Windows Clustering with Bitlocker

  • Question

  • Hi,

    We are having a problem with a Windows cluster (Windows 2012 R2) with encrypted shared storage, as follows:

    At the beginning, all shared storage drives were mounted in the Windows cluster and the failover between the 2 cluster nodes was always successful.  Later on, BitLocker encryption was added to the shared storage by the following method:

    1) install the BitLocker feature in Windows Server on each cluster server

    2) set "AES 256" in "Choose drive encryption method and cipher strength" in group policy ("Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption") on each cluster server

    3) turn on maintenance mode on the clustered disk to be encrypted in Failover Cluster Manager

    4) disable shadow copies on the clustered disk if they are enabled

    5) run PowerShell

    6) type "manage-bde -on <drive:> -recoverypassword"

    7) type "manage-bde <drive:> -protectors -add -sid <clusternode$>"

    8) turn on shadow copies on the clustered disk if necessary

    9) turn off maintenance mode on the clustered disk in Failover Cluster Manager

    The above method worked perfectly fine until yesterday.  The cluster failover (for maintenance reasons) was unsuccessful and all shared disks failed on the cluster node.  We had to unlock the shared drives with the recovery key, remove them from the cluster and decrypt the drives before adding them back to the cluster.  We also could not perform the same encryption method mentioned above in the cluster anymore.  The clustered disk would go to a failed state once we performed the same method above.

    My question is:

    How could we encrypt the shared storage in the cluster node again and prevent it from happening again?

    Thursday, January 23, 2020 3:04 AM
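    The nine-step procedure above, assembled into one script with a check after each step, as an added example that is not from the original post or from Microsoft. It assumes a cluster disk resource named "Cluster Disk 1" mounted at F:, that the script runs in an elevated PowerShell session on the node that currently owns the disk, and that the SID protector is the cluster name object (CNO) account, shown here as the hypothetical CONTOSO\CLUSTER1$ (the post uses a node account; the CNO is the account the cluster service itself runs as when it brings the disk online). The shadow-copy steps (4 and 8) are left to the operator. Cmdlets are from the built-in FailoverClusters and BitLocker modules, used in place of the manage-bde commands in the post.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original post. Assumed names below.
Import-Module FailoverClusters
Import-Module BitLocker

$ResourceName = 'Cluster Disk 1'        # assumed cluster disk resource name
$MountPoint   = 'F:'                    # assumed drive letter of that disk
$Cno          = 'CONTOSO\CLUSTER1$'     # assumed cluster name object account

$res = Get-ClusterResource -Name $ResourceName
if ($res.OwnerNode.Name -ne $env:COMPUTERNAME) {
    throw "Run this on the owning node ($($res.OwnerNode.Name)), not $env:COMPUTERNAME."
}

# Step 3: maintenance mode so the cluster does not fail the resource while it changes.
Suspend-ClusterResource -Name $ResourceName | Out-Null

try {
    # Step 6: turn BitLocker on with a recovery-password protector
    # (equivalent to: manage-bde -on F: -recoverypassword).
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod Aes256 `
        -RecoveryPasswordProtector | Out-Null

    # Step 7: SID-based protector so any node running the cluster service can unlock
    # (equivalent to: manage-bde F: -protectors -add -sid CONTOSO\CLUSTER1$).
    Add-BitLockerKeyProtector -MountPoint $MountPoint `
        -AdAccountOrGroupProtector -AdAccountOrGroup $Cno | Out-Null

    # Check: both protectors must actually be on the volume before it goes back online.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    $sid = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'AdAccountOrGroup'
    if (-not $rp -or -not $sid) {
        throw "Protectors missing on $MountPoint (recovery: $([bool]$rp), SID: $([bool]$sid))."
    }

    # Escrow the recovery password to Active Directory; fail loudly if that does not work,
    # and keep a copy of $rp.RecoveryPassword somewhere safe outside the cluster.
    Backup-BitLockerKeyProtector -MountPoint $MountPoint `
        -KeyProtectorId $rp.KeyProtectorId -ErrorAction Stop | Out-Null

    # Wait for encryption to finish before handing the disk back to the cluster.
    do {
        Start-Sleep -Seconds 30
        $vol = Get-BitLockerVolume -MountPoint $MountPoint
        Write-Progress -Activity "Encrypting $MountPoint" -Status "$($vol.EncryptionPercentage)%" `
            -PercentComplete $vol.EncryptionPercentage
    } while ($vol.VolumeStatus -eq 'EncryptionInProgress')

    if ($vol.VolumeStatus -ne 'FullyEncrypted') {
        throw "Unexpected volume status on ${MountPoint}: $($vol.VolumeStatus)"
    }
}
finally {
    # Step 9: leave maintenance mode even if an earlier step threw, so the
    # resource state reflects reality rather than staying suspended.
    Resume-ClusterResource -Name $ResourceName | Out-Null
}

# Final check: the resource should come back online with the SID protector alone.
$res = Get-ClusterResource -Name $ResourceName
if ($res.State -ne 'Online') {
    throw "$ResourceName is '$($res.State)' after resume; inspect Get-BitLockerVolume $MountPoint and the cluster log."
}
Write-Host "$ResourceName ($MountPoint) encrypted with AES-256; recovery password ID $($rp.KeyProtectorId) escrowed to AD."
```

    Before trusting the setup for real failovers, move the disk's group to the other node once (Move-ClusterGroup) and confirm it comes online there without a prompt; if the SID protector or the AD escrow is missing on that node's view of the volume, the failure shows up in that test instead of during the next maintenance window.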

All replies

  • Hi ,

    Please check whether the following link is helpful to you:

    BitLocker and Cluster Shared Volumes in Hyper-V Scenarios

    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    Best Regards,

    Candy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com   

    Thursday, January 23, 2020 5:48 AM
  • Hi Candy,

    Thanks for your reply.  However, my Windows cluster is a physical server and the link you provided was referring to Hyper-V servers ONLY.   


    Thursday, January 23, 2020 7:39 AM
  • Hi ,

    Thanks for your clarification.

    >>The clustered disk would go to fail state once we performed the same method above. 

    According to your description, the clustered disk works fine until you enable BitLocker, is that right?

    If my understanding is right, this issue is more related to BitLocker. As far as I know, if an error occurs during the setup of BitLocker (e.g. the BitLocker protector is not successfully stored in AD), the cluster disk might fail to unlock, ending in a Failed status.

    Since our forum doesn't focus on BitLocker-related questions, you might ask this in the Windows Server General forum for better answers:

    https://social.technet.microsoft.com/Forums/Windowsserver/en-US/home?forum=winservergen

    Best Regards,

    Candy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com   

    Thursday, January 23, 2020 8:13 AM