How Cayosoft Guardian collects forest metadata from Domain Controllers
During forest backup and recovery operations, Cayosoft Guardian gathers domain controller (DC) configuration data to ensure the recovered environment is accurate, consistent, and functionally equivalent to the original forest. This process includes connecting to every DC in the forest, even if the DC is not included in the backup plan.
Why Cayosoft Guardian requires connectivity to all DCs
To successfully restore a forest, Cayosoft Guardian must reconstruct critical metadata that defines the forest’s topology and DC interdependencies. This metadata includes:
- DC-to-DC communication paths
- Operating system version, IP address, and DNS configuration
- Replication-related configuration
- Other low-level parameters that affect recovery behavior
The only reliable and authoritative source for this information is the domain controller itself. Therefore, during the backup process, Cayosoft Guardian connects to each DC in the forest and executes commands to read and save this configuration in the forest metadata.
WinRM transport used for metadata collection
The Forest Recovery Agent collects topology metadata over WinRM and supports two transports: WinRM over HTTP (port 5985) and WinRM over HTTPS/SSL (port 5986). Both transports are encrypted in transit. The transport is selected by the WinRM transport mode configured for the backup plan (HTTP only, HTTPS only, Auto HTTPS preferred, or Auto HTTP preferred). For details on configuring the transport, see Configure a backup plan.
In the Auto modes, the transport is chosen independently for each DC, so a single backup run can collect metadata from some DCs over HTTPS and others over HTTP. In hardened environments where port 5985 is closed and only port 5986 is available, set the transport to HTTPS only so metadata can still be collected from every DC.
NOTE: If a DC is reachable only over a transport that is not enabled for the plan, Cayosoft Guardian cannot collect that DC's configuration, and forest metadata becomes incomplete, with the same consequences as an offline DC: reduced recovery accuracy and reliability. The transport used (and any fallback) is recorded per DC in the backup plan execution history.
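As an added pre-flight check (not Cayosoft Guardian's own code), the following PowerShell script probes WinRM on ports 5985 and 5986 on every DC in the forest and reports which transport the selected plan mode would pick per DC, so an administrator can find DCs whose metadata would be missed before the backup runs. It assumes the ActiveDirectory module and rights to enumerate DCs in all domains; the mode names and the Select-Transport function are the script's own approximation of the four modes, not Guardian's implementation.

```powershell
param(
    [ValidateSet('HttpOnly','HttpsOnly','AutoHttpsPreferred','AutoHttpPreferred')]
    [string]$TransportMode = 'AutoHttpsPreferred'
)
Import-Module ActiveDirectory

# Assumption: the caller can enumerate DCs in every domain of the forest.
$dcs = foreach ($domain in (Get-ADForest).Domains) {
    (Get-ADDomainController -Filter * -Server $domain).HostName
}

function Test-WinRmPort {
    param([string]$Computer, [int]$Port, [switch]$UseSsl)
    try {
        # Test-WSMan sends the WinRM Identify request; no credentials are needed.
        # An HTTPS listener whose certificate fails validation counts as unreachable.
        $null = Test-WSMan -ComputerName $Computer -Port $Port -UseSSL:$UseSsl -ErrorAction Stop
        return $true
    } catch { return $false }
}

# Approximates the plan transport modes described above (hypothetical mode names).
function Select-Transport {
    param([string]$Mode, [bool]$Http, [bool]$Https)
    switch ($Mode) {
        'HttpOnly'           { if ($Http)  { 'HTTP' } }
        'HttpsOnly'          { if ($Https) { 'HTTPS' } }
        'AutoHttpsPreferred' { if ($Https) { 'HTTPS' } elseif ($Http) { 'HTTP' } }
        'AutoHttpPreferred'  { if ($Http)  { 'HTTP' }  elseif ($Https) { 'HTTPS' } }
    }
}

$report = foreach ($dc in $dcs) {
    $http   = Test-WinRmPort -Computer $dc -Port 5985
    $https  = Test-WinRmPort -Computer $dc -Port 5986 -UseSsl
    $chosen = Select-Transport -Mode $TransportMode -Http $http -Https $https
    [pscustomobject]@{
        DC        = $dc
        Http5985  = $http
        Https5986 = $https
        Transport = if ($chosen) { $chosen } else { 'NONE' }   # NONE = metadata would be missing
    }
}

$report | Format-Table -AutoSize
$missing = @($report | Where-Object Transport -eq 'NONE')
if ($missing.Count -gt 0) {
    Write-Warning "$($missing.Count) DC(s) unreachable in mode '$TransportMode'; forest metadata would be incomplete."
}
```

Run it with the same mode the backup plan uses; any DC reported as NONE needs its WinRM listener or firewall fixed, or the plan switched to a mode that reaches it, before the next backup.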
How credential configuration impacts metadata collection
If the backup plan is switched to use a group Managed Service Account (gMSA):
- The gMSA may be permitted only on specific hosts.
- It may not have the permissions or delegation paths needed to access all DCs in the forest.
- Cayosoft Guardian may lose the ability to query DCs that are not part of the backup plan.
If agents are reinstalled and credentials are entered manually, instead of using centralized credentials:
- There is no longer a central credential store that can be used to authenticate to other DCs.
- Cayosoft Guardian cannot connect to DCs outside the backup plan.
- The code that collects metadata from all DCs may be skipped entirely.
While skipping this step may avoid a specific scenario where a down DC blocks the process, it introduces the risk of incomplete forest metadata, which can reduce recovery accuracy and reliability.