EFS encryption of VHD files for virtual Domain Controllers

Andre Keartland

Feb 14, 2006, 2:23:31 PM
I am investigating the possibility to run several branch office domain
controllers as virtual PCs on Virtual Server 2005. I don't have budget for
dedicated domain controllers, so the Virtual Server solution would be a great
way to manage costs.

I am referring to the Microsoft white paper 'Running Domain Controllers in
Virtual Server 2005'
for guidance. I am especially concerned about security of the VPC domain
controllers, as other admins will have access to the host servers, and I
don't want them taking offline copies of the DC VHD files. This would be a
show-stopper security risk. The original v1.0 (April 2004) of the white
paper stated "Use Encrypting File service (EFS) to encrypt the .vhd image.
This encryption results in an approximately 5% decrease in performance for
the domain controller that is running in the virtual machine." I also saw a
TechEd 2005 presentation on Virtual Server solutions for branch offices,
which gave similar advice. This would be a perfect solution to my problem.

However, the later version of the same WP (2.0, November 2004) does not
mention the EFS option. I can't find a single other reference anywhere for
or against this option. Is it still supported? Is it advisable? Why was
this advice dropped? I can imagine taking quite a hit in terms of host CPU
and VPC I/O performance. Do I have any other real alternatives?
Andre Keartland
Inobits Consulting

Andrew Dugdell

Feb 14, 2006, 9:39:54 PM
Hi Andre,

I've experimented with VHDs on EFS (and EFS in VHDs). I can agree with the
5% performance hit.
On consumer class hardware I've seen this as bad as 20%, but personally I
think this is because of poor disk subsystem.

I guess one thing you could try is SYSKey to store your accounts DB on
separate VHD/VFD media (KB 310105) and encrypt that?
Never really thought about it until now.

I've seen a recent reference to support and EFS for VHDs. I will have a
look around and see what I can find.


Andre Keartland

Feb 15, 2006, 12:51:28 AM
Thanks, I'm going to test both configurations in a lab and post the
performance results here.

I think your idea of splitting out the EDB into a separate EFS-encrypted VHD
while keeping the OS VHD unencrypted makes a lot of sense on a certain level.
Although someone will be able to steal the OS VHD, there's not much they can
do with it without Dir.edb. I think a significant portion of the VPC I/O
will be page file, boot disk, etc. - leaving this unencrypted should reduce
the strain. The only danger this may introduce, is that someone could take a
copy of the OS VHD, hack into it (e.g. logging on in Directory Services
Restore Mode) then happily copying the AD data out of the encrypted disk.
Harder than with no encryption, but still feasible.

I wonder why Microsoft pulled the EFS guidance? Was there some hidden
pitfall? It would be great if someone from MS could comment.

Andre Keartland
Inobits Consulting

Andrew Dugdell

Feb 19, 2006, 2:30:40 AM
Hate to be the bearer of bad news, but I haven't found any updated support
articles on EFS and VHDs.

Andre Keartland

Mar 6, 2006, 2:16:30 AM
Posting this for reference ...

I also couldn't find any KB articles stating the support status of this
configuration. However, I did come across this article (below) in the
Virtual Server Technical Reference. It seems to be current, as it references
Windows Server 2003 R2, and it clearly states that EFS for VHDs is a
deployment option for added security:

"Virtual Server security and other Windows technologies"

Encrypting File System (EFS). For added security, you can implement EFS on
the host operating system as well as guest operating systems that are running
Windows Server 2003 operating systems. The most efficient way to implement
EFS on all of the guest operating systems is to implement it on the host
operating system instead. This requires fewer system resources, and conveys
the benefits to all resident guest operating systems.

Product(s): Windows Server 2003,Windows Server 2003 R2,Windows Server 2003
with SP1

Andre Keartland
Inobits Consulting

Andre Keartland

Mar 6, 2006, 2:17:57 AM
This is a summary of the test results:

· The test system was a desktop class PC (P4 2.4 Hyperthreading, 2 GB
RAM, single IDE disk) so lower spec than what I am looking to run in
production (small server with dual P4, 2 GB RAM, SCSI disks). The host and
VPC ran Windows Server 2003 SP1 and we used Virtual Server 2005 R2. No
significant optimization was done on either host or guest, although we did
load the Virtual Server Additions in the guest. I used separate NICs for
host and virtual machine network connections.

· The virtual machine used a single VHD file connected to a virtual IDE
bus, although I would use virtual SCSI in production.

· We used scripts to simulate a workload of approx. 900 NTLM logons per
second, plus some object create/modify/delete operations and LDAP queries.
Simultaneously we ran some batch file copy jobs against shared folders on the
host, to simulate file server load. The cumulative load was far heavier than
will reasonably be experienced on the planned servers, where branch sites are
all < 150 users.

· Test results showed barely a 5% increase in host CPU utilization when
running at peak load, by comparison to the same load where the VPC was
unencrypted. Either way we couldn’t get the CPU load beyond 45-50% on
average. There was no discernible increase in CPU load on the guest VPC when
using EFS. Disk and memory utilization on the host increased negligibly
after the VHD was encrypted. There was no noticeable degradation of host or
guest performance/responsiveness after the VHD was encrypted.

· I did notice that host CPU utilization spiked when a VPC with EFS
encrypted VHD was started or shut down. I can only assume this was due to
the requirement to initially decrypt the file when it was first opened, then
encrypt information stored in memory back to the file when shutting down the
guest VPC. This made guest startup and shutdown take slightly longer,
although not significantly so.

· Disk utilization on the host system was heavy, as can be expected with
the load described. This was probably the biggest performance constraint on
performance. To optimize a system running Virtual Server, the first priority
must probably be to design an adequate disk sub-system. I recommend using
fast SCSI disks; stay away from RAID-5 (use RAID-1 or RAID-0+1 if you need
fault tolerance); place virtual machines VHDs on separate disks from the host
OS, apps and page-file; use virtual SCSI controllers for VHDs. After this
make sure the server has adequate RAM. CPU capacity is probably the least
important factor affecting Virtual Server performance. Having separate
network adapters for your virtual machine traffic is also a good idea.

· In order to get the VPC to start, I had to configure the Virtual
Server service to run using a service account. This account was then given
access to the EFS-encrypted file, under Advanced EFS options. The same
account was also configured to auto-start the VPC.

All in all, I think the performance impact was quite acceptable. Unless
something comes up, e.g. Microsoft telling me this scenario is now officially
unsupported, I plan to use EFS for all my DCs running on Virtual Server.

Andre Keartland
Inobits Consulting

Andrew Dugdell

Mar 7, 2006, 5:13:07 PM
Hi Andre, many thanks for posting back your results.


Scott P.

Jun 12, 2006, 5:29:01 PM
Any chance to get specific details on how this was done in r2?

Was this crazy manual reg change every reboot/startup the only way to do
this? More details would be greatly appreciated. Thanks for the effort!

Scott

Andrew Dugdell

Jun 12, 2006, 11:56:04 PM
Hi Scott,

There is a little more info further down in the thread. A copy of the
snippet is here:

> In order to get the VPC to start, I had to configure the Virtual Server
> service to run using a service account.
> This account was then given access to the EFS-encrypted file, under
> Advanced EFS options.
> The same account was also configured to auto-start the VPC

Let me know if this helps; if not, I have some notes from my own experiences I
have been meaning to clean up and post.

Scott P.

Jun 13, 2006, 8:37:02 AM
I think I'm all set now. I didn't have to play around with the Virtual
Server service account, just set the user account within Virtual Server for
the properties of the VS image I want to EFS.

Thanks for your help though.

Any notes may be a good idea to help clarify for others.

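A worked script for the two steps the thread settles on (encrypt the domain controller's VHD with EFS, then give the account Virtual Server runs the VM under access to the encrypted file) and for the risk Andre raised at the start (a VHD that is sitting unencrypted on a host other admins can reach). This is an added illustration, not code from the thread or from Microsoft's Virtual Server documentation. The VHD directory and the account name are placeholders; the script assumes an NTFS volume, that it runs as the account whose EFS key should own the file, and that the service account already holds an EFS certificate, because `cipher /adduser` can only add an account for which a certificate can be found.

```powershell
# Added example: audit VHD files on a Virtual Server host for EFS encryption,
# encrypt a chosen VHD, and grant the Virtual Server service account access.
# Placeholder values (assumed, not from the thread): $VhdRoot and $ServiceAccount.
param(
    [string]$VhdRoot        = 'D:\VirtualMachines',      # assumed VHD location
    [string]$ServiceAccount = 'CONTOSO\svc-vserver'      # assumed service account
)

# Report every .vhd under the root with its EFS state, read from the file's
# Encrypted attribute. Anything reported as $false is an offline-copy risk.
function Get-VhdEncryptionStatus {
    param([string]$Root)
    Get-ChildItem -Path $Root -Filter *.vhd -Recurse -File | ForEach-Object {
        $attrs = [System.IO.File]::GetAttributes($_.FullName)
        [pscustomobject]@{
            Path      = $_.FullName
            Encrypted = [bool]($attrs -band [System.IO.FileAttributes]::Encrypted)
        }
    }
}

# Encrypt one VHD with the current user's EFS key, then add the service
# account as an additional user (the same thing the thread does by hand under
# Advanced EFS options), and list who can open the file afterwards.
function Protect-Vhd {
    param([string]$Path, [string]$Account)

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "VHD not found: $Path"
    }
    # No-op if the file is already encrypted; the VM must be powered off first,
    # since the host cannot re-write a file that Virtual Server holds open.
    [System.IO.File]::Encrypt($Path)

    # cipher.exe ships with Windows; /adduser /user: looks up the account's
    # EFS certificate and adds it to the file's data decryption fields.
    & cipher.exe /adduser "/user:$Account" $Path
    if ($LASTEXITCODE -ne 0) {
        throw "cipher /adduser failed for $Account on $Path (no EFS certificate for the account?)"
    }

    # /c shows the users and recovery agents able to decrypt the file
    # (Windows Vista / Server 2008 and later; on Server 2003 use efsinfo.exe).
    & cipher.exe /c $Path
}

# Audit first: warn on every unencrypted VHD so none is missed.
$report = Get-VhdEncryptionStatus -Root $VhdRoot
$report | Format-Table -AutoSize
$report | Where-Object { -not $_.Encrypted } | ForEach-Object {
    Write-Warning "Unencrypted VHD found: $($_.Path)"
}

# Then protect each unencrypted VHD and grant the service account access.
$report | Where-Object { -not $_.Encrypted } | ForEach-Object {
    Protect-Vhd -Path $_.Path -Account $ServiceAccount
}
```

Two points follow from the thread rather than from the script. First, EFS binds the file to a key held by a user, so whichever account Virtual Server uses to open the VHD (the service account in Andre's setup, or the per-VM user account Scott configured in the image properties) has to appear in the file's list of authorised users; the audit above only tells you the file is encrypted, not that the right account can still open it, which is why `cipher /c` is worth running after every change. Second, as Andre noted for the split-VHD idea, encrypting only the disk holding the directory database leaves the OS disk copyable, so the audit deliberately flags every VHD, not only the one with NTDS on it.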