Forest Recovery settings
Validate Guardian service certificate on the agent side
Enable this option to enforce certificate validation for secure communication between the Guardian service and the Forest Recovery Agent. When this option is enabled, the agent validates the service certificate before establishing the connection.
Recommended: Keep this setting enabled to protect the integrity of agent communication during recovery.
Directory connection mode for the Forest Recovery Agent
This setting controls how the Forest Recovery Agent connects to domain controllers when collecting recovery metadata, including domain controller inventory, SYSVOL, DFSR, RID pool, and FSMO role information.
Unlike a simple on/off switch, the connection behavior is selected from one of the following modes:
| Mode | Behavior |
|---|---|
| LDAP (default) | The agent connects using standard LDAP on port 389 with signing and sealing, which provides authenticated, integrity-protected and encrypted communication over the standard directory port. No TLS/SSL transport is used. |
| LDAPS | The agent connects over LDAPS on port 636 using ADSI with AuthenticationTypes.SecureSocketsLayer. If the secure connection cannot be established, the operation fails. There is no fallback. |
| LDAPS with fallback | The agent first attempts an LDAPS connection. If the secure connection fails, it automatically falls back to signed and sealed LDAP on port 389 and logs a warning. |
Choosing a mode
Use LDAPS in environments where:
- Group Policy enforces LDAP channel binding and signing. For more information, see Microsoft ADV190023.
- Standard-port (389) LDAP, signed and sealed or not, is blocked at the firewall or disabled on the domain controller.
- Organizational policy requires all directory traffic to be TLS-encrypted, with no fallback permitted.
Use LDAPS with fallback in mixed environments where some domain controllers accept secure LDAPS connections and others do not. The agent uses LDAPS where possible and falls back where necessary, recording each fallback in the log.
Use LDAP, the default mode, where signed and sealed LDAP is sufficient.
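The three modes, as an added example written for this page rather than code from Cayosoft Guardian, modelled with System.DirectoryServices (ADSI), which the page says the agent uses for LDAPS. The domain controller name, the bind to RootDSE and the use of Secure together with SecureSocketsLayer are assumptions; the fallback branch reproduces the documented warn-then-retry behaviour.

```powershell
# Added example, not Cayosoft Guardian's own code. Models the three directory
# connection modes with System.DirectoryServices (ADSI). The host name and the
# bind to RootDSE are assumptions.
Add-Type -AssemblyName System.DirectoryServices

function Connect-DirectoryRoot {
    param(
        [Parameter(Mandatory)] [string] $DomainController,
        [ValidateSet('LDAP', 'LDAPS', 'LDAPSWithFallback')] [string] $Mode = 'LDAP'
    )

    # Default mode: port 389, Kerberos/NTLM bind with SASL signing (integrity)
    # and sealing (confidentiality). No TLS on the wire.
    $signedSealed = [System.DirectoryServices.AuthenticationTypes]::Secure -bor
                    [System.DirectoryServices.AuthenticationTypes]::Signing -bor
                    [System.DirectoryServices.AuthenticationTypes]::Sealing

    # LDAPS: TLS on port 636. Windows validates the server certificate against
    # the machine's certificate stores before the bind proceeds.
    $ldaps = [System.DirectoryServices.AuthenticationTypes]::SecureSocketsLayer -bor
             [System.DirectoryServices.AuthenticationTypes]::Secure

    $bind = {
        param([string] $Path, [System.DirectoryServices.AuthenticationTypes] $Auth)
        $entry = [System.DirectoryServices.DirectoryEntry]::new($Path, $null, $null, $Auth)
        # DirectoryEntry is lazy; reading a property forces the bind so failures
        # surface here as a COMException instead of later in the caller.
        $null = $entry.RefreshCache(@('defaultNamingContext'))
        $entry
    }

    switch ($Mode) {
        'LDAP'  { & $bind "LDAP://$DomainController/RootDSE" $signedSealed }
        'LDAPS' {
            # No fallback: a failed TLS handshake or certificate check is fatal.
            & $bind "LDAP://${DomainController}:636/RootDSE" $ldaps
        }
        'LDAPSWithFallback' {
            try {
                & $bind "LDAP://${DomainController}:636/RootDSE" $ldaps
            } catch {
                # Documented behaviour: warn, then retry signed and sealed on 389.
                Write-Warning "LDAPS to $DomainController failed ($($_.Exception.Message)); falling back to signed and sealed LDAP"
                & $bind "LDAP://$DomainController/RootDSE" $signedSealed
            }
        }
    }
}

# Usage (assumed host name):
$root = Connect-DirectoryRoot -DomainController 'dc01.corp.example' -Mode LDAPSWithFallback
$root.Properties['defaultNamingContext'].Value
```

Run it against a domain controller that has no server certificate to see the difference between the modes: LDAPS throws, LDAPSWithFallback warns and returns a signed and sealed entry, and LDAP never touches port 636.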
Certificate handling for LDAPS
When LDAPS is used, the ADSI connection relies on the operating system's certificate validation. For the connection to succeed, the issuing CA chain must be present in the Trusted Root Certification Authorities and Intermediate Certification Authorities stores on the Forest Recovery Agent host.
There is no in-product option to bypass or skip LDAPS certificate validation.
Note: The certificate-skip options that exist in the agent, such as CA check, common-name check, and revocation check, apply to the agent's PowerShell remoting session over WinRM. They do not apply to the LDAPS directory connection described in this section.
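Since there is no in-product bypass, the useful check before switching to LDAPS is whether the agent host itself trusts the certificate the domain controller presents. The following is an added diagnostic, not part of the product: it completes a TLS handshake to port 636, records the verdict Windows would reach (the SslPolicyErrors value), and rebuilds the chain against the local stores so the report names the missing link (for example UntrustedRoot or PartialChain). The host name and port are assumptions.

```powershell
# Added diagnostic, not Cayosoft Guardian's code. Reports why LDAPS to a DC
# would pass or fail OS certificate validation on this host.
function Test-LdapsCertificate {
    param(
        [Parameter(Mandatory)] [string] $DomainController,
        [int] $Port = 636
    )

    # The validation callback writes into this hashtable (a reference type, so
    # the closure and the caller see the same object).
    $state = @{ Errors = $null }
    $callback = {
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $state.Errors = $sslPolicyErrors
        $true   # accept so the handshake completes and the full picture can be reported
    }.GetNewClosure()

    $client = [System.Net.Sockets.TcpClient]::new($DomainController, $Port)
    $ssl = [System.Net.Security.SslStream]::new(
        $client.GetStream(), $false,
        [System.Net.Security.RemoteCertificateValidationCallback]$callback)
    try {
        # Same host-name check ADSI would perform: the target name must match the cert.
        $ssl.AuthenticateAsClient($DomainController)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)

        # Rebuild the chain from the machine's Trusted Root and Intermediate stores,
        # with online revocation, and collect each status flag for the report.
        $x509Chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        $x509Chain.ChainPolicy.RevocationMode = 'Online'
        $chainOk  = $x509Chain.Build($cert)
        $statuses = @($x509Chain.ChainStatus | ForEach-Object { $_.Status.ToString() })

        [pscustomobject]@{
            DomainController = $DomainController
            Subject          = $cert.Subject
            Issuer           = $cert.Issuer
            NotAfter         = $cert.NotAfter
            SslPolicyErrors  = $state.Errors.ToString()
            ChainBuilds      = $chainOk
            ChainStatus      = ($statuses -join ', ')
            # ADSI's LDAPS bind succeeds only when Windows reports no policy errors.
            WouldAdsiSucceed = ($state.Errors -eq [System.Net.Security.SslPolicyErrors]::None)
        }
    } finally {
        $ssl.Dispose()
        $client.Dispose()
    }
}

# Usage (assumed host name); run on the Forest Recovery Agent host, not the DC:
Test-LdapsCertificate -DomainController 'dc01.corp.example' | Format-List
```

A ChainStatus of UntrustedRoot or PartialChain means the issuing CA chain is missing from the agent host's stores, which is the condition the section above describes; RemoteCertificateNameMismatch in SslPolicyErrors means the certificate is trusted but was not issued for the name the agent connects to, and no store change will fix that.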
Verifying connection behavior in the Agent log
In LDAPS with fallback mode, when a secure connection cannot be established, the agent records a warning similar to the following:
In LDAPS mode, when fallback is not enabled, a failed secure connection is recorded as an error similar to the following:
Recovery site storage account network access
When Cayosoft Guardian creates an Azure recovery site, it provisions a temporary storage account, also called the recovery site storage account. This storage account is used to stage backups, upload and install agents on the site's virtual machines, and retrieve agent logs.
Public network access to this account is enabled while the site is being deployed or is running, and disabled after the site is shut down.
These settings let you restrict the scope of public access so that the temporary storage account is reachable only from known hosts and networks.
| Setting | Default | Description |
|---|---|---|
| Restrict public network access to recovery site storage accounts | Disabled | When enabled, Guardian limits public access on the temporary storage account to the addresses and networks defined below, plus the recovery site subnet and the Guardian host's runtime-resolved public IP address. When disabled, public access is not scoped, which matches legacy behavior, and the two settings below are ignored. |
| IP addresses allowed to access storage accounts | Empty | A list of IPv4 addresses or CIDR ranges that identify the public hosts allowed to reach the storage account, such as the known public address of the Guardian host. |
| Virtual networks allowed to access storage accounts | Empty | A list of Azure VNet subnets allowed to reach the storage account. Use this setting when the Guardian service runs on an Azure VM and IP-based restrictions may not apply. The subnet must have a storage service endpoint enabled. |
How scoping is applied
When Restrict public network access to recovery site storage accounts is enabled, Guardian still creates the temporary storage account with public access enabled during deployment, but limits the scope to:
- The Guardian host's public IP address, resolved at runtime.
- The IP addresses and ranges configured in IP addresses allowed to access storage accounts.
- The recovery site subnet.
- The compatible VNet subnets configured in Virtual networks allowed to access storage accounts.
When the site is shut down, public access to the storage account is disabled. When the site is started again, public access is re-enabled and the scope restrictions are reapplied.
Considerations
- IP address restrictions may not apply to Azure virtual machines in the same region as the storage account, because those virtual machines can reach storage over the internal Azure network. In this case, use Virtual networks allowed to access storage accounts to grant access by subnet instead.
- Subnets that are incompatible with the storage account, for example, subnets that do not have the required storage service endpoint or are in a different region, are skipped during recovery rather than reported as errors.
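The scoping described above, reproduced as an added example with the public Az.Storage and Az.Network cmdlets so the rule set Guardian writes can be reproduced or audited. This is not Guardian's own code: the Az module (a current version with the -PublicNetworkAccess parameter) and a completed Connect-AzAccount are assumed, the resource names and subnet IDs are placeholders, and api.ipify.org stands in for whatever the product uses to resolve the host's public address at runtime.

```powershell
# Added example, not Cayosoft Guardian's code. Applies the documented scope to a
# recovery site storage account and skips incompatible subnets with a warning.
function Set-RecoverySiteStorageScope {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $StorageAccountName,
        [Parameter(Mandatory)] [string] $RecoverySiteSubnetId,   # always included
        [string[]] $AllowedIpRanges = @(),                        # "IP addresses allowed ..."
        [string[]] $AllowedSubnetIds = @()                        # "Virtual networks allowed ..."
    )
    $account = Get-AzStorageAccount -ResourceGroupName $ResourceGroupName -Name $StorageAccountName

    # Site running: public access on, but default-deny so only listed sources reach it.
    Set-AzStorageAccount -ResourceGroupName $ResourceGroupName -Name $StorageAccountName -PublicNetworkAccess Enabled | Out-Null
    Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $ResourceGroupName -Name $StorageAccountName `
        -DefaultAction Deny -Bypass AzureServices | Out-Null

    # Guardian host public IP resolved at runtime (assumption: api.ipify.org as resolver).
    $hostIp = (Invoke-RestMethod -Uri 'https://api.ipify.org').Trim()
    # Azure storage IP rules reject /31 and /32 prefixes; single hosts go in as bare addresses.
    $ipRules = @($hostIp) + $AllowedIpRanges | ForEach-Object { $_ -replace '/32$', '' } | Select-Object -Unique
    Add-AzStorageAccountNetworkRule -ResourceGroupName $ResourceGroupName -Name $StorageAccountName `
        -IPAddressOrRange $ipRules | Out-Null

    # Subnets without a Microsoft.Storage endpoint, or in another region, are skipped
    # with a warning rather than failing the run, matching the documented behaviour.
    $idPattern = '/resourceGroups/(?<rg>[^/]+)/providers/Microsoft\.Network/virtualNetworks/(?<vnet>[^/]+)/subnets/(?<subnet>[^/]+)$'
    foreach ($subnetId in @($RecoverySiteSubnetId) + $AllowedSubnetIds) {
        if (-not ($subnetId -match $idPattern)) {
            Write-Warning "Skipping '$subnetId': not a subnet resource ID"; continue
        }
        $vnet   = Get-AzVirtualNetwork -ResourceGroupName $Matches.rg -Name $Matches.vnet
        $subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $Matches.subnet
        $hasEndpoint = @($subnet.ServiceEndpoints | Where-Object Service -eq 'Microsoft.Storage').Count -gt 0
        if (-not $hasEndpoint -or $vnet.Location -ne $account.Location) {
            Write-Warning "Skipping '$subnetId': no Microsoft.Storage service endpoint or region mismatch"; continue
        }
        Add-AzStorageAccountNetworkRule -ResourceGroupName $ResourceGroupName -Name $StorageAccountName `
            -VirtualNetworkResourceId $subnet.Id | Out-Null
    }

    # Return the effective rule set so it can be compared with what Guardian applied.
    Get-AzStorageAccountNetworkRuleSet -ResourceGroupName $ResourceGroupName -Name $StorageAccountName
}

function Disable-RecoverySiteStoragePublicAccess {
    param([Parameter(Mandatory)] [string] $ResourceGroupName, [Parameter(Mandatory)] [string] $StorageAccountName)
    # Site shut down: public access off entirely; the rules remain and apply again on start.
    Set-AzStorageAccount -ResourceGroupName $ResourceGroupName -Name $StorageAccountName -PublicNetworkAccess Disabled | Out-Null
}

# Usage (placeholder names and IDs):
Set-RecoverySiteStorageScope -ResourceGroupName 'rg-recovery' -StorageAccountName 'strecovery01' `
    -RecoverySiteSubnetId '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-recovery/providers/Microsoft.Network/virtualNetworks/vnet-recovery/subnets/site' `
    -AllowedIpRanges @('203.0.113.10', '198.51.100.0/24')
```

The region check is the practical consequence of the first consideration above: a Guardian host that is itself an Azure VM in the storage account's region arrives over the Azure backbone with a private source, so its public IP rule never matches and only a subnet rule lets it in.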
Configuring DSRM administrator logon behavior
To troubleshoot recovered domain controllers remotely when NT Directory Services (NTDS) or related services are not functioning, you can allow logon with a Directory Services Restore Mode (DSRM) account. Remote logon with normal Active Directory accounts is not possible in those states.
The DSRM administrator logon behavior offers the following options:
| Option | Description |
|---|---|
| DSRM only (default) | The DSRM administrator can log on only when the domain controller is running in DSRM. |
| When the NTDS service is stopped | The DSRM administrator can log on when the NTDS service is stopped or when the domain controller is in DSRM. |
| Any time | The DSRM administrator can log on at any time. |
Interactive RDP logon may not work on Windows Server 2016 for the last two options. The native Windows RDP client may require entering the DSRM credentials twice, the second time on the remote logon screen, and may require the /admin switch (mstsc /admin).
Automatically boot in DSRM mode on failure
To improve recovery automation, you can configure a recovered server to boot into DSRM automatically if a normal boot fails.
When this option is enabled, Cayosoft Guardian configures the Boot Configuration Data (BCD) before rebooting. Cayosoft Guardian creates a dedicated DSRM boot entry with safeboot dsrepair and sets it as the recovery sequence. If the first boot attempt fails, the system boots into DSRM on the next attempt.
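The two settings above, the DSRM logon behavior and the automatic DSRM boot entry, carried out by hand as an added example. This is not Guardian's code: it writes the DsrmAdminLogonBehavior value under the Lsa key and builds the same kind of safeboot dsrepair entry and recovery sequence with bcdedit. The boot entry description, the parsing of bcdedit's output and the helper names are assumptions; run it elevated on the recovered domain controller.

```powershell
# Added example, not Cayosoft Guardian's code. Sets DSRM logon behaviour and the
# automatic DSRM boot entry by hand. Run elevated on the recovered DC.
$LsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$DsrmModes = [ordered]@{ DsrmOnly = 0; WhenNtdsStopped = 1; AnyTime = 2 }

function Set-DsrmAdminLogonBehavior {
    param([Parameter(Mandatory)] [ValidateSet('DsrmOnly', 'WhenNtdsStopped', 'AnyTime')] [string] $Mode)
    # 0 = DSRM only (default when the value is absent), 1 = when NTDS is stopped, 2 = any time
    Set-ItemProperty -Path $LsaKey -Name DsrmAdminLogonBehavior -Value $DsrmModes[$Mode] -Type DWord
}

function Get-DsrmAdminLogonBehavior {
    $value = (Get-ItemProperty -Path $LsaKey -Name DsrmAdminLogonBehavior -ErrorAction SilentlyContinue).DsrmAdminLogonBehavior
    if ($null -eq $value) { $value = 0 }   # absent value means the default, DSRM only
    $DsrmModes.Keys | Where-Object { $DsrmModes[$_] -eq $value }
}

function Enable-AutoDsrmBoot {
    # Copy the running OS entry; bcdedit reports the new entry's GUID on success.
    # (Quoting keeps PowerShell from treating {current} as a script block.)
    $output = (bcdedit /copy '{current}' /d 'Windows Server (DSRM)') -join ' '
    if ($LASTEXITCODE -ne 0) { throw "bcdedit /copy failed: $output" }
    $guid = [regex]::Match($output, '\{[0-9a-fA-F-]{36}\}').Value
    if (-not $guid) { throw "Could not find the new entry ID in: $output" }

    # The copied entry boots straight into DSRM; the running entry names it as the
    # recovery sequence so a failed boot lands there on the next attempt.
    bcdedit /set $guid safeboot dsrepair | Out-Null
    bcdedit /set '{current}' recoverysequence $guid | Out-Null
    bcdedit /set '{current}' recoveryenabled yes | Out-Null
    $guid
}

function Disable-AutoDsrmBoot {
    param([Parameter(Mandatory)] [string] $EntryId)
    # Undo after recovery so a later boot failure does not silently land in DSRM.
    bcdedit /deletevalue '{current}' recoverysequence | Out-Null
    bcdedit /set '{current}' recoveryenabled no | Out-Null
    bcdedit /delete $EntryId | Out-Null
}

# Usage: open DSRM logon while NTDS is down, prepare the fallback boot entry,
# then inspect the result.
Set-DsrmAdminLogonBehavior -Mode WhenNtdsStopped
$dsrmEntry = Enable-AutoDsrmBoot
Get-DsrmAdminLogonBehavior
bcdedit /enum $dsrmEntry
```

Put the logon behavior back to DsrmOnly and remove the boot entry once the domain controller is healthy: a DSRM administrator that can log on at any time is a local administrator whose password sits outside normal Active Directory credential controls, and an always-available DSRM boot path is an easy way back into an offline copy of the directory.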