How Cayosoft Guardian collects forest metadata from Domain Controllers
During forest backup and recovery operations, Cayosoft Guardian gathers domain controller (DC) configuration data to ensure the recovered environment is accurate, consistent, and functionally equivalent to the original forest. This process includes connecting to every DC in the forest, even if the DC is not included in the backup plan.
Why Cayosoft Guardian requires connectivity to all DCs
To successfully restore a forest, Cayosoft Guardian must reconstruct critical metadata that defines the forest’s topology and DC interdependencies. This metadata includes:
- DC-to-DC communication paths
- Operating system version, IP address, and DNS configuration
- Replication-related configuration
- Other low-level parameters that affect recovery behavior
The only reliable and authoritative source for this information is the domain controller itself. Therefore, during the backup process, Cayosoft Guardian connects to each DC in the forest and executes commands to read and save this configuration in the forest metadata.
If any domain controller in the forest is offline during backup, even if it is not part of the backup plan, Guardian cannot collect the configuration for that DC. As a result:
- Forest metadata becomes incomplete.
- The recovery engine cannot fully reproduce the forest's original topology.
- In certain cases, this can lead to forest recovery failure.
Although the missing configuration may not always cause a critical fault, internal testing shows that it can result in unexpected inconsistencies or side effects, such as mismatched metadata or topology differences in the recovered forest.
How credential configuration impacts metadata collection
If the backup plan is switched to use a group Managed Service Account (gMSA):
- The gMSA may be permitted only on specific hosts.
- It may not have permissions or delegation paths needed to access all DCs in the forest.
- Guardian may lose the ability to query DCs that are not part of the backup plan.
If agents are reinstalled and credentials are entered manually, instead of using centralized credentials:
- There is no longer a central credential store that can be used to authenticate to other DCs.
- Cayosoft Guardian cannot connect to DCs outside the backup plan.
- The code that collects metadata from all DCs may be skipped entirely.
While skipping this step may avoid a specific scenario where a down DC blocks the process, it introduces the risk of incomplete forest metadata, which can reduce recovery accuracy and reliability.
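A pre-backup check for the conditions described above, as an added example that is not Cayosoft code or part of the original article: it enumerates every DC in the forest, flags any that are unreachable or outside the backup plan, and lists which principals may retrieve the gMSA password. The host names, the gMSA name and the use of TCP 389/135 as a reachability probe are assumptions; the article does not state which protocols Guardian uses.

```powershell
# Added example, not Cayosoft code. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Hypothetical values: replace with the DCs in your backup plan and your gMSA name.
$PlanDCs  = @('dc01.corp.example', 'dc02.corp.example')
$GmsaName = 'svc-guardian'      # set to $null if the plan does not use a gMSA
# Assumption: LDAP (389) and RPC endpoint mapper (135) stand in for "DC is online".
$Ports    = 389, 135

# Enumerate every DC in every domain of the forest, not only the plan's DCs.
$allDCs = foreach ($domain in (Get-ADForest).Domains) {
    Get-ADDomainController -Filter * -Server $domain
}

$report = foreach ($dc in $allDCs) {
    # Collect the probe ports that did not answer on this DC.
    $closed = @(foreach ($p in $Ports) {
        $ok = Test-NetConnection -ComputerName $dc.HostName -Port $p `
                -InformationLevel Quiet -WarningAction SilentlyContinue
        if (-not $ok) { $p }
    })
    [pscustomobject]@{
        DC          = $dc.HostName
        Domain      = $dc.Domain
        InPlan      = $PlanDCs -contains $dc.HostName
        Reachable   = $closed.Count -eq 0
        ClosedPorts = $closed -join ','
    }
}
$report | Sort-Object Reachable, DC | Format-Table -AutoSize

# Any unreachable DC, in the plan or not, means its configuration cannot be collected.
$offline = @($report | Where-Object { -not $_.Reachable })
if ($offline.Count -gt 0) {
    Write-Warning ("Unreachable DCs: " + ($offline.DC -join ', '))
}

# Show which principals are allowed to retrieve the gMSA password.
if ($GmsaName) {
    Get-ADServiceAccount -Identity $GmsaName `
        -Properties PrincipalsAllowedToRetrieveManagedPassword |
        Select-Object -ExpandProperty PrincipalsAllowedToRetrieveManagedPassword
}
```

Run it under the account the backup plan uses so that forest enumeration reflects that credential's view; the port probe shows network reachability only, not whether the account is authorized on each DC.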