Hi, today’s topic is securing a virtual domain controller using BitLocker encryption.
A virtual domain controller is sometimes at critical risk because its VHD folders can be copied and attached to another machine. Nowadays, using BitLocker encryption is one useful factor in securing our production environment.
Moreover, BitLocker’s best friend in enhancing this protection is the Trusted Platform Module (TPM), which you can find on the motherboard itself and enable in the BIOS.
In my lab environment, I run my Hyper-V host on my Lenovo ThinkPad. The way to secure the virtual domain controller is to enable BitLocker encryption on the host of the virtual machine.
Simple to do:
- I enabled the TPM / security chip in the BIOS setup. I am very fortunate that Lenovo has a tool to check it. You may download it here. You can see here that the setting is Active, which means the TPM is enabled.
- After that, you need to add the BitLocker encryption feature on the Hyper-V host. You may need to restart the server.
- In Control Panel, you manage BitLocker and choose which volume to turn it on for. In the screenshot below, I turned on BitLocker on my operating system drive, because the virtual machine folders are located at the default path. You may relocate your virtual machine folder to a different drive; in that case, turn on BitLocker on the drive where you keep the VM VHD/VHDX files.
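The three steps above as one script, added here as an example and not part of the original post. It assumes Windows Server 2012 or later with the Hyper-V and BitLocker modules, an elevated PowerShell session on the host, and reads the VHD location from the host instead of assuming a drive letter.

```powershell
# Added example: enable TPM-backed BitLocker on the volume that holds the VM disks.
# Assumption: Windows Server 2012+ host with Hyper-V role; run elevated.

# Step 1: confirm the TPM / security chip is present and activated in the BIOS.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "TPM is not present or not ready; enable the security chip in BIOS setup first."
}

# Step 2: add the BitLocker feature. This reboots the host; rerun the script afterwards.
if ((Get-WindowsFeature -Name BitLocker).InstallState -ne 'Installed') {
    Install-WindowsFeature -Name BitLocker -IncludeAllSubFeature -IncludeManagementTools -Restart
}

# Step 3: find where this host stores VHD/VHDX files and protect that volume.
$vhdPath  = (Get-VMHost).VirtualHardDiskPath
$vmVolume = Split-Path -Path $vhdPath -Qualifier      # e.g. "C:" or "D:"
$osVolume = $env:SystemDrive

# The OS volume takes the TPM protector. A recovery password is added as well,
# because a TPM change (firmware update, board swap) otherwise locks you out.
if ((Get-BitLockerVolume -MountPoint $osVolume).ProtectionStatus -ne 'On') {
    Enable-BitLocker -MountPoint $osVolume -TpmProtector -UsedSpaceOnly
    Add-BitLockerKeyProtector -MountPoint $osVolume -RecoveryPasswordProtector
}

# If the VMs live on a data volume, that volume cannot use a TPM protector directly:
# give it a recovery password and let the encrypted OS volume auto-unlock it at boot.
if ($vmVolume -ne $osVolume) {
    if ((Get-BitLockerVolume -MountPoint $vmVolume).ProtectionStatus -ne 'On') {
        Enable-BitLocker -MountPoint $vmVolume -RecoveryPasswordProtector -UsedSpaceOnly
    }
    Enable-BitLockerAutoUnlock -MountPoint $vmVolume
}

# Verify: every volume that matters should report ProtectionStatus = On.
Get-BitLockerVolume |
    Where-Object { $_.MountPoint -in @($osVolume, $vmVolume) } |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus,
                  @{ n = 'Protectors'; e = { ($_.KeyProtector.KeyProtectorType) -join ', ' } }
```

Store the recovery passwords somewhere other than the encrypted host; without them a TPM reset leaves the VM disks unreadable to you as well.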
Before I begin, I just want to say Happy New Year 2014 to all.
Okay, I would like to share the screenshot below:
Have you seen this error lately? You must have panicked and started searching TechNet.
Here is the article link: http://support.microsoft.com/kb/2734946 .
In my case, there was a period during which the domain controllers had not replicated. Some of the DCs were offline when I installed Exchange Server. While running the Exchange setup, the setup extends the AD schema. Since the Schema partition is forest-wide, it might change and update the Schema FSMO role as well.
Resolution: you can manually force replication or wait for the replication interval to take place.
I had a problem adding another domain controller to a child domain in my lab. In my scenario, my other child domain controller was online and one of the parent domain controllers was also online.
Another thing I had to make sure of was that DNS pointed to the child domain controller.
Also, I checked the debug log in C:\Windows\Debug\Dcpromoui.log. The error that appears there is similar to the error above.
Looking further into the error above, it successfully queries the SRV record of testbranch.netoverme.local.
My solution was to check that the Domain Naming Master role holder was online and could be contacted. The Domain Naming Master FSMO role is responsible for adding and also removing domains. In my case, I have two parent domain controllers (dc1.netoverme.local and dc2.netoverme.local) and my child domain is testbranch.netoverme.local. My scenario above is adding another domain controller to the child domain testbranch.netoverme.local.
Once I could ping dc1.netoverme.local, which holds the Domain Naming Master FSMO role, and made sure the ports and firewall were not blocking, the domain controller could be added successfully. One more thing: besides the FSMO role holder being online and contactable, DNS delegation has to be in place so that all DNS records are added in the parent domain.