Decrypting with LDT in an Exchange DAG Environment
Prerequisites
-
Make sure that the LDT state is set to REKEYED before unguarding.
-
Make sure that all of the files inside the GuardPoint are at the same version of the key.
-
Run the LDT report to find the version:
voradmin ldt report <GuardPoint path> [<logfile>]
-
Run the Key map report to find the version:
voradmin ldt key [report|map] <key_name, version> <GuardPoint path>
-
Procedure
-
Make sure that all of the Exchange services in node 2 are down and not accessing the Exchange databases.
Note
Suspension can take 2-3 Minutes.
-
In the Exchange Admin Center, make Exchange node 1 the primary node.
This means that node 1 is mounted as the active node and node 2 is mounted as the passive node.
-
Make all of the databases active on Exchange node 1.
-
Go to the Exchange Database tab and suspend all databases on node 2.
-
Unguard the database folders that you previously guarded on node 2.
-
Delete all of the metadata on all of the database folders on node 2, type:
voradmin ldt attr delete [<file name path> | <guard path>]
-
Guard with an LDT policy set for Encryption to Clear on node 2.
Note
You must clone the current version of the encryption key to use as the current key in the new LDT policy and
clear_key
as the transformation key. -
Go to the Exchange Database tab and resume all databases on node 2.
Note
After a few minutes, the databases should become healthy automatically. If not, wait for the LDT process to decrypt the data. Make sure that all of the data is transformed back to clear and that the LDT state is set to REKEYED.
-
Move the database from node 1 to node 2.
-
Repeat this procedure for node 1.
-
After both nodes are rekeyed and transformed from encryption to clear, unguard them:
-
In the Exchange Admin Center, make Exchange node 1 the primary node.
This means that node 1 is mounted as the active node and node 2 is mounted as the passive node. 2. Make all of the databases active on Exchange node 1.
-
Go to the Exchange Database tab and suspend all databases on node 2.
-
Unguard the database folders that you previously guarded on node 2.
Warning
Always ensure that you are unguarding a passive node.
-
Repeat this procedure for Node 1.
-