
drive, you would use the following commands:voradmin ldt exlist add D:\data\DfsrPrivate voradmin ldt exlist add G:\HR Files\DfsrPrivate voradmin ldt exlist add F:\DfsrPrivate
To make sure LDT is ignoring the proper directories, use the
voradmin ldt exlist get
command:voradmin ldt exlist get Live Data Transformation exclusion list. Following ${gp}s will be excluded from the Live Data Transformation. G:\HR Files\DfsrPrivate D:\data\DfsrPrivate F:\DfsrPrivate
-
Reboot all of the LDT agent hosts before you create any LDT GuardPoints.
-
Repeat the previous steps on each server in your configuration before you create any LDT GuardPoints.
-
After you have excluded all
DfsrPrivate
directories on all servers from LDT processing, log into your key manager and set your LDT properties. When you begin the initial encryption, Thales recommends that you throttle the LDT processing speed with a CPU cap of 20%. You can increase this cap as more of the data is encrypted and there are fewer deltas between the DFS staging area and the production area.To set the cap, launch the CTE application and create a Profile with the appropriate Quality of Service configuration parameters. Then make sure that all clients in the DFS(R) configuration use that profile.
-
Create the required LDT GuardPoints using the Live Data Transformation policy you created.
Create the same set of GuardPoints, using the same Live Data Transformation policies, on each server in the configuration. For example, if you set up the following GuardPoints for the first server:
Guard Path LDT Policy Name D:\data
LDT-Policy-Main D:\data\DfsrPrivate
LDT-Policy-Main F:\
LDT-Policy-Main F:\DfsrPrivate
LDT-Policy-Main G:\HR Files
LDT-Policy-HR G:\HR Files\DfsrPrivate
LDT-Policy-HR You must then set up the same six GuardPoints, using the same two LDT policies, on each server in the configuration.