Primary-DR post-install tasks

This topic describes tasks that you perform after the Primary-DR installation.

Harden the Vault manually

Perform the following tasks to increase the security of the Vault server:

  • Change the Administrator user password

  • Rename the built-in Administrator user

These tasks must be performed after you restart the Vault server.

Performing these tasks without restarting the Vault server may prevent you from accessing the Vault server and require you to reinstall the operating system.

Make sure to keep the new user name and password in a safe place.

Change the Administrator user password

The hardening process updates the password policy of the Windows operating system as a security best practice. Change the administrator user password so that it adheres to the rules of the new policy.

Rename the built-in Administrator user

Renaming the built-in Administrator user is a security best practice.

Harden the Vault machine

To follow security best practices, we recommend that you rerun the hardening of the Vault server. For more information, see CAVaultHarden utility.

After you run the hardening procedure, you must restart the Vault server for the hardening to take effect.

Customize the hardening configuration (optional)

You can customize the hardening configuration to meet your organization's policies. For more information, see CAVaultHarden utility FAQs.

Verify network access between the Vaults

For replication, failover, promotion, and failback

Network access to port 1858 is required between all Vaults.

  • Run the following PowerShell command from each Vault to all of your other Vaults:

    Test-NetConnection <IP Address> -port 1858 | findstr "TcpTestSucceeded"

    For example:

    • From Vault 1 to Vaults 2 and 3

    • From Vault 2 to Vaults 1 and 3

    • From Vault 3 to Vaults 1 and 2

    The result should be: TcpTestSucceeded : True

    If the result is False, the connection is being blocked by a firewall (on the machine or in the environment).
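The same check for every peer Vault at once, as an added example that is not part of the original CyberArk documentation; run it on each Vault in turn. The peer names and IP addresses in the table are constructed placeholders that you replace with your own Vaults.

```powershell
# Added example (not CyberArk's own code): verify that TCP port 1858 is reachable
# from this Vault to every other Vault. Peer names and addresses are placeholders.
$PeerVaults = @{
    'Vault2' = '10.0.0.12'   # placeholder address
    'Vault3' = '10.0.0.13'   # placeholder address
}
$ReplicationPort = 1858

function Test-VaultReplicationPort {
    param(
        [Parameter(Mandatory)] [hashtable] $Peers,
        [int] $Port = 1858
    )
    foreach ($name in ($Peers.Keys | Sort-Object)) {
        $address = $Peers[$name]
        # -WarningAction hides the "TCP connect ... failed" warning so that the
        # result object below is the only output per peer.
        $r = Test-NetConnection -ComputerName $address -Port $Port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Peer             = $name
            RemoteAddress    = $address
            Port             = $Port
            TcpTestSucceeded = $r.TcpTestSucceeded
            PingSucceeded    = $r.PingSucceeded
        }
    }
}

$results = Test-VaultReplicationPort -Peers $PeerVaults -Port $ReplicationPort
$results | Format-Table -AutoSize

# Any peer with TcpTestSucceeded = False means a firewall (machine or environment)
# is blocking replication traffic; report each one and fail the script.
$blocked = @($results | Where-Object { -not $_.TcpTestSucceeded })
if ($blocked.Count -gt 0) {
    foreach ($b in $blocked) {
        Write-Warning ("Port {0} to {1} ({2}) is blocked; check the machine and environment firewalls." -f $b.Port, $b.Peer, $b.RemoteAddress)
    }
    exit 1
}
Write-Host "Port $ReplicationPort is reachable from this Vault to all peer Vaults."
```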

Configure time synchronization on the Vault Server using NTP

The Vault must be synchronized with the organization’s NTP server.

1. In C:\Program Files\PrivateArk\Server\DBParm.ini, set the following parameter:

AllowNonStandardFWAddresses=[X.X.X.X,Y.Y.Y.Y,Z.Z.Z.Z],Yes,123:outbound/udp

Where X.X.X.X, Y.Y.Y.Y, Z.Z.Z.Z and so on are the Time Server IP addresses and port 123 is the Windows Time port.

2. Restart the Vault application using the Private-Ark Central Administration Console (the PrivateArk Server icon on the desktop).

After configuring the NTP settings and registry keys (refer to the Microsoft documentation for details), you must set the Windows Time service to Automatic (Delayed start) and start it in order for the settings to take effect.

After defining the NTP servers, verify that the last synchronized time source is the IP address of one of the NTP servers you defined. If it is not, a firewall may be blocking NTP traffic, or the synchronization did not run successfully.

Enable the Disaster Recovery user

The Disaster Recovery User (DR User) is a predefined user that is added automatically as an owner to every Safe, and only has the access rights required to replicate the Safes. The predefined DR User makes it easier to replicate your data to the Disaster Recovery Vault.

The DR User account is created in a disabled state during installation. Before using the DR User, enable it in the Primary Vault and update its password.

Specify how frequently the DR Vault will be updated

The DR parameter file determines how frequently the Production Vault will be replicated to the DR Vault. When you set these parameters, take into consideration that the more frequently a replication is performed, the less chance there is that information will be lost if the Production Vault stops suddenly. On the other hand, constant replications use Vault resources and may affect other Vault tasks.

In PADR.ini, specify the following parameter:

ReplicateInterval – The minimum time interval, in seconds, between data replications.

Hide the Vault users hierarchy

Configure the DR Remote Administration Agent

As a part of the DR Vault installation, the Remote Control Agent is installed and configured automatically. You can use remote administration features immediately after installation. For more information about Remote Administration, see Install remote administration clients.

For information about configuring the Remote Control Agent manually, see Remote Control Client.