Solved

MS Exchange 2013 Datastore on Bitlocker Encrypted Volume

Posted on 2013-11-17
1
1,472 Views
Last Modified: 2013-11-17
Dear EX Community,

I am currently experimenting with MS Exchange 2013 and Bitlocker Drive Encryption (Windows Server 2012 R2). My intention is to put the Exchange Database on an encrypted volume.  I am aware that this does not protect the data when the system is in a running state.  My goal is to protect the data in case one of the hard drives (RAID 1 Array) gets swaped out, since the server is located in an external Data Center.

On the server I have currently 2 partitions:
C: - System Partition (unencrypted)
D: - Data Partition (Bitlocker Encrypted, has to get manually unlocked using a key after every reboot)

Exchange itself I'd install on C: while the Exchange Database would get put on the encrypted D partition.

Now my question is how Exchange will cope at boot time when the Data Partition is not yet unlocked and Exchange can't access the Datastore.  I suppose this will lead into troubles?  How about if I set all Exchange related services to manual startup in order to start the services manually after the D: partition has been unlocked?

I am aware that there is a possibility to automatically unlock the D: partition at boot time but this would require that the System Partition is also encrypted, which is not possible in this scenario since the server doesn't have a TPM-Module and I don't want to enter the key through the KVM-Console when rebooting the server.

Any feedback is highly appreciated.  Thank you very much!
0
Comment
Question by:MrFortune100
1 Comment
 

Accepted Solution

by:
MrFortune100 earned 0 total points
Comment Utility
After multiple tests, I can confirm that my suggestion above seems to work well.

After the Exchange 2013 installation I have moved the Mailbox Database to the Bitlocker Encrypted Volume.  Then I have set the following Exchange 2013 Services from Automatic to Manual start up:

Microsoft Exchange Active Directory Topology
Microsoft Exchange Anti-spam Update
Microsoft Exchange Diagnostics
Microsoft Exchange EdgeSync
Microsoft Exchange Frontend Transport
Microsoft Exchange Health Manager
Microsoft Exchange Information Store
Microsoft Exchange Mailbox Assistants
Microsoft Exchange Mailbox Replication
Microsoft Exchange Mailbox Transport Delivery
Microsoft Exchange Mailbox Transport Submission
Microsoft Exchange Replication
Microsoft Exchange RPC Client Access
Microsoft Exchange Search
Microsoft Exchange Search Host Controller
Microsoft Exchange Service Host
Microsoft Exchange Throttling
Microsoft Exchange Transport
Microsoft Exchange Transport Log Search
Microsoft Exchange Unified Messaging
Microsoft Exchange Unified Messaging Call Router

Open in new window


Additionally, I've created a batch file which starts all of these services followed by a IIS-Restart at the end:

net start MSExchangeADTopology
net start MSExchangeAntispamUpdate
net start MSExchangeEdgeSync
net start MSExchangeIS
net start MSExchangeMailboxAssistants
net start MSExchangeMailboxReplication
net start MSExchangeRepl
net start MSExchangeRPC
net start MSExchangeServiceHost
net start MSExchangeThrottling
net start MSExchangeTransport
net start MSExchangeTransportLogSearch
net start MSExchangeFastSearch
net start MSExchangeDelivery
net start MSExchangeFrontEndTransport
net start MSExchangeDiagnostics
net start MSExchangeHM
net start MSExchangeSubmission
net start HostControllerService
net start MSExchangeUM
net start MSExchangeUMCR
IISReset

Open in new window


After a server reboot I manually unlock the Bitlocker Drive and then start Exchange using the bat file. Exchange 2013 seems to run fine, at least I couldn't find any errors in the Event Log. I suppose this scenario is not supported by Microsoft, but it seems to do the trick for my requirements.
0

Featured Post

What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

Join & Write a Comment

Suggested Solutions

Local Continuous Replication is a cost effective and quick way of backing up Exchange server data. The following article describes the steps required to configure Local Continuous Replication. Also, the article tells you how to restore from a backup…
Marketers need statistics and metrics like everybody else needs oxygen. In this article we explain how to enable marketing campaign statistics for Microsoft Exchange mail.
In this Micro Tutorial viewers will learn how to restore their server from Bare Metal Backup image created with Windows Server Backup feature. As an example Windows 2012R2 is used.
To add imagery to an HTML email signature, you have two options available to you. You can either add a logo/image by embedding it directly into the signature or hosting it externally and linking to it. The vast majority of email clients display l…

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now