Forum.Brain-Cluster.com: Brain Cluster Technical Forum
Ultimate forum for Technical Discussions

Bit Locker [message #360051] Tue, 05 January 2010 12:10
Phillips
Is it safe/recommended to encrypt a drive/volume which contains the AD DB or
SYSVOL? What kind of challenges does it pose?
Re: Bit Locker [message #360237 is a reply to message #360051] Tue, 05 January 2010 15:29
meiweb (Germany)
Hello Phillips,

You can of course encrypt a DC drive with BitLocker, but in my opinion this
only makes sense in an environment where a DC cannot be physically secured.
Also you have to keep in mind that this only helps if the server is shut down
and is to be started again without having the correct key available. There
is no influence on the AD database or SYSVOL when BitLocker is used.

See here about preparing a Server Core install for BitLocker:
http://www.biztechmagazine.com/article.asp?item_id=447

Also see here about using BitLocker for Hyper-V VMs:
http://www.microsoft.com/downloads/details.aspx?FamilyID=2c3c0615-baf4-4a9c-b613-3fda14e84545&DisplayLang=en

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
Re: Bit Locker [message #360300 is a reply to message #360051] Tue, 05 January 2010 16:26
Jorge Silva
Hi
I would say that you shouldn't place DCs where you can't guarantee their
security. This includes RODCs (some people will disagree, but I don't care).

--

I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MVP Directory Services

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
Re: Bit Locker [message #362230 is a reply to message #360300] Thu, 07 January 2010 16:05
SubstituteThisWithMyF (Netherlands)
He's probably talking about me, because I do disagree! (RODC part only) ;-)

For RWDCs, yes: DO NOT PLACE THOSE IN INSECURE LOCATIONS!

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test ANY suggestion in a test environment before implementing!
Re: Bit Locker [message #362231 is a reply to message #360237] Thu, 07 January 2010 16:07
SubstituteThisWithMyF (Netherlands)
even in secure locations...

you might have a scenario where the DC is secured, but non-Domain admins may
have access

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test ANY suggestion in a test environment before implementing!
Re: Bit Locker [message #362549 is a reply to message #362231] Fri, 08 January 2010 03:07
meiweb (Germany)
Hello Jorge de Almeida Pinto [MVP - DS],

1:0 for you. :-)

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
Re: Bit Locker [message #365361 is a reply to message #362230] Mon, 11 January 2010 14:14
Jorge Silva
Worse than assuming that an existing infrastructure has security issues is
to think that your environment is secure... That can lead you to disaster. :)

--

I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MVP Directory Services

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.