deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 13:27:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge branch 'master' of https://github.com/Microsoft/win-cpub-itpro-docs into vso-9235427

Browse Source
This commit is contained in:
Celeste de Guzman 2017-01-17 11:22:36 -08:00
commit ba178552d4
1 changed files with 18 additions and 27 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

45
windows/keep-secure/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md
View File

@ -33,8 +33,7 @@ Windows PowerShell or the manage-bde command line interface is the preferred met
>**Note:**  Mount points can be used to support remote mount points on SMB based network shares. This type of share is not supported for BitLocker encryption. >**Note:**  Mount points can be used to support remote mount points on SMB based network shares. This type of share is not supported for BitLocker encryption.
   
For thinly provisioned storage, such as a Dynamic Virtual Hard Disk (VHD), BitLocker runs in Used Disk Space Only encryption mode. You cannot use the **manage-bde WipeFreeSpace** command to transition the volume to full-volume encryption on these types of volumes. This occurs because Full For thinly provisioned storage, such as a Dynamic Virtual Hard Disk (VHD), BitLocker runs in Used Disk Space Only encryption mode. You cannot use the **manage-bde -WipeFreeSpace** command to transition the volume to full-volume encryption on these types of volumes. This is blocked in order to avoid expanding thinly provisioned volumes to occupy the entire backing store while wiping the unoccupied (free) space.
Encryption requires an end marker for the volume and dynamically expanding VHDs do not have a static end of volume marker.
### Active Directory-based protector ### Active Directory-based protector
@ -57,28 +56,22 @@ BitLocker encryption is available for disks before or after addition to a cluste
1. Install the BitLocker Drive Encryption feature if it is not already installed. 1. Install the BitLocker Drive Encryption feature if it is not already installed.
2. Ensure the disk is formatted NTFS and has a drive letter assigned to it. 2. Ensure the disk is formatted NTFS and has a drive letter assigned to it.
3. Enable BitLocker on the volume using your choice of protector. A password protector is used in the Windows PowerShell script example below. 3. Identify the name of the cluster with Windows PowerShell.
``` syntax
Enable-BitLocker E: -PasswordProtector -Password $pw
```
4. Identify the name of the cluster with Windows PowerShell.
``` syntax ``` syntax
Get-Cluster Get-Cluster
``` ```
5. Add an **ADAccountOrGroup**protector to the volume using the cluster name using a command such as: 4. Enable BitLocker on the volume of your choice with an **ADAccountOrGroup** protector, using the cluster name. For example, use a command such as:
``` syntax ``` syntax
Add-BitLockerProtector E: -ADAccountOrGroupProtector -ADAccountOrGroup CLUSTER$ Enable-BitLocker E: -ADAccountOrGroupProtector -ADAccountOrGroup CLUSTER$
``` ```
>**Warning:**  You must add an **ADAccountOrGroup** protector using the cluster CNO for a BitLocker enabled volume to either be shared in a Cluster Shared Volume or to failover properly in a traditional failover cluster. >**Warning:**  You must configure an **ADAccountOrGroup** protector using the cluster CNO for a BitLocker enabled volume to either be shared in a Cluster Shared Volume or to fail over properly in a traditional failover cluster.
   
6. Repeat steps 1-6 for each disk in the cluster. 5. Repeat the preceding steps for each disk in the cluster.
7. Add the volume(s) to the cluster. 6. Add the volume(s) to the cluster.
### Turning on BitLocker for a clustered disk using Windows PowerShell ### Turning on BitLocker for a clustered disk using Windows PowerShell
@ -97,28 +90,26 @@ When the cluster service owns a disk resource already, it needs to be set into m
Get-ClusterResource "Cluster Disk 1" | Suspend-ClusterResource Get-ClusterResource "Cluster Disk 1" | Suspend-ClusterResource
``` ```
4. Enable BitLocker on the volume using your choice of protector. A password protector is used in the example below. 4. Identify the name of the cluster with Windows PowerShell.
``` syntax
Enable-BitLocker E: -PasswordProtector -Password $pw
```
5. Identify the name of the cluster with Windows PowerShell
``` syntax ``` syntax
Get-Cluster Get-Cluster
``` ```
6. Add an **ADAccountOrGroup** protector with the Cluster Name Object (CNO) to the volume using a command such as: 5. Enable BitLocker on the volume of your choice with an **ADAccountOrGroup** protector, using the cluster name. For example, use a command such as:
``` syntax ``` syntax
Add-BitLockerProtector E: -ADAccountOrGroupProtector -ADAccountOrGroup CLUSTER$ Enable-BitLocker E: -ADAccountOrGroupProtector -ADAccountOrGroup CLUSTER$
``` ```
>**Warning:**  You must add an **ADAccountOrGroup** protector using the cluster CNO for a BitLocker enabled volume to either be shared in a Cluster Shared Volume or to failover properly in a traditional failover cluster. >**Warning:**  You must configure an **ADAccountOrGroup** protector using the cluster CNO for a BitLocker enabled volume to either be shared in a Cluster Shared Volume or to fail over properly in a traditional failover cluster.
   
7. Repeat steps 1-6 for each disk in the cluster. 6. Use **Resume-ClusterResource** to take the physical disk resource back out of maintenance mode:
8. Add the volume(s) to the cluster
``` syntax
Get-ClusterResource "Cluster Disk 1" | Resume-ClusterResource
```
7. Repeat the preceding steps for each disk in the cluster.
### Adding BitLocker encrypted volumes to a cluster using manage-bde ### Adding BitLocker encrypted volumes to a cluster using manage-bde