Your suggested change has been received. Thank you.

close
Thales Logo

All

  • All
  • CipherTrust Manager
  • CipherTrust Application Data Protection (CADP)
  • CipherTrust Application Key Management (CAKM)
  • CipherTrust Batch Data Transformation (BDT)
  • CipherTrust Cloud Key Management (CCKM)
  • CipherTrust Data Discovery and Classification (DDC)
  • CipherTrust Data Protection Gateway (DPG)
  • CipherTrust Database Protection (CDP)
  • CipherTrust Intelligent Protection (CIP)
  • CipherTrust Integrations
  • CipherTrust Migrations
  • CipherTrust RESTful Data Protection (CRDP)
  • CipherTrust Transparent Encryption (CTE)
  • CipherTrust Transparent Encryption Userspace (CTE-U)
  • CipherTrust Secrets Management (CSM)
  • CipherTrust Vaulted Tokenization (CT-V)
  • CipherTrust Vaultless Tokenization (CT-VL)
  • CTE-Linux
  • CTE-Windows
  • CTE-AIX
  • CTE-K8s
  • CTE-U
  • Crypto Command Center
  • Data Protection on Demand
  • Luna Cloud HSM
  • Luna Network HSM
  • Luna PCIe HSM
  • Luna USB HSM
  • OneWelcome Identity Platform
  • ProtectApp LUKS
  • ProtectServer 2 HSM
  • ProtectServer 3 HSM
  • SafeNet Trusted Access (STA)
  • SafeNet MobilePASS+
  • SafeNet MobilePASS+ for Android
  • SafeNet MobilePASS+ for Chrome
  • SafeNet MobilePASS+ for macOS
  • SafeNet MobilePASS+ for iOS
  • SafeNet MobilePASS+ for WatchOS
  • SafeNet MobilePASS+ for Windows
  • SafeNet Synchronization Agent
  • SafeNet Logging Agent
  • SafeNet Agent for FreeRADIUS
  • SafeNet Agent for NPS
  • SafeNet Agent for Windows Logon
  • SafeNet Authentication Service Private Cloud Edition (SAS PCE)
  • SafeNet Remote Logging Agent
  • SafeNet Keycloak Agent
  • SafeNet IDPrime Virtual (IDPV)
  • SafeNet FIDO Key Manager
  • SafeNet FIDO Key Manager for Android
  • SafeNet FIDO Key Manager for iOS
  • SafeNet FIDO Key Manager for Windows
back

Encrypt Active Directory Database with Secure Start

Encrypt by Moving the AD Service into a Guarded Directory

search

Please Note:

printsuggest an editpdf paneldownload

Encrypt by Moving the AD Service into a Guarded Directory

You can move the AD service into a directory protected by a standard or LDT production policy. This method does not require the initial data transformation step. When you move the AD service into this directory, CTE immediately encrypts the data with either policy.

Note

This step occurs when the system is in DSRM mode, so users have no access to the AD service.

copy link to clipboardCreate the AD GuardPath directory

Create the directory in which the AD service will reside.

  1. Log in to the Active Directory Server in DSRM mode using the DSRM password. User ID is Administrator.

  2. Create a folder to which you will move the AD database.

copy link to clipboardApply Secure Start GuardPoints to a Directory with CipherTrust Manager

To apply Secure Start GuardPoints in CM:

  1. In the CipherTrust Manager Applications Page, click CTE > Clients > <clientName>.

  2. Click Create GuardPoint.

  3. In the Policy field, select a policy.

  4. Set Type to Auto Directory.

  5. Click Browse, navigate to, and select, the folder that you just created for the AD database.

  6. Select the option: Secure Start.

  7. Click Create.

  8. Click No to the question, "Would you like to use these GuardPoint settings on another GuardPoint with a different path?" because you are only guarding the AD database.

copy link to clipboardVerify the Secure Start GuardPoint with CLI

After the policy is pushed to the Active Directory Server, verify the GuardPoints.

To verify the GuardPoints, type:

voradmin ss verify <GuardPoint_path>
Successfully completed the command verify
Success from kernel -Successfully verified the secure start GP

copy link to clipboardMove the AD Database into the Secure Start GuardPoint

Move your AD database from the default location (c:\windows\NTDS) to this newly created protected folder. To move the AD database:

  1. In DSRM mode, login using the DSRM password. User ID is Administrator.

  2. Start NTDSUTIL utility, type:

    activate instance ntds

    1. Type:

      files

  3. Type:

    move db to \<GuardPoint>

  4. Type:

    move logs to \<GuardPoint>

  5. Exit NTDSUTIL utility.

  6. Reboot the system into normal mode. The Active Directory Services automatically starts after rebooting.

    Note

    This step occurs when the system is in DSRM mode, so users have no access to the AD service.

On this page