BitLocker - Virtual DCs crashing after the encryption

nidhin_ck posted this 10 October 2019

Hi Experts,


I'm facing issues while encrypting the virtual DCs (ESXi). I mean after the encryption, our DCs are crashing.


We have the below configuration. Please note that we are storing the AD database & logs on different drives.

HDD: Single vHD file

Drives: C:\ OS, D:\ AD logs, E:\ AD database


Please find the steps which I followed; please let me know if I need to make any corrections.


  1. Install BitLocker & reboot
  2. Update GPO to allow BitLocker without TPM
  3. Add protectors for C drive & apply boot password
     Command used:
     manage-bde c: -on -encryptionmethod aes256 -Password -RecoveryPassword -RemoveVolumeShadowCopies
  4. Reboot DC
  5. At this stage, DC will prompt for BitLocker password and it is booting successfully
  6. After login to DC, add protectors and encrypt pending drives
     Command used:
     manage-bde D: -on -encryptionmethod aes256 -Password -RecoveryPassword -RemoveVolumeShadowCopies
  7. Enable auto unlock for other drives (D:, E:)
     Command used:
     manage-bde -autounlock -enable d:

   

After completing the entire encryption process, if I reboot the DC I can see that the DC is crashing, and I have to decrypt all the drives to log in.
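As an added example (not code from the original post), here are the seven manual steps above collected into one PowerShell script, using the BitLocker module cmdlets (Enable-BitLocker, Add-BitLockerKeyProtector, Backup-BitLockerKeyProtector, Enable-BitLockerAutoUnlock) instead of manage-bde. It assumes the BitLocker feature is installed and the "allow BitLocker without a compatible TPM" policy is applied as in steps 1-2, and that the DC runs Server 2016 or later (XtsAes256; use Aes256 as in the post on older builds). Two things differ from the post and are my choices, not the poster's: the data volumes get only a recovery password plus auto-unlock (a second boot password on D: and E: adds nothing once the OS volume holds the auto-unlock key), and every recovery password is escrowed in AD before encryption starts. The volume letters match the post.

```powershell
#Requires -RunAsAdministrator
# Added example: BitLocker rollout for a virtual DC without a TPM, in the order
# the post describes. Assumes the BitLocker feature is installed and the
# no-TPM GPO is in force. Letters and cipher are illustrative.
$ErrorActionPreference = 'Stop'

$OsVolume    = 'C:'
$DataVolumes = @('D:', 'E:')

function Wait-ForEncryption {
    param([string]$MountPoint)
    # Auto-unlock and the reboot test only mean something once conversion
    # has finished, so poll VolumeStatus instead of assuming.
    do {
        $v = Get-BitLockerVolume -MountPoint $MountPoint
        Write-Host ("{0} {1} {2}%" -f $MountPoint, $v.VolumeStatus, $v.EncryptionPercentage)
        if ($v.VolumeStatus -ne 'FullyEncrypted') { Start-Sleep -Seconds 30 }
    } while ($v.VolumeStatus -ne 'FullyEncrypted')
}

function Save-RecoveryPasswordToAD {
    param([string]$MountPoint)
    # Escrow each numerical recovery password as an msFVE-RecoveryInformation
    # object under the computer account. Needs the BitLocker schema and the
    # default self-write rights for computer objects (assumed present).
    $v = Get-BitLockerVolume -MountPoint $MountPoint
    foreach ($kp in $v.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword') {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
    }
}

# Step 3 of the post: OS volume with a boot password and a recovery password.
# -SkipHardwareTest starts conversion now instead of after a test reboot.
$bootPw = Read-Host -AsSecureString 'Boot password for the OS volume'
Enable-BitLocker -MountPoint $OsVolume -EncryptionMethod XtsAes256 `
    -PasswordProtector -Password $bootPw -SkipHardwareTest | Out-Null
Add-BitLockerKeyProtector -MountPoint $OsVolume -RecoveryPasswordProtector | Out-Null
Save-RecoveryPasswordToAD -MountPoint $OsVolume
Wait-ForEncryption -MountPoint $OsVolume

# Steps 6-7 of the post: data volumes, recovery password only, then auto-unlock
# for every one of them (the post showed the command for d: only).
foreach ($vol in $DataVolumes) {
    Enable-BitLocker -MountPoint $vol -EncryptionMethod XtsAes256 -RecoveryPasswordProtector | Out-Null
    Save-RecoveryPasswordToAD -MountPoint $vol
    Wait-ForEncryption -MountPoint $vol
    Enable-BitLockerAutoUnlock -MountPoint $vol
}

# Final state before the reboot test: every volume FullyEncrypted, protection On,
# and AutoUnlockEnabled True on each data volume.
Get-BitLockerVolume |
    Select-Object MountPoint, VolumeType, VolumeStatus, ProtectionStatus, AutoUnlockEnabled,
        @{ n = 'Protectors'; e = { ($_.KeyProtector.KeyProtectorType) -join ',' } } |
    Format-Table -AutoSize
```

Run it once in an elevated session on the DC; the final table is the state to capture before rebooting, so that a failed boot can be compared against a known-good protector layout.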



nidhin_ck posted this 14 October 2019
Hi, does anybody have any corrections on the above steps? Maybe the steps I'm following are not correct.

Regards,
Nidhin.CK

kool posted this 5 weeks ago

I’ve never BitLocker’d a DC before, but my hunch is that you’d need to BitLocker the drives before promotion to a DC. That presumes of course that BitLocker is even supported for a DC.

Eric

bdesmond posted this 5 weeks ago

What’s the goal of running BitLocker on an ESX hosted VM? As I understand it the ESX admin can get to the keys that are in the virtual TPM. Assuming my understanding is correct, what risk are you protecting against?

Thanks,
Brian

PhilipElder posted this 5 weeks ago

It’s supported and a good practice so long as the backup process is also encrypted and a full bare-hypervisor restore has been completed prior to encrypting the system drive.

 

Otherwise, it’s possible to reset the domain admin credentials in about 2 minutes onwards from there.

Philip Elder MCTS
Microsoft High Availability MVP

jimec1234 posted this 5 weeks ago

MyloC posted this 5 weeks ago

If you're not going to use physical DCs or shielded VMs then

MyloC posted this 5 weeks ago

Apologies for the inadvertent send on the last mail.

If you're not going to use physical DCs or shielded VMs with Hyper-V then ESX/vSphere offers up support for KMIP for storage off-server of encryption keys, assuming the intention is to segregate your data center virtualization admins from your AD admins. Backups/Updates/AV are also a challenge, if you're not tiering administration.

Damian Myles
Managing Partner

nidhin_ck posted this 1 weeks ago

Hi All,

Update:

After moving the DB & logs to their default location (C drive), it started working. I mean the DC is not crashing anymore.

I just want to ask if there will be any performance degradation if we put the AD DB in the default location (C:\Windows\NTDS)? I couldn't find any article on this.

https://blogs.msdn.microsoft.com/nicolewelch/2016/01/bitlocker-and-domain-controller-logical-disks/

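An added example, not code from the thread or the linked article: a PowerShell check that reads the NTDS database, log and SYSVOL paths from their standard registry values and cross-references each one with Get-BitLockerVolume, flagging a database or log directory that sits on an encrypted volume other than the OS volume. It encodes the outcome reported in the update above (the DC stopped crashing once the DB and logs were back on C:). The reason it matters: auto-unlock for a fixed data volume is performed by the BitLocker service after the OS has booted, which is later than the directory service, running inside lsass, tries to open its database, so a DIT on such a volume is unreachable at the moment it is needed. The verdict strings and the decision to treat SYSVOL as "check" rather than "at risk" are my choices; the registry value names are the standard ones.

```powershell
#Requires -RunAsAdministrator
# Added example: where does AD DS keep its files, and how is each of those
# volumes unlocked at boot? Run before encrypting a DC, or from Directory
# Services Restore Mode on one that stops booting after encryption.

function Get-AdStoragePath {
    # Standard NTDS and Netlogon parameter values; no assumptions about letters.
    $ntds = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $nl   = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    [ordered]@{
        DIT    = $ntds.'DSA Database file'        # e.g. C:\Windows\NTDS\ntds.dit
        Logs   = $ntds.'Database log files path'  # e.g. C:\Windows\NTDS
        SYSVOL = $nl.SysVol                       # e.g. C:\Windows\SYSVOL\sysvol
    }
}

function Test-AdVolumeUnlock {
    $osVolume = (Get-BitLockerVolume | Where-Object VolumeType -eq 'OperatingSystem').MountPoint
    foreach ($item in (Get-AdStoragePath).GetEnumerator()) {
        $mountPoint = Split-Path -Qualifier $item.Value      # 'E:' from 'E:\NTDS\ntds.dit'
        $vol        = Get-BitLockerVolume -MountPoint $mountPoint
        $onOs       = ($mountPoint -eq $osVolume)
        $encrypted  = ($vol.VolumeStatus -ne 'FullyDecrypted')
        # The OS volume is unlocked in the boot loader, so anything on it is
        # available when lsass/NTDS starts. An encrypted data volume is not:
        # auto-unlock runs in the BitLocker service after boot.
        $verdict = $(
            if ($onOs -or -not $encrypted) { 'OK' }
            elseif ($item.Key -eq 'SYSVOL') { 'CHECK: encrypted data volume, confirm Netlogon/DFSR after reboot' }
            else { 'AT RISK: encrypted data volume is not unlocked when NTDS starts' }
        )
        [pscustomobject]@{
            Component  = $item.Key
            Path       = $item.Value
            Volume     = $mountPoint
            OnOsVolume = $onOs
            Status     = $vol.VolumeStatus
            Protection = $vol.ProtectionStatus
            AutoUnlock = $vol.AutoUnlockEnabled
            Verdict    = $verdict
        }
    }
}

Test-AdVolumeUnlock | Format-Table -AutoSize -Wrap
```

For the layout in the original post (D:\ for logs, E:\ for the database, both encrypted with auto-unlock) the Logs and DIT rows come out AT RISK; after the move described in the update, all three rows report OnOsVolume True and OK.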

bdesmond posted this 6 days ago

Back when hard drives were slow and small and memory was constrained, we would always split up the DIT, Logs, and SYSVOL. That ship sailed a long time ago for all but some of the largest directories where the database is large enough/busy enough to have performance implications.

Putting everything on the OS drive wasn’t the issue necessarily so much as capacity.

Thanks,
Brian


nidhin_ck posted this 3 days ago

Hi Brian,

Thanks a lot for clarifying.

Thanks,
Nidhin.CK