
Active Directory and the Case of the Failed BitLocker Recovery Key Archive

This is an issue I came across this evening at home (yes, to reiterate, at home); however, it applies equally to my workplace, as we encounter the same problem there.

One of the laptops in my house has a TPM, which I use to BitLocker-encrypt the hard disk with the TPM plus a PIN. This gives me peace of mind, as it's the laptop used by my wife, who, although she doesn't currently, will likely start taking the device out on the road when studying at university.

Historically, I have used the Save to File method of storing the recovery key, keeping a copy both on our home server and in my SkyDrive account for protection, but with our new Windows Server 2012 Essentials environment I wanted to take advantage of Active Directory and configure the clients to archive the keys there automatically.

The starting point is to download the configuration guide package (an .exe) from Microsoft (http://www.microsoft.com/en-us/download/details.aspx?id=13432). I'm not going to explain here how to extend the AD schema or modify the domain ACL for this to work, as that is all explained in the Microsoft document.

Following the instructions, I created a GPO that enables both the Trusted Platform Module Services computer configuration setting Turn on TPM backup to Active Directory Domain Services and the BitLocker Drive Encryption computer configuration setting Store BitLocker recovery information in Active Directory Domain Services.

After allowing the machine to pick up the GPO, and a restart to be sure, I enabled BitLocker, then checked in AD and found that nothing was being backed up. Strange, I thought, as this matches a problem in the office at work; there we had attributed it to a potential issue with our AD security ACEs, but at home this is a brand new Windows Server 2012 whose ACEs have been untouched since the OOBE.

After scratching my head a little and a bit more poking around in Group Policy, I clocked it. The settings described in the documentation are for Windows Vista (and Windows Server 2008). Windows 7 and Windows 8 clients rely on a different set of Group Policy Computer Configuration settings.

These newer settings give you far more granular control of BitLocker than the Vista settings did, so much so that Microsoft elected that the Vista settings would simply not apply to Windows 7 or 8 and that the new settings must be used instead.

You can find the new settings under Computer Configuration > Policies > Administrative Templates > Windows Components > BitLocker Drive Encryption. The settings in the root of this node are the existing Vista settings. The Windows 7 and Windows 8 settings live in the three child nodes: Fixed Data Drives, Operating System Drives and Removable Data Drives.

Each node gives you specific, granular control over how BitLocker treats that class of volume: whether to store the recovery information in AD DS (Choose how BitLocker-protected operating system drives can be recovered), whether to allow the user to configure a PIN or to use the TPM alone (Require additional authentication at startup) and, second only to AD DS archiving in my opinion, whether to let the user choose or to mandate that the entire drive or only the used space is encrypted (Enforce drive encryption type on operating system drives, Windows 8 onwards). The recovery setting also carries the checkbox Do not enable BitLocker until recovery information is stored to AD DS for operating system drives, which is the real safety net: with it ticked, a client that cannot reach a domain controller to archive the key refuses to start encrypting rather than leaving you with an unarchived key. The Operating System Drives node gives you the most options and will likely be the one most people want to configure, as this is ultimately what determines the behaviour when booting your computer.

I'm sure you'll agree that there are a lot of new settings here over Vista and that this gives you much greater flexibility and control, but with great power comes great responsibility. Make sure you read the effects and impact of each setting carefully, test your configuration and, if possible, back up any data on machines you are testing BitLocker GPOs against, in case the key isn't archived to AD DS and you end up in a situation where you need, but don't have, that recovery key.
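As an added example (not code from the original post), here is the check I would run on a client after enabling BitLocker to confirm the archive actually happened rather than trusting the GPO. It reads the BitLocker policy values that applied to the machine (seeing only the Vista-era value name and not the operating-system-drive one is the symptom described above), compares the volume's recovery password protector against the msFVE-RecoveryInformation objects under the computer account, and, where no copy exists, pushes it to AD DS with Backup-BitLockerKeyProtector (Windows 8 / Server 2012 onwards; manage-bde -protectors -adbackup does the same on Windows 7). It assumes an elevated session on a domain-joined Windows 8 client with the BitLocker and RSAT ActiveDirectory modules, an account permitted to read the recovery objects, and the operating system drive at C:.

```powershell
# Added example, not code from the original post. Assumes: elevated PowerShell on a
# domain-joined Windows 8 / Server 2012 client, BitLocker and ActiveDirectory (RSAT)
# modules present, and an account allowed to read msFVE-RecoveryInformation objects.
Import-Module BitLocker
Import-Module ActiveDirectory

$MountPoint = 'C:'   # assumed drive letter of the operating system drive

# 1. Which BitLocker policy actually applied? The Vista-era setting writes
#    ActiveDirectoryBackup; the Windows 7/8 OS-drive setting writes OSActiveDirectoryBackup
#    and OSRequireActiveDirectoryBackup (value names as used by VolumeEncryption.admx).
$fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
$fve | Select-Object ActiveDirectoryBackup, OSActiveDirectoryBackup, OSRequireActiveDirectoryBackup | Format-List

# 2. Local recovery password protector(s) on the volume. Only this protector type is
#    archived to AD; the TPM or TPM+PIN protector never leaves the machine.
$volume   = Get-BitLockerVolume -MountPoint $MountPoint
$recovery = @($volume.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
if ($recovery.Count -eq 0) {
    throw "No RecoveryPassword protector on $MountPoint; add one with Add-BitLockerKeyProtector -RecoveryPasswordProtector"
}

# 3. Archived copies live as msFVE-RecoveryInformation children of the computer object,
#    named '<timestamp>{<protector GUID>}', so we match each one on the protector ID.
$computerDn = (Get-ADComputer -Identity $env:COMPUTERNAME).DistinguishedName
$archived   = @(Get-ADObject -SearchBase $computerDn -SearchScope OneLevel `
                 -LDAPFilter '(objectClass=msFVE-RecoveryInformation)')

foreach ($p in $recovery) {
    $id    = $p.KeyProtectorId           # e.g. {1A2B3C4D-0000-0000-0000-000000000000}
    $found = $archived | Where-Object { $_.Name -like "*$id*" }
    if ($found) {
        Write-Host "Protector $id is archived in AD DS as $($found.DistinguishedName)"
    } else {
        Write-Warning "Protector $id is NOT in AD DS; archiving it now"
        # Equivalent to: manage-bde -protectors -adbackup C: -id $id
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $id
    }
}
```

The manual backup in step 3 still depends on the schema and ACL work from the Microsoft guide: the computer account (SELF) must be allowed to create msFVE-RecoveryInformation objects beneath itself, so a failure here points at permissions rather than at the GPO.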

Windows Server 2012 Essentials Initial Admin Thoughts

I spend my days working with Windows Servers, and increasingly with Windows Server 2012. Whilst I may not know everything there is to know (and who does, after all), I like to think I know quite a bit on the subject, and therefore my understanding of what's good and proper is generally sound. Once the installation of Windows Server 2012 Essentials completed, I drilled through some of the back-end interfaces to dig up how it works and how it is strung together, and these are my opinions, as an administrator, based on what I found.

Active Directory Domain Services (ADDS)

As we know, Windows Server 2012 Essentials, unlike Windows Home Server 2011, creates a domain. It does this with the greatest of ease for the end user driving the install, but with ease comes a lack of control, as is evident here.

The domain is created at the Windows Server 2012 domain and forest functional level, which is good; however, the Active Directory Recycle Bin feature, added in Windows Server 2008 R2 AD DS, is left disabled. I think it should be enabled to help out people who accidentally delete user or computer accounts.

The domain is created with a .local DNS suffix, which for me is not nice, as .local names can cause problems depending on what you are trying to do with the domain environment. If you read the literature for Office 365, federation using AD FS is not supported with .local domains.

The case sensitivity of the installer has big implications for the domain name created. I personally like to see a lowercase domain name (FQDN) with an uppercase Pre-Windows 2000 domain name (NetBIOS), but the installer uses the same name for both. As noted in my previous post on installing Windows Server 2012 Essentials, whatever you type in the Internal Domain Name text field will be used for both, so be careful with that. You can change the Pre-Windows 2000 domain name using Active Directory Users and Computers (ADUC) or the PowerShell cmdlets, but whether this has implications for the Dashboard and other Essentials functionality is not clear without testing.

When new users and computers are added to or connected to the domain using the Dashboard and the client computer connector software, the new objects are placed in the Users and Computers containers respectively. I tried using redirusr and redircmp to move new object creation to an OU, but this didn't work and everything still lands in the containers. Manually moving the objects later seems to cause no issues, but I think it's very bad that the installer doesn't at least create initial OUs for these objects, as GPOs cannot be linked to containers.

In Active Directory Sites and Services, no IP subnets are configured and linked to the site, and the site is left with the standard name of Default-First-Site-Name. I don't see any problem in renaming this and adding the subnets.

DNS

The DNS role is installed as a requirement for AD DS. The installation is basic, very basic. One forward lookup zone is created for the DNS domain name specified in the installer, but no reverse lookup zone. No forwarders are configured, so all recursive lookups will be hitting the root hints servers unless you configure the Essentials server to use the ISP router as its DNS server, which brings me to the next point, linked to DHCP. Clients will normally be receiving DHCP leases from a self-bought or ISP router, which will configure the clients with itself as the sole DNS server.

Unless the connector client does something very nasty like configuring a static DNS server on the NIC in use for the Essentials server, how will it be able to resolve DNS records on the server when it is relying on the records from the router?

Lastly on DNS, scavenging is disabled, so if you do use DHCP and have your clients leasing addresses directly from the Essentials server (which I would recommend), stale records won't get cleaned up.
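As an added example (not code from the original post), the following PowerShell puts right the AD DS and DNS gaps listed above in one pass: it enables the AD Recycle Bin, renames Default-First-Site-Name and attaches the LAN subnet, adds DNS forwarders, creates the missing reverse lookup zone and turns on scavenging with aging on both zones. It assumes an elevated session on the Essentials server itself with the ActiveDirectory and DnsServer modules; the site name, subnet and forwarder addresses are placeholders to replace with your own.

```powershell
# Added example, not part of the original post. Assumes an elevated session on the
# Essentials server with the ActiveDirectory and DnsServer modules (Server 2012).
Import-Module ActiveDirectory
Import-Module DnsServer

$SiteName   = 'Home'                            # placeholder site name
$Subnet     = '192.168.1.0/24'                  # placeholder LAN subnet (a /24 is assumed below)
$Forwarders = @('203.0.113.1', '203.0.113.2')   # placeholders from the RFC 5737 documentation range

$forest   = Get-ADForest
$domain   = Get-ADDomain
$configNc = (Get-ADRootDSE).configurationNamingContext

# AD Recycle Bin is forest-wide and cannot be disabled again, hence the explicit -Confirm:$false.
$rb = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if (-not $rb.EnabledScopes) {
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
        -Scope ForestOrConfigurationSet -Target $forest.RootDomain -Confirm:$false
}

# Give the site a real name and a subnet so clients resolve their site correctly.
if (Get-ADReplicationSite -Filter "Name -eq 'Default-First-Site-Name'") {
    Rename-ADObject -Identity "CN=Default-First-Site-Name,CN=Sites,$configNc" -NewName $SiteName
}
if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$Subnet'")) {
    New-ADReplicationSubnet -Name $Subnet -Site $SiteName
}

# Forwarders: recursive queries go to chosen resolvers instead of the root hints.
Add-DnsServerForwarder -IPAddress $Forwarders

# Reverse lookup zone for the LAN: AD-integrated, secure dynamic updates only.
$octets      = $Subnet.Split('/')[0].Split('.')
$reverseZone = "$($octets[2]).$($octets[1]).$($octets[0]).in-addr.arpa"   # valid for a /24
if (-not (Get-DnsServerZone -Name $reverseZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -NetworkId $Subnet -ReplicationScope Domain -DynamicUpdate Secure
}

# Scavenging: server-level switch plus aging on each zone. No-refresh + refresh must
# exceed the DHCP lease so a live client's record is never scavenged; static records
# are not aged, so DC and server records created by hand are safe.
Set-DnsServerScavenging -ScavengingState $true -ScavengingInterval 7.00:00:00 `
    -RefreshInterval 7.00:00:00 -NoRefreshInterval 7.00:00:00 -ApplyOnAllZones
foreach ($zone in @($domain.DNSRoot, $reverseZone)) {
    Set-DnsServerZoneAging -Name $zone -Aging $true
}
```

Run it once, then check Get-ADOptionalFeature, Get-ADReplicationSubnet and Get-DnsServerZoneAging to confirm each change took; the forwarder and scavenging changes are server-local, so they need repeating on any additional DNS server you add later.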

Certificate Authority (CA)

The installer configures an Enterprise Root CA on the server, which is therefore an online root that is also the issuing CA. Anyone who knows PKI knows that an online root CA is bad news. I know it's the only option, as you can't expect people to stand up two servers, one to remain powered off for its life as an offline root CA, but that doesn't stop it from being horrid.

The most annoying thing here is the name the CA is given: [DomainName]-[ServerName]-CA. This is totally unfriendly and looks ghastly in any of your certificates. The CA isn't configured to grant the account you specify as the administrator during the installer a KRA or an EFS DRA role, so hope that nobody in your house or office tries to be clever and EFS-encrypts their documents before losing the private key needed to open them.

Network Access Protection (NAP)

This role is installed to assign policy for the VPN and Remote Web Access. The administrative console for it is not installed, keeping you blind to its configuration, but you can easily install it using Server Manager by adding the RSAT feature for NAP.

Remote Desktop Services (RDS) Gateway

This component is used for Remote Web Access. As with NAP, the console is not installed, keeping you in the dark, but you can again install it using Server Manager by adding the RSAT feature for Remote Desktop Gateway Tools.

Oddbox

Other random bits and pieces I noticed whilst poking around were as follows:

  • Memory usage for the base install is 1.4GB and CPU usage while idle was 4% on my Hyper-V 3.0 VM on my Core i3 desktop PC. It will be interesting to see how my physical AMD E-350 Zacate home server processor handles it, or how the processor in the HP MicroServer would fare.
  • No Group Policy Objects are configured aside from the two default domain policies. Do not rename either of the default policies: options in the Dashboard update the configuration of these policies, and if the Dashboard looks them up by name rather than by GUID, you will hit problems.
  • The Server Backup feature within the Dashboard relies on a dedicated, assigned local disk. There is no option to make use of Windows Azure cloud backup, which is now supported in the Windows Server 2012 iteration of Windows Server Backup. I think Microsoft are missing a trick here, as other third parties such as CloudBerry are already cashing in on the cloud backup market, a la Windows Home Server 2011.
  • Deleting any of the default server shares, such as Recorded TV or Company (if you aren't a company and aren't using Media Center for live TV archiving to the Essentials server), causes warnings of missing folders in the Dashboard and Critical status alerts in the alert panel. There is a workaround for this courtesy of Philip Churchill at http://www.mswhs.com/2012/09/remove-default-shares-in-ws2012-essentials/.