Configure a backup plan
This article describes some of the best practices for Backup Plan management.
Review the Forest Recovery: Create and run backup plans article and make sure that backup plans have been properly configured in Cayosoft Guardian to protect your Active Directory forest from forest-wide failures. A Backup Plan is a job with a schedule, a list of domain controllers to back up, and connected Backup Locations to which backups will be copied.
Cayosoft Guardian uses agents to back up and recover domain controllers in the Active Directory forest. The agent is a Cayosoft Guardian component deployed automatically on managed machines, such as the machines in the recovery site or domain controllers to be backed up. The Agents Management node shows agents that previously communicated with the Cayosoft Guardian Server.
Learn more about agent management in the following article: Manage agents.
Domain controllers can be added to a backup plan
According to Microsoft's best practices, at least two domain controllers in each domain should be backed up regularly.
IMPORTANT: Cayosoft Guardian requires only one valid backup of an Active Directory domain controller to recover a domain. Still, it is strongly recommended that at least two domain controllers be backed up for redundancy.
Domain controllers holding the PDC Emulator FSMO role are prioritized for backups because they usually contain the most up-to-date information in their Active Directory database. This prioritization does not affect the recovery process: during recovery, the first restored domain controller seizes the FSMO roles, and a backup from any domain controller can be used.
NOTE: Cayosoft Guardian automatically excludes read-only domain controllers (RODCs) from the backup plan.
To edit the list of domain controllers in the backup plan:
- Open the Cayosoft Guardian web portal.
- Expand the Forest Recovery node.
- Click on the Backup Plans node.
- Select your backup plan and click Properties.
- Switch to the Domain Controllers tab.
- Use the Add and Delete actions to select the domain controllers to be backed up.
Frequency of backing up domain controllers
When devising a backup plan for Active Directory, several factors must be considered. In most cases, it is recommended to perform daily backups of domain controllers.
Use the following criteria to determine the frequency of your backups:
- Small environments with a single domain controller in the forest or domains that exist in a single physical location (that is, domains with a single point of failure): create backups at least daily.
- Medium (10 to 49 domain controllers) and large environments (50 to 1,000 or more domain controllers): Create backups of each unique directory partition in the forest on two different computers at least daily with an emphasis on backing up application directory partitions, empty root domains, domains in a single geographic site, and sites that have large populations of users or that host mission-critical work.
- Make backups with increasing frequency until you are confident that losing the objects created or modified since the last backup will not disrupt your operations. Major environmental changes should always be immediately followed by a new system state backup.
- Consider using the continuous data protection feature in Cayosoft Guardian, which lets you back up less frequently and restore recent changes from Change History.
Managing the advanced settings of a backup plan
Advanced settings of a backup plan allow fine-tuning of your backup plan.
Use Controllers to back up in parallel to change the number of domain controllers backed up simultaneously, either to balance network bandwidth against backup duration or to stay within the number of concurrent connections your network storage allows.
Use Agent deployment settings to change how agents are deployed or updated during a backup plan execution. Learn more about agent management in the following article: Manage agents.
To edit the advanced settings of a backup plan:
- Open the Cayosoft Guardian web portal.
- Expand the Forest Recovery node.
- Click Backup Plans.
- Select your backup plan and click Properties.
- On the Settings tab, select Backup AD DC action in the Workflow steps table.
- Edit settings if necessary.
Configuring the WinRM transport for AD topology collection
During backup, the Forest Recovery Agent connects to all domain controllers in the forest over WinRM to collect AD topology metadata used during recovery. You can control which WinRM transport the agent uses.
To configure the WinRM transport for a backup plan:
- Open the Cayosoft Guardian web portal.
- Expand the Forest Recovery node.
- Click Backup Plans.
- Select your backup plan, and then click Properties.
- On the Settings tab, configure the WinRM transport options described below.
- WinRM transport mode — Selects how the Forest Recovery Agent connects to each domain controller:
  - HTTP only — Connect over port 5985 only. This is the default and matches the behavior of earlier releases.
  - HTTPS only — Connect over port 5986 only. Use this mode in environments where port 5985 is closed and only WinRM over SSL is available.
  - Auto (HTTPS preferred) — Try HTTPS, port 5986, first on each domain controller, and fall back to HTTP, port 5985, if HTTPS is unavailable. This mode is recommended for forests with a mix of domain controllers.
  - Auto (HTTP preferred) — Try HTTP, port 5985, first on each domain controller, and fall back to HTTPS, port 5986, if HTTP is unavailable.
  In both Auto modes, the transport is decided per domain controller. As a result, one backup run may use HTTPS for some domain controllers and HTTP for others. Each fallback is recorded in the execution history with the domain controller name and reason.
- HTTPS port — Specifies the port used for the HTTPS transport. The default port is 5986.
- Skip certificate validation — By default, this option is disabled: when connecting over HTTPS, Cayosoft Guardian validates the TLS certificate presented by each domain controller's WinRM HTTPS listener. Enable this option only for environments that use self-signed or non-standard certificates; it turns off that validation for every HTTPS connection the plan makes, so prefer the Certificate thumbprint trust list where you can.
- Certificate thumbprint trust list — Specifies an optional list of certificate thumbprints to trust without disabling certificate validation entirely.
- Per-DC transport override — Optionally assigns an explicit transport to individual domain controllers or domain controller groups. When configured, the override takes precedence over the backup plan's transport mode. This is useful when you already know that a domain controller does not have an HTTPS listener and want to avoid an unnecessary connection attempt and timeout.
These settings can be applied per backup plan or globally for all Forest Recovery Agent operations.
NOTE: Existing backup plans continue to use HTTP only after upgrading and do not require reconfiguration. The Forest Recovery Agent does not modify the target domain controller's WinRM configuration.
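Before choosing a transport mode, it helps to know which listeners each writable domain controller actually answers on. The following PowerShell pre-flight check is an added example, not Cayosoft's own code; it assumes the ActiveDirectory RSAT module, WinRM access to the domain controllers from the host you run it on, and the default ports (adjust $HttpsPort if the plan's HTTPS port setting differs).

```powershell
# Added example (not Cayosoft Guardian code): probe each writable DC in the forest over
# WinRM HTTPS and HTTP and report what "Auto (HTTPS preferred)" would end up using.
# A DC whose HTTPS probe fails only because of its certificate is the case that
# "Skip certificate validation" or the thumbprint trust list is meant to handle.
Import-Module ActiveDirectory

$HttpPort  = 5985
$HttpsPort = 5986    # match the backup plan's "HTTPS port" setting if you changed it

# Guardian excludes RODCs from backup plans, so skip them here as well.
$dcs = foreach ($domain in (Get-ADForest).Domains) {
    Get-ADDomainController -Filter 'IsReadOnly -eq $false' -Server $domain |
        Select-Object -ExpandProperty HostName
}

foreach ($dc in $dcs) {
    $https = $false; $http = $false; $note = ''
    try {
        # -UseSSL validates the listener certificate; a self-signed or mismatched
        # certificate makes this probe fail even though port 5986 is open.
        Test-WSMan -ComputerName $dc -Port $HttpsPort -UseSSL -ErrorAction Stop | Out-Null
        $https = $true
    } catch { $note = "HTTPS: $($_.Exception.Message)" }
    try {
        Test-WSMan -ComputerName $dc -Port $HttpPort -ErrorAction Stop | Out-Null
        $http = $true
    } catch { $note += " HTTP: $($_.Exception.Message)" }

    [pscustomobject]@{
        DomainController = $dc
        HttpsListener    = $https
        HttpListener     = $http
        # Transport the Auto (HTTPS preferred) mode would settle on for this DC
        AutoHttpsPref    = $(if ($https) { 'HTTPS' } elseif ($http) { 'HTTP' } else { 'none' })
        Note             = $note.Trim()
    }
}
```

Domain controllers reported as HTTP-only are candidates for a per-DC transport override, which avoids the HTTPS attempt and its timeout on every run.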
Using backup encryption
Prerequisites
The BitLocker feature must be enabled on all domain controllers in the backup plan. The following Microsoft article explains how to install BitLocker on a Windows Server: Install BitLocker on Windows Server.
Cayosoft Guardian automatically enables the BitLocker Drive Encryption Windows feature on domain controllers if the feature is not already enabled. Guardian does not automatically encrypt existing domain controller drives. If backup plan execution history contains an error related to the BitLocker Drive Encryption feature installation, you might need to restart the domain controllers to complete the installation.
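To confirm the prerequisite across the forest before an encrypted backup plan runs, the following PowerShell check is an added example, not Cayosoft's own code; it assumes the ActiveDirectory and ServerManager RSAT modules on a Windows Server administration host with remote access to the domain controllers.

```powershell
# Added example (not Cayosoft Guardian code): report the BitLocker feature state on each
# writable DC. InstallPending means the feature was installed but the DC still needs a
# restart before an encrypted backup can succeed.
Import-Module ActiveDirectory, ServerManager

$dcs = foreach ($domain in (Get-ADForest).Domains) {
    Get-ADDomainController -Filter 'IsReadOnly -eq $false' -Server $domain |
        Select-Object -ExpandProperty HostName
}

foreach ($dc in $dcs) {
    try {
        $feature = Get-WindowsFeature -Name BitLocker -ComputerName $dc -ErrorAction Stop
        [pscustomobject]@{
            DomainController = $dc
            InstallState     = $feature.InstallState
            NeedsRestart     = ($feature.InstallState -eq 'InstallPending')
            Ready            = ($feature.InstallState -eq 'Installed')
        }
    } catch {
        # Query failed (WinRM/RPC blocked, DC offline): treat as not ready and show why.
        [pscustomobject]@{
            DomainController = $dc
            InstallState     = "query failed: $($_.Exception.Message)"
            NeedsRestart     = $null
            Ready            = $false
        }
    }
}
```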
Configure backup plan
Cayosoft Guardian can protect backup files at rest using BitLocker. Encryption is enabled by default, and you are required to enter a backup password, which is used to encrypt the backups with BitLocker. To simplify the recovery process, it is recommended to use the same password in all backup plans. For security reasons, the password's value cannot be viewed again after you leave this form. Copy the password and save it in a secure location, as it will be needed to access your backups in a disaster recovery scenario.
During the backup plan execution, Cayosoft Guardian creates a Hard Disk Image File (.vhdx) on the specified backup location and encrypts it using BitLocker technology.
Learn more about BitLocker technology in the following Microsoft article: BitLocker - Device encryption.
NOTE: Store your passphrase securely. Without it, you cannot access your backups or perform a recovery. Learn more about BitLocker passphrases in the following article: How Cayosoft Guardian manages BitLocker passphrases.
To disable backup encryption in the backup plan:
- Open the Cayosoft Guardian web portal.
- Expand the Forest Recovery node.
- Select the Backup Plans node.
- Select your backup plan.
- Click Properties.
- Click the Configure encryption button and clear the Enable backup encryption checkbox.
Assigning a managed host to a backup plan
In some environments, you may encounter machines with the same name managed by Cayosoft Guardian.
For example, if a machine named DC1 was originally in a source test lab environment and then recovered to a remote recovery site in Entra ID, Cayosoft Guardian will not continue to back up DC1. This will cause the backup plan to fail with an error. To back up managed hosts with the same name, you must manually assign these hosts to the backup plan.
To assign a managed host to a plan, perform the following steps:
- Open the Cayosoft Guardian web portal.
- Expand the Forest Recovery node.
- Click Backup Plans.
- Select your backup plan and click Properties.
- Select a domain controller on the Domain Controllers tab and click Properties.
- Browse for Source Host.