Windows 7 is actively being deployed by companies, big and small. Some features in Windows 7 (especially features in Windows 7 Enterprise) require changes in the back ends of these environments. While some upgrades are evident, some may not be. This series of posts details the changes that are wise to make to your Active Directory environment to smooth the transition to Windows 7 and enable its compelling features for your specific environment.
BitLocker & TPM Recovery Information
Requires at least:
- Windows Server 2003 SP1+-based Domain Controllers (all)
- Recovery Key Password viewer installed
- Schema Administrator rights to extend the Active Directory schema
- Domain Administrator rights to enable and view Recovery Key information
BitLocker is a technology in Windows Vista and Windows 7 to encrypt files. BitLocker Drive Encryption offers encryption of all the disks in a system. BitLocker To Go, new in Windows 7, offers encryption of USB media.
With BitLocker Drive Encryption, one of the risks is that the device becomes unbootable or the encryption gets borked. In these cases, BitLocker and/or TPM recovery information needs to be entered. When the command to encrypt the disk is given, options are presented to store the BitLocker Recovery Key. This key, consisting of five blocks of five characters, can be stored in a file or on a USB stick. Under the hood, an administrator can also specify that the BitLocker Recovery Key needs to be stored in Active Directory. When, during encryption, the option is used to tie BitLocker to an onboard TPM chip, a hash of the TPM ownership password will be stored in Active Directory as well. To store this information in Active Directory, your Active Directory environment will need to meet the following requirements:
Windows 2000 Server-based Domain Controllers
For environments with Windows 2000 Server-based Domain Controllers, all Domain Controllers need to be upgraded or migrated to Windows Server 2003 with at least Service Pack 1. Domain Controllers prior to Windows Server 2003 SP1 are incapable of storing this information securely, since they lack the Active Directory confidential flag.
Windows Server 2003 (R2)-based Domain Controllers
For environments with Windows Server 2003 and Windows Server 2003 R2-based Domain Controllers, all Domain Controllers need to be running at least Service Pack 1. The Active Directory schema needs to be extended using BitLockerTPMSchemaExtension.ldf, and the default permissions on computer objects need to be adjusted with Add-TPMSelfWriteACE.vbs to allow the computer to write the information.
Also, to view BitLocker and TPM recovery information in these environments, the Get-TPMOwnerInfo.vbs and Get-BitLockerRecoveryInfo.vbs scripts need to be used.
Windows Server 2008 (R2)-based Domain Controllers
For environments with Windows Server 2008 and Windows Server 2008 R2-based Domain Controllers, storage of BitLocker and TPM recovery information is available out of the box. To view BitLocker and TPM recovery information, you may use the BitLocker Active Directory Recovery Password Viewer, which is available as a server feature in Windows Server 2008 R2 and as an optional feature of the Remote Server Administration Tools (RSAT) for Windows 7. For Windows Vista and Windows Server 2008, the BitLocker Active Directory Recovery Password Viewer is an optional download.
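As an added example (not code from the original post or from Microsoft's scripts), the PowerShell below audits the prerequisites discussed above on a Windows Server 2003 SP1 or later domain: that the schema extension is present, that the recovery attributes carry the confidential flag, and how many computer objects already store recovery information. It uses ADSI rather than the ActiveDirectory module so it runs without RSAT; it assumes a domain-joined host and a caller with read access to the schema partition, and because the recovery objects are only readable by Domain Admins by default, the coverage count is only complete when run with those rights.

```powershell
# Added example: audit AD readiness for BitLocker/TPM recovery information.
# Attribute names are the lDAPDisplayNames defined by the BitLocker/TPM
# schema extension; the schema searchFlags bit 0x80 marks an attribute as
# confidential, which is why Windows Server 2003 SP1 is the minimum DC level.

$rootDse      = [ADSI]"LDAP://RootDSE"
$schemaNC     = $rootDse.Get("schemaNamingContext")
$defaultNC    = $rootDse.Get("defaultNamingContext")
$Confidential = 0x80   # searchFlags bit: attribute is confidential

function Get-SchemaSearchFlags {
    param([string]$LdapDisplayName)
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.SearchRoot = [ADSI]"LDAP://$schemaNC"
    $s.Filter = "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))"
    [void]$s.PropertiesToLoad.Add("searchFlags")
    $r = $s.FindOne()
    if ($null -eq $r) { return $null }        # attribute missing: schema not extended
    return [int]$r.Properties["searchflags"][0]
}

foreach ($attr in "msFVE-RecoveryPassword", "msFVE-KeyPackage", "msTPM-OwnerInformation") {
    $flags = Get-SchemaSearchFlags $attr
    if ($null -eq $flags) {
        Write-Warning "$attr not in schema: BitLockerTPMSchemaExtension.ldf has not been applied."
    } elseif (($flags -band $Confidential) -eq 0) {
        Write-Warning "$attr is present but NOT marked confidential (searchFlags=$flags)."
    } else {
        Write-Output "$attr is present and confidential (searchFlags=$flags)."
    }
}

# Coverage: each msFVE-RecoveryInformation object is a child of its computer
# object, so stripping the leading RDN of its DN yields the computer's DN.
$s = New-Object System.DirectoryServices.DirectorySearcher
$s.SearchRoot = [ADSI]"LDAP://$defaultNC"
$s.Filter   = "(objectClass=msFVE-RecoveryInformation)"
$s.PageSize = 1000
[void]$s.PropertiesToLoad.Add("distinguishedName")
$computers = $s.FindAll() | ForEach-Object {
    $_.Properties["distinguishedname"][0] -replace '^CN=[^,]+,', ''
} | Sort-Object -Unique

Write-Output "$(@($computers).Count) computer object(s) have BitLocker recovery information in AD."
```

A warning on the confidential bit is the one to act on first: without it, the recovery password is readable by any authenticated user with read access to the computer object.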
DirectAccess
Requires at least:
- At least one Windows Server 2008 or Windows Server 2008 R2-based Domain Controller, configured as Global Catalog (GC) server
- At least one Windows Server 2008 or Windows Server 2008 R2-based Domain Name System (DNS) server
- Windows Server 2003 native Domain Functional Level (Windows Server 2008 R2 Domain Functional Level is required for the optional, but recommended, Smart Card authorization for DirectAccess)
- Active Directory Certificate Services
- Domain Administrator rights to set up DirectAccess
DirectAccess is a feature in Windows 7 Ultimate and Windows 7 Enterprise that allows end users to gain transparent secure access to the corporate network through a Windows Server 2008 R2-based DirectAccess server, utilizing (under the hood) IPv6 and certificates.
DirectAccess clients and servers need to access an IPv6-capable domain controller and Global Catalog (GC) running Windows Server 2008 or Windows Server 2008 R2 on the internal network. Of course these servers may use the (default) dual stack (IPv4 and IPv6 side-by-side) configuration.
To accommodate a Windows Server 2008 or Windows Server 2008 R2 domain controller, your domain functional level must be at least Windows Server 2003 native.
Last but not least, the DirectAccess server itself needs to run Windows Server 2008 R2 and be connected to the Internet using two (consecutive) IPv4 addresses.