Encrypt by Moving the AD Service into a Guarded Directory
You can move the AD service into a directory protected by a standard or LDT production policy. This method does not require the initial data transformation step. When you move the AD service into this directory, CTE immediately encrypts the data with either policy.
This step occurs when the system is in DSRM mode, so users have no access to the AD service.
Create the AD GuardPath directory
Create the directory in which the AD service will reside.
- Log in to the Active Directory Server in DSRM mode using the DSRM password. The user ID is Administrator.
- Create a folder to which you will move the AD database.
Apply Secure Start GuardPoints to a Directory with CipherTrust Manager
To apply Secure Start GuardPoints in CM:
- In the CipherTrust Manager Applications page, click CTE > Clients > <clientName>.
- Click Create GuardPoint.
- In the Policy field, select a policy.
- Set Type to Auto Directory.
- Click Browse, navigate to, and select the folder that you just created for the AD database.
- Select the option Secure Start.
- Click Create.
- Click No to the question "Would you like to use these GuardPoint settings on another GuardPoint with a different path?" because you are only guarding the AD database.
Verify the Secure Start GuardPoint with CLI
After the policy is pushed to the Active Directory Server, verify the GuardPoints.
To verify the GuardPoints, type:
    voradmin ss verify <GuardPoint_path>
A successful verification returns:
    Successfully completed the command verify
    Success from kernel -Successfully verified the secure start GP
Move the AD Database into the Secure Start GuardPoint
Move your AD database from the default location (c:\windows\NTDS) to the newly created protected folder.
To move the AD database:
- In DSRM mode, log in using the DSRM password. The user ID is Administrator.
- Start the NTDSUTIL utility and type:
    activate instance ntds
- Type:
    files
- Type:
    move db to <GuardPoint>
- Type:
    move logs to <GuardPoint>
- Exit the NTDSUTIL utility.
- Reboot the system into normal mode. Active Directory Services starts automatically after the reboot.
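After the reboot into normal mode, an administrator will want to confirm that the move actually took effect before handing the server back to users. The following PowerShell check is an added example, not part of the CTE documentation: it reads the NTDS paths that ntdsutil rewrites in the registry and confirms they sit under the GuardPoint, that the files are reachable through CTE, and that the NTDS service is running. The GuardPoint path D:\ADGuard is an assumed placeholder.

```powershell
# Added example (not from the CTE docs): post-move verification of the AD database location.
# $GuardPoint is an assumed path; replace it with the folder you guarded with Secure Start.
param(
    [string]$GuardPoint = 'D:\ADGuard'   # assumed GuardPoint path, not from the documentation
)

if (-not (Test-Path -LiteralPath $GuardPoint)) {
    Write-Error "GuardPoint folder '$GuardPoint' not found"
    exit 1
}

# ntdsutil "move db" / "move logs" update these values under the NTDS service key.
$ntdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$params  = Get-ItemProperty -Path $ntdsKey
$dbFile  = $params.'DSA Database file'         # full path to ntds.dit
$logPath = $params.'Database log files path'   # folder that holds edb*.log

# Normalise both paths to a trailing backslash so a prefix test cannot match a sibling folder.
$gpPrefix  = (Resolve-Path -LiteralPath $GuardPoint).Path.TrimEnd('\') + '\'
$logPrefix = $logPath.TrimEnd('\') + '\'

$checks = [ordered]@{
    'ntds.dit path is inside the GuardPoint'   = $dbFile.StartsWith($gpPrefix, 'OrdinalIgnoreCase')
    'log path is inside the GuardPoint'        = $logPrefix.StartsWith($gpPrefix, 'OrdinalIgnoreCase')
    'ntds.dit is readable through CTE'         = Test-Path -LiteralPath $dbFile
    'edb.log is readable through CTE'          = Test-Path -LiteralPath (Join-Path $logPath 'edb.log')
    'NTDS service is running'                  = (Get-Service -Name NTDS).Status -eq 'Running'
    'no ntds.dit left in the default location' = -not (Test-Path -LiteralPath "$env:SystemRoot\NTDS\ntds.dit")
}

$failed = 0
foreach ($check in $checks.GetEnumerator()) {
    $state = if ($check.Value) { 'OK  ' } else { $failed++; 'FAIL' }
    Write-Output ('[{0}] {1}' -f $state, $check.Key)
}
Write-Output "DSA Database file      : $dbFile"
Write-Output "Database log files path: $logPath"

# Non-zero exit lets this run as a post-reboot gate in a deployment script.
if ($failed -gt 0) { exit 1 }
```

Run it from an elevated PowerShell session on the domain controller; any FAIL line means the ntdsutil move or the GuardPoint should be revisited before users reconnect.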