Your suggested change has been received. Thank you.

close

Suggest A Change

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

Thales Logo

All

  • All
back

Encrypt Active Directory Database with Secure Start

Encrypt by Moving the AD Service into a Guarded Directory

search

Please Note:

Encrypt by Moving the AD Service into a Guarded Directory

You can move the AD service into a directory protected by a standard or LDT production policy. This method does not require the initial data transformation step. When you move the AD service into this directory, CTE immediately encrypts the data with either policy.

Note

This step occurs when the system is in DSRM mode, so users have no access to the AD service.

Create the AD GuardPath directory

Create the directory in which the AD service will reside.

  1. Log in to the Active Directory Server in DSRM mode using the DSRM password. User ID is Administrator.

  2. Create a folder to which you will move the AD database.

Apply Secure Start GuardPoints to a Directory with CipherTrust Manager

To apply Secure Start GuardPoints in CM:

  1. In the CipherTrust Manager Applications Page, click CTE > Clients > <clientName>.

  2. Click Create GuardPoint.

  3. In the Policy field, select a policy.

  4. Set Type to Auto Directory.

  5. Click Browse, navigate to, and select, the folder that you just created for the AD database.

  6. Select the option: Secure Start.

  7. Click Create.

  8. Click No to the question, "Would you like to use these GuardPoint settings on another GuardPoint with a different path?" because you are only guarding the AD database.

Verify the Secure Start GuardPoint with CLI

After the policy is pushed to the Active Directory Server, verify the GuardPoints.

To verify the GuardPoints, type:

 voradmin ss verify <GuardPoint_path>
Successfully completed the command verify
Success from kernel -Successfully verified the secure start GP

Move the AD Database into the Secure Start GuardPoint

Move your AD database from the default location (c:\windows\NTDS) to this newly created protected folder. To move the AD database:

  1. In DSRM mode, login using the DSRM password. User ID is Administrator.

  2. Start NTDSUTIL utility, type:

     activate instance ntds

    1. Type:

      files

  3. Type:

     move db to \<GuardPoint>

  4. Type:

     move logs to \<GuardPoint>

  5. Exit NTDSUTIL utility.

  6. Reboot the system into normal mode. The Active Directory Services automatically starts after rebooting.

    Note

    This step occurs when the system is in DSRM mode, so users have no access to the AD service.

On this page