I needed to install a test enviroment for Microsoft BitLocker Administration (MBAM) 1.0, to test an upgrade to 2.5 SP1.
Here is a short guide how to install and configure Microsoft BitLocker Administration (MBAM) 1.0.
Requirements:
- Windows Server 2008 R2
- Microsoft SQL Server 2008 R2 (with SP2)
- Microsoft SQL Server Reporting Services 2008 R2 (with SP2)
- Desktop Optimization Pack 2015 (MDOP)
Installation:
First of all, we need to install the .NET 3.5.1 Framework, this can be done by running the following in a PowerShell shell
|
1 |
Dism /online /enable-feature /featurename:NetFX3 /All /Source:"<Win2008 R2 Installations Media>" /LimitAccess |
Next you will need to install the prerequisites for MBAM.
- Roles
- Web Server (IIS)
- Common HTTP Features
- Static Content
- Default Document
- Application Development
- ASP.NET
- .NET Extensibility
- ISAPI Extensions
- ISAPI Filters
- Security
- Windows Authentication
- Request Filtering
- Common HTTP Features
- Web Server (IIS)
- Features
- Microsoft .NET Framework 3.5.1
- WCF Activation
- HTTP Activation
- Non-HTTP Activation
- Windows Process Activation Service
- Process Model
- .NET Environment
- Configuration API
- WCF Activation
- Microsoft .NET Framework 3.5.1
Run the following PowerShell command to install all of above.
|
1 |
Add-WindowsFeature Web-Server, Web-Static-Content, Web-Default-Doc, Web-App-Dev, Web-Asp-Net, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Security, Web-Windows-Auth, Web-Filtering, NET-Framework, NET-Framework-Core, NET-HTTP-Activation, NET-Non-HTTP-Activ, WAS, WAS-Process-Model, WAS-NET-Environment, WAS-Config-APIs |
Now we need to install the SQL services on the machine. Mount the Microsoft SQL Server 2008 R2 media, and run the following.
I have the following disk layout for almost all my database servers.
- Drive:\ – (Mount Point)
- Drive:\MSSQL\SystemDB – (SQL Data Directory)
- Drive:\MSSQL\TempDB – (SQL Temp DB)
- Drive:\MSSQL\TempDB\Data – (SQL Temp DB – Data)
- Drive:\MSSQL\TempDB\Log – (SQL Temp DB – Log)
- Drive:\MSSQL\Data – (User databases – Data)
- Drive:\MSSQL\Log – (User databases – Log)
I’m also using 3 different service accounts for SQL Engine, SQL Agent and SQL Reporting Service.
Now run the following in a cmd.exe, change it to your needs.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 |
setup.exe /QS /IACCEPTSQLSERVERLICENSETERMS /ACTION=Install /INDICATEPROGRESS ^ /FEATURES=SQL,RS,ADV_SSMS,Conn ^ /SECURITYMODE=SQL ^ /SAPWD="[SQL SA - CODE HERE]" ^ /INSTANCENAME=INS01 ^ /INSTANCEID=INS01 ^ /AGTSVCACCOUNT="[SQL Agent - Service Account]" ^ /AGTSVCPASSWORD="[SQL Agent - CODE HERE]" ^ /AGTSVCSTARTUPTYPE="Automatic" ^ /BROWSERSVCSTARTUPTYPE="Automatic" ^ /SQLCOLLATION="SQL_Latin1_General_CP1_CI_AS" ^ /SQLSVCACCOUNT="[SQL Engine - Service Account]" ^ /SQLSVCPASSWORD="[SQL Engine - CODE HERE]" ^ /SQLBACKUPDIR="D:\MSSQL\Data\Backup" ^ /INSTALLSQLDATADIR="D:\MSSQL\SystemDB" ^ /SQLTEMPDBDIR="D:\MSSQL\TempDB\Data" ^ /SQLTEMPDBLOGDIR="D:\MSSQL\TempDB\Log" ^ /SQLUSERDBDIR="D:\MSSQL\Data" ^ /SQLUSERDBLOGDIR="D:\MSSQL\Log" ^ /RSSVCStartupType="Automatic" ^ /RSSVCACCOUNT="[SQL SSRS - Service Account]" ^ /RSSVCPASSWORD="[SQL SSRS - CODE HERE]" ^ /SQLSYSADMINACCOUNTS="[SQL - Admin AD Group]" ^ |
After the SQL Server installation, please update to the latest service pack (which is SP3), you can use the following command in a cmd.exe terminal.
|
1 |
SQLServer2008R2SP3-KB2979597-x64-ENU.exe /qs /IAcceptSQLServerLicenseTerms /Action=Patch /AllInstances |
Configuration:
Now change the SQL TCP port to 1433, here’s a script (PowerShell) that can do it for you.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 |
function Set-SQLTCPPort ($SQLName , $Instance, $port) { Try { $SQLName $Instance # Load SMO Wmi.ManagedComputer assembly [System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SqlServer.SqlWmiManagement") | out-null Trap { $err = $_.Exception while ( $err.InnerException ) { $err = $err.InnerException write-output $err.Message } continue } # Connect to the instance using SMO $m = New-Object ('Microsoft.SqlServer.Management.Smo.Wmi.ManagedComputer') $SQLName $urn = "ManagedComputer[@Name='$SQLName']/ServerInstance[@Name='$Instance']/ServerProtocol[@Name='Tcp']" $Tcp = $m.GetSmoObject($urn) $Enabled = $Tcp.IsEnabled #Enable TCP/IP if not enabled IF (!$Enabled) {$Tcp.IsEnabled = $true } #Set to listen on 50000 and disable dynamic ports $m.GetSmoObject($urn + "/IPAddress[@Name='IPAll']").IPAddressProperties[1].Value = $port $m.GetSmoObject($urn + "/IPAddress[@Name='IPAll']").IPAddressProperties['TcpDynamicPorts'].Value = '' $TCP.alter() "Success: SQL set to listen on TCP/IP port $port. Please restart the SQL service for changes to take effect." Write-Host "Stopping Instance" Stop-Service -Name ("MSSQL$" + $Instance) -Force Write-Host "Starting Instance" Start-Service -Name ("MSSQL$" + $Instance) } Catch { Write-Warning "Unable to enable TCP/IP & set SQL to listen on port $port" } } "Changing TCP port to $port..." Set-SQLTCPPort "[Server Name]" "[Instance Name]" "1433" |
Now we need to configure the Reporting Service.
- Open “Reporting Services Configuration Manager” default located at “C:\Program Files (x86)\Microsoft SQL Server\100\Tools\Binn\RSConfigTool.exe“.
- Connect to your reporting instance, click “Connect“.
- Creating new report databases:
- Navigate to “Database” and click on “Change database“.
- Mark “Create a new report server database.”, and click “Next“.
- Choose the database server instance, click “Next“.
- Choose “Native Mode” and maybe change your database name to “MBAM_ReportServer“, click “Next“.
- Click “Next” until you finish the wizard.
- Setup Web Service URL:
- Navigate to “Web Service URL” and change your virtual directory name to “ReportServer“. Click “Apply“.
- Setup Report Manager URL:
- Navigate to “Report Manager URL“, and change your virtual directory name to “Reports“. Click “Apply“.
Before we can run the MBAM installer, we need to set a master key encryption on the database server.
- Open “SSMS.exe“, and connect to the SQL Server instance.
- Execute the following statement against the master database.
12USE masterCREATE MASTER KEY ENCRYPTION BY PASSWORD = 'MyPassword'
We are now able to install the MBAM service, you can get the MDOP that contains the MBAM setup files with your MSDN or VLSC account.
- Run the “MbamSetup.exe” (64-bit).
- Click on “Start“.
- Accept the terms and conditions, click “Next”.
- If the prequirements test succeed, choose if you want encryption in your installation. Choose the certificate and click “Next“.
- If you choose encryption, make sure that your SQL Engine service account is able to read the certificate.
- run “MMC.exe” -> “File” -> Choose “Add/Remove Snap-in” -> Add “Certificates” -> Choose “Computer Account” -> Click “Next” and “Finish” -> “OK“.
- Navigate to “Certificates” -> “Personal” -> “Certificates” -> Right click on the certificate -> “All Tasks” then “Manage Private Keys” -> Add your SQL Engine account with “Full Control“.
- Verify the database configuration page, and click “Next“.
- Choose your service account (remember to make it sysadmin on the database) that needs to run the web application pool.
- Configure the TCP IP port binding, host name and installation path for the web application. Click “Next“.
- Go through the wizard until the installation is completed.