Solved

MS Exchange 2013 Datastore on Bitlocker Encrypted Volume

Posted on 2013-11-17
Last Modified: 2013-11-17
Dear EX Community,

I am currently experimenting with MS Exchange 2013 and Bitlocker Drive Encryption (Windows Server 2012 R2). My intention is to put the Exchange Database on an encrypted volume.  I am aware that this does not protect the data when the system is in a running state.  My goal is to protect the data in case one of the hard drives (RAID 1 Array) gets swapped out, since the server is located in an external Data Center.

On the server I have currently 2 partitions:
C: - System Partition (unencrypted)
D: - Data Partition (Bitlocker Encrypted, has to get manually unlocked using a key after every reboot)

Exchange itself I'd install on C: while the Exchange Database would get put on the encrypted D partition.

Now my question is how Exchange will cope at boot time when the Data Partition is not yet unlocked and Exchange can't access the Datastore.  I suppose this will lead to trouble?  How about if I set all Exchange related services to manual startup in order to start the services manually after the D: partition has been unlocked?

I am aware that there is a possibility to automatically unlock the D: partition at boot time but this would require that the System Partition is also encrypted, which is not possible in this scenario since the server doesn't have a TPM-Module and I don't want to enter the key through the KVM-Console when rebooting the server.

Any feedback is highly appreciated.  Thank you very much!
Question by:MrFortune100
Accepted Solution

by: MrFortune100
ID: 39655336
After multiple tests, I can confirm that my suggestion above seems to work well.

After the Exchange 2013 installation I have moved the Mailbox Database to the Bitlocker Encrypted Volume.  Then I have set the following Exchange 2013 Services from Automatic to Manual start up:

Microsoft Exchange Active Directory Topology
Microsoft Exchange Anti-spam Update
Microsoft Exchange Diagnostics
Microsoft Exchange EdgeSync
Microsoft Exchange Frontend Transport
Microsoft Exchange Health Manager
Microsoft Exchange Information Store
Microsoft Exchange Mailbox Assistants
Microsoft Exchange Mailbox Replication
Microsoft Exchange Mailbox Transport Delivery
Microsoft Exchange Mailbox Transport Submission
Microsoft Exchange Replication
Microsoft Exchange RPC Client Access
Microsoft Exchange Search
Microsoft Exchange Search Host Controller
Microsoft Exchange Service Host
Microsoft Exchange Throttling
Microsoft Exchange Transport
Microsoft Exchange Transport Log Search
Microsoft Exchange Unified Messaging
Microsoft Exchange Unified Messaging Call Router


Additionally, I've created a batch file which starts all of these services followed by an IIS restart at the end:

net start MSExchangeADTopology
net start MSExchangeAntispamUpdate
net start MSExchangeEdgeSync
net start MSExchangeIS
net start MSExchangeMailboxAssistants
net start MSExchangeMailboxReplication
net start MSExchangeRepl
net start MSExchangeRPC
net start MSExchangeServiceHost
net start MSExchangeThrottling
net start MSExchangeTransport
net start MSExchangeTransportLogSearch
net start MSExchangeFastSearch
net start MSExchangeDelivery
net start MSExchangeFrontEndTransport
net start MSExchangeDiagnostics
net start MSExchangeHM
net start MSExchangeSubmission
net start HostControllerService
net start MSExchangeUM
net start MSExchangeUMCR
IISReset


After a server reboot I manually unlock the Bitlocker Drive and then start Exchange using the bat file. Exchange 2013 seems to run fine, at least I couldn't find any errors in the Event Log. I suppose this scenario is not supported by Microsoft, but it seems to do the trick for my requirements.
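
The procedure above can be guarded so that Exchange is never started while the database volume is still locked. The following PowerShell script is an added example, not the poster's batch file; it assumes the data volume is D:, an elevated session on the Exchange server, and the service names listed in the batch file above.

```powershell
# Added example, not the poster's script. Assumes the BitLocker data volume is D:
# and that this runs in an elevated PowerShell session on the Exchange server.
param(
    [string]$DataVolume = 'D:',
    [switch]$SetManualStartup   # one-time: switch the services from Automatic to Manual
)

# Service names and order taken from the batch file in the answer.
$services = @(
    'MSExchangeADTopology', 'MSExchangeAntispamUpdate', 'MSExchangeEdgeSync',
    'MSExchangeIS', 'MSExchangeMailboxAssistants', 'MSExchangeMailboxReplication',
    'MSExchangeRepl', 'MSExchangeRPC', 'MSExchangeServiceHost',
    'MSExchangeThrottling', 'MSExchangeTransport', 'MSExchangeTransportLogSearch',
    'MSExchangeFastSearch', 'MSExchangeDelivery', 'MSExchangeFrontEndTransport',
    'MSExchangeDiagnostics', 'MSExchangeHM', 'MSExchangeSubmission',
    'HostControllerService', 'MSExchangeUM', 'MSExchangeUMCR'
)

if ($SetManualStartup) {
    foreach ($name in $services) {
        Set-Service -Name $name -StartupType Manual -ErrorAction Stop
    }
    return
}

# Refuse to start anything while the database volume is still locked.
$volume = Get-BitLockerVolume -MountPoint $DataVolume -ErrorAction Stop
if ($volume.LockStatus -ne 'Unlocked') {
    Write-Error "$DataVolume is still locked; unlock it before starting Exchange."
    exit 1
}
# An unlocked volume with protection off is no longer protected at rest.
if ($volume.ProtectionStatus -ne 'On') {
    Write-Warning "BitLocker protection on $DataVolume is $($volume.ProtectionStatus)."
}

foreach ($name in $services) {
    Start-Service -Name $name -ErrorAction Stop   # stops at the first failure
}
iisreset

# Report anything that did not reach Running.
$notRunning = Get-Service -Name $services | Where-Object Status -ne 'Running'
if ($notRunning) {
    $notRunning | Format-Table Name, Status
    exit 1
}
```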