Enable Bitlocker Drive Encryption on all domain controllers?

    • #1558666
      Mingione
      Participant

      Hi,

      could you please confirm if the BitLocker Drive Encryption feature should be installed on all domain controllers? I mean, if a customer has more than one domain controller, the feature should be installed on all of them, shouldn’t it?

      Thanks a lot.

      Diego M.

    • #1558667
      Leos Marek
      Moderator

      Hello,

      enabling Bitlocker has no impact on domain functionality. You can have DCs with Bitlocker enabled in less secure locations and you can have DCs without Bitlocker.

      Cheers

      • #1558670
        Mingione
        Participant

        Hi all,

        what I have mentioned is the feature name for Windows Server to enable the Recovery Keys writing within the AD Computer Objects.

        The customer needs to archive the recovery keys within AD.

        Thanks again.

        Best regards,

        Diego M.

        • #1558674
          Leos Marek
          Moderator

          OK, I understand your question differently. Nothing is required to be installed on the DC. BitLocker is integrated with AD. The only thing you need to do is to enable a GPO setting, more details here:

          https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies#active-directory-domain-services-considerations

          Then to view the passwords you need a Viewer, details here:

          https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer


          L

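The GPO route described above can be verified end to end from the server being encrypted. The following PowerShell is an added example, not code from the thread or from Microsoft's documentation: it reads the policy values that the "Store BitLocker recovery information in Active Directory Domain Services" GPO writes under `HKLM\SOFTWARE\Policies\Microsoft\FVE`, escrows any recovery password protectors that are present, and then confirms that `msFVE-RecoveryInformation` objects exist under the computer object in AD. It assumes the BitLocker and ActiveDirectory (RSAT) modules are installed and that it runs elevated on a domain-joined server.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): verify BitLocker recovery key escrow to AD DS.
Import-Module BitLocker
Import-Module ActiveDirectory

# 1. Effective policy. The GPO writes these DWORDs; OSActiveDirectoryBackup enables the
#    backup for the OS drive, OSRequireActiveDirectoryBackup blocks enabling BitLocker
#    unless the backup succeeds.
$fve    = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$policy = Get-ItemProperty -Path $fve -ErrorAction SilentlyContinue
if (-not $policy -or $policy.OSActiveDirectoryBackup -ne 1) {
    Write-Warning 'OS-drive recovery info is not configured to back up to AD DS (OSActiveDirectoryBackup).'
}
if (-not $policy -or $policy.OSRequireActiveDirectoryBackup -ne 1) {
    Write-Warning 'Backup to AD DS is not required; BitLocker can be enabled without a successful escrow.'
}

# 2. Escrow every recovery password protector on every BitLocker volume.
#    Backup-BitLockerKeyProtector writes the protector to the computer object in AD,
#    which is the same thing BitLocker does automatically when the policy is in effect.
foreach ($vol in Get-BitLockerVolume) {
    foreach ($kp in ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
        Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
        Write-Host "Escrowed protector $($kp.KeyProtectorId) for $($vol.MountPoint)"
    }
}

# 3. Verify from the AD side. Recovery objects are child objects of the computer object,
#    one per recovery password, named by creation time and protector GUID.
$computer = Get-ADComputer -Identity $env:COMPUTERNAME
$recovery = Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
    -Filter { objectClass -eq 'msFVE-RecoveryInformation' } `
    -Properties whenCreated, 'msFVE-RecoveryPassword'

# Report presence only; never echo the recovery password itself into a transcript or log.
$recovery | Select-Object Name, whenCreated,
    @{ n = 'HasPassword'; e = { -not [string]::IsNullOrEmpty($_.'msFVE-RecoveryPassword') } }
```

The last step is the same data the BitLocker Recovery Password Viewer shows in Active Directory Users and Computers. Because anyone who can read `msFVE-RecoveryPassword` can unlock the drive, treat the recovery objects as secrets: keep read access limited to the group that handles recovery and audit reads of those objects.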
        • #1558693
          Mingione
          Participant

          Hi Leos,

          many thanks for your feedback but what about the BitLocker Drive Encryption Feature?

          Surfing the web I have read as follows:

          “Starting from Windows Server 2008, these attributes are available by default, but still require an additional configuration for further functioning. In the schema version of Windows Server 2012 and newer, this feature works “out of the box”. The same is applicable to the computers running the newest Windows Server 2019 build.” (https://theitbros.com/config-active-directory-store-bitlocker-recovery-keys/)

          Thanks a lot.

          Best regards,

          Diego M.


        • #1558694
          Leos Marek
          Moderator

          You only need to install the feature if you want to encrypt that computer/server. It has nothing in common with AD at all.

          As from what you shared, if you have the AD forest level on Win 2012 or higher you don't need to do anything with AD.

          As always – you should have a test environment (at least a VM on your PC) and try things there first.

        • #1558746
          Mingione
          Participant

          Hi,

          if the customer has 2008 R2 Forest mode (please don’t laugh at that), how can we proceed?

          Please consider that the DC servers are 2012 R2…


          Thanks.

          Best regards.

          Diego M.

        • #1558783
          Leos Marek
          Moderator

          Hi Diego,

          if you have all DCs on 2012 R2 then you could simply raise the forest/domain level to Windows 2012. Please note this is an irreversible operation.

          Cheers

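Before deciding whether the forest level needs raising, the facts that the two previous answers hinge on can be read out of AD without changing anything: the forest and domain functional levels, the schema version, whether the `ms-FVE-RecoveryInformation` schema class is present, and the operating system of every DC (all DCs must already run at least the target level). This is an added example, not from the thread; it assumes the ActiveDirectory RSAT module and a domain account with read access to the schema partition. The schema version lookup table is constructed from Microsoft's published `objectVersion` values. The final line only previews the raise with `-WhatIf`, since, as noted above, the operation cannot be undone.

```powershell
# Added example (not from the thread): read-only prerequisite check before raising
# the forest functional level for BitLocker recovery key storage.
Import-Module ActiveDirectory

$forest  = Get-ADForest
$domain  = Get-ADDomain
$rootDse = Get-ADRootDSE

# Schema objectVersion values published by Microsoft (constructed lookup table).
$schemaNames = @{ 44 = '2008'; 47 = '2008 R2'; 56 = '2012'; 69 = '2012 R2'; 87 = '2016'; 88 = '2019/2022' }
$schemaVersion = (Get-ADObject -Identity $rootDse.schemaNamingContext -Properties objectVersion).objectVersion

# The class that holds BitLocker recovery passwords; present once the schema is 2008 or newer.
$fveClass = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -Filter { name -eq 'ms-FVE-RecoveryInformation' }

[pscustomobject]@{
    ForestMode       = $forest.ForestMode
    DomainMode       = $domain.DomainMode
    SchemaVersion    = "$schemaVersion ($($schemaNames[[int]$schemaVersion]))"
    FveSchemaPresent = [bool]$fveClass
}

# Every DC must run at least the target OS; this is the check Leos' "all DCs 2012 R2" relies on.
Get-ADDomainController -Filter * | Select-Object HostName, OperatingSystem, IsGlobalCatalog

# Preview only. Raising the forest level is one-way; drop -WhatIf deliberately in a test
# forest first, as the thread recommends. Windows2012R2Forest is also valid when all DCs
# are 2012 R2.
Set-ADForestMode -Identity $forest -ForestMode Windows2012Forest -WhatIf
```

If `FveSchemaPresent` is already true on a 2008 R2 forest, the schema itself is not the blocker; the remaining work is the GPO and confirming that the DCs' operating systems all meet the level you intend to raise to.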
    • #1558921
      Leos Marek
      Moderator

      Diego, did you have a chance to test or make the change done?

© 4sysops 2006 - 2020