You need to ensure that you can access the BitLocker volume if the BitLocker keys are corrupted on the member servers

Your company has several branch offices. Your network consists of a single Active Directory domain.
Each branch office contains domain controllers and member servers. The domain controllers run
Windows Server 2003 SP2. The member servers run Windows Server 2008 R2. Physical security of
the servers at the branch offices is a concern. You plan to implement Windows BitLocker Drive
Encryption (BitLocker) on the member servers. You need to ensure that you can access the BitLocker
volume if the BitLocker keys are corrupted on the member servers. The recovery information must
be stored in a central location. What should you do?

A. Upgrade all domain controllers to Windows Server 2008 R2. Use Group Policy to configure Public
Key Policies.

B. Upgrade all domain controllers to Windows Server 2008 R2. Use Group Policy to enable Trusted
Platform Module (TPM) backups to Active Directory.

C. Upgrade the domain controller that has the schema master role to Windows Server 2008 R2. Use
Group Policy to enable a Data Recovery Agent (DRA).

D. Upgrade the domain controller that has the primary domain controller (PDC) emulator role to
Windows Server 2008 R2. Use Group Policy to enable a Data Recovery Agent (DRA).

Explanation:

MCITP Self-Paced Training Kit Exam 70-646 Windows Server Administration:
Planning BitLocker Deployment
Windows BitLocker Drive Encryption (BitLocker) is a feature that debuted in Windows Vista
Enterprise and Ultimate Editions and is available in all versions of Windows Server 2008. BitLocker
serves two purposes: protecting server data through full volume encryption and providing an
integrity-checking mechanism to ensure that the boot environment has not been tampered with.
Encrypting the entire operating system and data volumes means that not only are the operating
system and data protected, but so are paging files, applications, and application configuration data.
In the event that a server is stolen or a hard disk drive removed from a server by third parties for
their own nefarious purposes, BitLocker ensures that these third parties cannot recover any useful
data. The drawback is that if the BitLocker keys for a server are lost and the boot environment is
compromised, the data stored on that server will be unrecoverable.
To support integrity checking, BitLocker requires a computer to have a chip capable of supporting
the Trusted Platform Module (TPM) 1.2 or later standard. A computer must also have a BIOS that
supports the TPM standard. When BitLocker is implemented in these conditions and in the event
that the condition of a startup component has changed, BitLocker-protected volumes are locked and
cannot be unlocked unless the person doing the unlocking has the correct digital keys. Protected
startup components include the BIOS, Master Boot Record, Boot Sector, Boot Manager, and
Windows Loader.
From a systems administration perspective, it is important to disable BitLocker during maintenance
periods when any of these components are being altered. For example, you must disable BitLocker
during a BIOS upgrade. If you do not, the next time the computer starts, BitLocker will lock the
volumes and you will need to initiate the recovery process. The recovery process involves entering a
48-character password that is generated and saved to a specified location when running the
BitLocker setup wizard. This password should be stored securely because without it the recovery
process cannot occur. You can also configure BitLocker to save recovery data directly to Active
Directory; this is the recommended management method in enterprise environments.
You can also implement BitLocker without a TPM chip. When implemented in this manner there is
no startup integrity check. A key is stored on a removable USB memory device, which must be
present and supported by the computer’s BIOS each time the computer starts up. After the
computer has successfully started, the removable USB memory device can be removed and should
then be stored in a secure location. Configuring a computer running Windows Server 2008 to use a
removable USB memory device as a BitLocker startup key is covered in the second practice at the
end of this lesson.
BitLocker Group Policies
BitLocker group policies are located under the Computer Configuration\Policies\Administrative
Templates\Windows Components\BitLocker Drive Encryption node of a Windows Server 2008 Group
Policy object. In the event that the computers you want to deploy BitLocker on do not have TPM
chips, you can use the Control Panel Setup: Enable Advanced Startup Options policy, which is shown
in Figure 1-7. When this policy is enabled and configured, you can implement BitLocker without a
TPM being present. You can also configure this policy to require that a startup code be entered if a
TPM chip is present, providing another layer of security.

Figure 1-7 Allowing BitLocker without the TPM chip
Other BitLocker policies include:
■ Turn On BitLocker Backup To Active Directory Domain Services: When this policy is enabled, a
computer’s recovery key is stored in Active Directory and can be recovered by an authorized
administrator.

■ Control Panel Setup: Configure Recovery Folder: When enabled, this policy sets the default folder to
which computer recovery keys can be stored.
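As an added example (not from the training kit or the exam page), the following PowerShell checks on a Windows Server 2008 R2 member server whether the "Turn On BitLocker Backup To Active Directory Domain Services" policy described above is applied, then escrows each protected volume's recovery password to AD DS through the Win32_EncryptableVolume WMI class, which is what manage-bde uses on that platform (the BitLocker PowerShell module does not exist on 2008 R2). The registry value names are those written by the BitLocker policy template; the output text is the example's own.

```powershell
# Added example, not code from the training kit. Verifies the AD DS backup policy and
# escrows every recovery password so a central copy exists before a server is deployed
# to a branch office. Run as a local administrator on the member server.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$policy    = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue

# ActiveDirectoryBackup = 1 when "Turn On BitLocker Backup To AD DS" is enabled;
# RequireActiveDirectoryBackup = 1 when the "require backup" option is also set.
if ($policy.ActiveDirectoryBackup -ne 1) {
    Write-Warning 'AD DS backup policy is not applied; recovery passwords stay on the server only.'
}
if ($policy.RequireActiveDirectoryBackup -ne 1) {
    Write-Warning 'Backup is not required: BitLocker can be turned on while AD DS is unreachable.'
}

$ns      = 'root\CIMV2\Security\MicrosoftVolumeEncryption'
$volumes = Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume

foreach ($vol in $volumes) {
    # ProtectionStatus: 0 = protection off, 1 = protection on, 2 = unknown
    $status = $vol.GetProtectionStatus().ProtectionStatus
    if ($status -ne 1) {
        Write-Host ('{0} BitLocker protection is not on (status {1}); skipping' -f $vol.DriveLetter, $status)
        continue
    }

    # KeyProtectorType 3 = numerical password, i.e. the 48-digit recovery password
    $ids = $vol.GetKeyProtectors(3).VolumeKeyProtectorID
    if (-not $ids) {
        Write-Warning ('{0} has no recovery password protector; nothing can be escrowed' -f $vol.DriveLetter)
        continue
    }

    foreach ($id in $ids) {
        # Creates an msFVE-RecoveryInformation object under the computer account.
        # The domain schema must already contain the BitLocker (msFVE) classes, which
        # is why Windows Server 2003 DCs need a schema update or an upgrade first.
        $rc = $vol.BackupRecoveryInformationToActiveDirectory($id).ReturnValue
        if ($rc -eq 0) {
            Write-Host ('{0} recovery password {1} escrowed to AD DS' -f $vol.DriveLetter, $id)
        } else {
            Write-Warning ('{0} escrow of {1} failed, HRESULT 0x{2:X8}' -f $vol.DriveLetter, $id, $rc)
        }
    }
}
```

A non-zero return value typically means the policy is not applied or no writable domain controller could be reached; resolve that before relying on AD DS as the central recovery store.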
