Solved

MS Exchange 2013 Datastore on Bitlocker Encrypted Volume

Posted on 2013-11-17
1,529 Views
Last Modified: 2013-11-17
Dear EX Community,

I am currently experimenting with MS Exchange 2013 and Bitlocker Drive Encryption (Windows Server 2012 R2). My intention is to put the Exchange Database on an encrypted volume.  I am aware that this does not protect the data when the system is in a running state.  My goal is to protect the data in case one of the hard drives (RAID 1 array) gets swapped out, since the server is located in an external data center.

On the server I have currently 2 partitions:
C: - System Partition (unencrypted)
D: - Data Partition (Bitlocker encrypted, has to be manually unlocked using a key after every reboot)

Exchange itself I'd install on C: while the Exchange Database would get put on the encrypted D partition.

Now my question is how Exchange will cope at boot time when the Data Partition is not yet unlocked and Exchange can't access the Datastore.  I suppose this will lead to trouble?  How about if I set all Exchange-related services to manual startup in order to start the services manually after the D: partition has been unlocked?

I am aware that there is a possibility to automatically unlock the D: partition at boot time, but this would require that the System Partition is also encrypted, which is not possible in this scenario since the server doesn't have a TPM module and I don't want to enter the key through the KVM console when rebooting the server.

Any feedback is highly appreciated.  Thank you very much!
Question by:MrFortune100
1 Comment

Accepted Solution

by:
MrFortune100 earned 0 total points
ID: 39655336
After multiple tests, I can confirm that my suggestion above seems to work well.

After the Exchange 2013 installation I have moved the Mailbox Database to the Bitlocker encrypted volume.  Then I have set the following Exchange 2013 services from Automatic to Manual startup:

Microsoft Exchange Active Directory Topology
Microsoft Exchange Anti-spam Update
Microsoft Exchange Diagnostics
Microsoft Exchange EdgeSync
Microsoft Exchange Frontend Transport
Microsoft Exchange Health Manager
Microsoft Exchange Information Store
Microsoft Exchange Mailbox Assistants
Microsoft Exchange Mailbox Replication
Microsoft Exchange Mailbox Transport Delivery
Microsoft Exchange Mailbox Transport Submission
Microsoft Exchange Replication
Microsoft Exchange RPC Client Access
Microsoft Exchange Search
Microsoft Exchange Search Host Controller
Microsoft Exchange Service Host
Microsoft Exchange Throttling
Microsoft Exchange Transport
Microsoft Exchange Transport Log Search
Microsoft Exchange Unified Messaging
Microsoft Exchange Unified Messaging Call Router



Additionally, I've created a batch file which starts all of these services, followed by an IIS reset at the end:

@echo off
REM Start the Exchange 2013 services (set to Manual startup) after the
REM Bitlocker data volume holding the mailbox database has been unlocked.
REM Run from an elevated command prompt.

REM Active Directory Topology must be running before the other Exchange services.
net start MSExchangeADTopology
net start MSExchangeAntispamUpdate
net start MSExchangeEdgeSync
REM Information Store opens the mailbox database on the encrypted volume.
net start MSExchangeIS
net start MSExchangeMailboxAssistants
net start MSExchangeMailboxReplication
net start MSExchangeRepl
net start MSExchangeRPC
net start MSExchangeServiceHost
net start MSExchangeThrottling
net start MSExchangeTransport
net start MSExchangeTransportLogSearch
net start MSExchangeFastSearch
net start MSExchangeDelivery
net start MSExchangeFrontEndTransport
net start MSExchangeDiagnostics
net start MSExchangeHM
net start MSExchangeSubmission
net start HostControllerService
net start MSExchangeUM
net start MSExchangeUMCR
REM Recycle IIS so the client access front end picks up the running back-end services.
IISReset



After a server reboot I manually unlock the Bitlocker Drive and then start Exchange using the bat file. Exchange 2013 seems to run fine, at least I couldn't find any errors in the Event Log. I suppose this scenario is not supported by Microsoft, but it seems to do the trick for my requirements.
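The post-reboot procedure described above (unlock D:, then start the services, then reset IIS), written as an added PowerShell example; this is not code from the original post or from Microsoft. It adds the two checks a practitioner would want before starting Exchange against a possibly locked volume: it confirms with Get-BitLockerVolume that the data volume is actually unlocked, and it confirms the mailbox database file is reachable before the Information Store is started. The drive letter D: and the service list are taken from the post; the EDB path is an assumption and must be adjusted. The BitLocker password is prompted for interactively rather than stored, because a script on the unencrypted C: volume that contains the key would defeat the purpose of encrypting D:. One caveat the post does not mention: only the mailbox database is moved, so the transport queue database and logs under the Exchange installation path on C: remain unencrypted.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): unlock the BitLocker data volume,
# verify the mailbox database path, then start the Exchange 2013 services in
# the same order as the poster's batch file, followed by an IIS reset.
param(
    [string]$MountPoint = 'D:',
    # Assumed location of the mailbox database after it was moved to D:.
    [string]$EdbPath    = 'D:\ExchangeDatabases\MDB01\MDB01.edb'
)

$ErrorActionPreference = 'Stop'

# Service short names, same order as the poster's batch file.
$ExchangeServices = @(
    'MSExchangeADTopology', 'MSExchangeAntispamUpdate', 'MSExchangeEdgeSync',
    'MSExchangeIS', 'MSExchangeMailboxAssistants', 'MSExchangeMailboxReplication',
    'MSExchangeRepl', 'MSExchangeRPC', 'MSExchangeServiceHost', 'MSExchangeThrottling',
    'MSExchangeTransport', 'MSExchangeTransportLogSearch', 'MSExchangeFastSearch',
    'MSExchangeDelivery', 'MSExchangeFrontEndTransport', 'MSExchangeDiagnostics',
    'MSExchangeHM', 'MSExchangeSubmission', 'HostControllerService',
    'MSExchangeUM', 'MSExchangeUMCR'
)

function Set-ExchangeServicesManual {
    # One-time step: keep the services from auto-starting while D: is still locked.
    foreach ($name in $ExchangeServices) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($svc) { Set-Service -Name $name -StartupType Manual }
    }
}

function Unlock-DataVolume {
    param([string]$MountPoint)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.LockStatus -eq 'Unlocked') {
        Write-Host "$MountPoint is already unlocked."
        return
    }
    # Prompt for the password; do not hard-code it in a script stored on C:.
    $pw = Read-Host -Prompt "BitLocker password for $MountPoint" -AsSecureString
    Unlock-BitLocker -MountPoint $MountPoint -Password $pw | Out-Null
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.LockStatus -ne 'Unlocked') {
        throw "$MountPoint is still locked; refusing to start Exchange."
    }
}

function Start-ExchangeServices {
    foreach ($name in $ExchangeServices) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc) {
            Write-Warning "Service $name is not installed on this server; skipping."
            continue
        }
        if ($svc.Status -ne 'Running') {
            Write-Host "Starting $name ..."
            # Start-Service also starts any declared dependencies.
            Start-Service -Name $name
        }
    }
    # Same final step as the poster's batch file.
    & iisreset.exe | Out-Null
}

function Get-ExchangeServiceStatus {
    # Summary for the operator: which of the listed services are not running.
    Get-Service -Name $ExchangeServices -ErrorAction SilentlyContinue |
        Where-Object { $_.Status -ne 'Running' } |
        Select-Object Name, Status
}

Unlock-DataVolume -MountPoint $MountPoint
if (-not (Test-Path -LiteralPath $EdbPath)) {
    throw "Mailbox database not found at $EdbPath; check the volume and the path."
}
Start-ExchangeServices
$notRunning = Get-ExchangeServiceStatus
if ($notRunning) {
    Write-Warning "Services still not running:"
    $notRunning | Format-Table -AutoSize
} else {
    Write-Host "All listed Exchange services are running."
}
```

Run Set-ExchangeServicesManual once after installation to mirror the poster's change of the startup type; after each reboot, run the script itself from an elevated PowerShell session. Because the services are Manual, nothing restarts them after a crash or an unattended reboot, which is the intended trade-off here.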
