Encrypt Data in Place with Offline Transformation
Encrypting the AD database with a standard (production), or offline policy is very similar to encrypting other data with a standard (production), or offline policy.
The advantage to encrypting data in place is that it saves space. When you copy/move a directory into a guarded directory, you will need twice as much space to store the data because you leave a copy of the data in the original folder, as a precaution, until the original directory has been successfully moved and encrypted. Once the data is transformed, then you can delete the directory that contains the decrypted/clear data.
Using this method, you perform an Initial Data Transformation using the dataxform command line utility. During this transformation, access to the GuardPoint data is blocked. After initial transformation, you remove the initial policy, and then apply a production policy, so users can access the data.
Note
This step occurs when the system is in DSRM mode, so users have no access to the AD service.
If your AD service is installed in the default directory, C:\Windows\NTDS, you must move it to another directory before you can encrypt it. See Encrypt by Moving the AD Service into a Guarded Directory for more information.
To encrypt the data:
-
In DSRM mode, login using the DSRM password. User ID is Administrator.
-
Create and apply a
dataxformpolicy to the GuardPoint directory. -
Run the
dataxformcommand. -
Remove the
dataxformpolicy on the GuardPoint and replace it with a production policy. -
Reboot out of DSRM mode.
