Have you ever considered running BitLocker to encrypt the drives within a virtual machine running on, for example, Hyper-V or VMware? On the face of it, it seems a sensible thing to do, especially given how portable VHDX and VMDK files are: anyone who can copy the file can mount the disk and read its contents. Although the process of enabling BitLocker inside a VM is described online, you should be aware that it is not actually supported.
The Microsoft support statement is here:
Can I use BitLocker within a virtual machine operating environment?
BitLocker is not supported for use within a virtual machine. Do not run BitLocker Drive Encryption within a virtual machine. You can use BitLocker in the virtual machine management operating system to protect volumes that contain configuration files, virtual hard disks, and snapshots.
The VMware support statement follows logically from Microsoft's:
As the operating system vendor does not support this configuration, it is unsupported by VMware in a Player, Workstation, Fusion or ESX/ESXi virtual machine.
In the context of Active Directory Domain Controllers, Microsoft makes the following recommendations for securing virtual domain controllers:
If you implement virtual domain controllers, you should ensure that domain controllers run on separate physical hosts than other virtual machines in the environment. Even if you use a third-party virtualization platform, consider deploying virtual domain controllers on Hyper-V Server in Windows Server 2012 or Windows Server 2008 R2, which provides a minimal attack surface and can be managed with the domain controllers it hosts rather than being managed with the rest of the virtualization hosts. If you implement System Center Virtual Machine Manager (SCVMM) for management of your virtualization infrastructure, you can delegate administration for the physical hosts on which domain controller virtual machines reside and the domain controllers themselves to authorized administrators. You should also consider separating the storage of virtual domain controllers to prevent storage administrators from accessing the virtual machine files.
Source: Best Practices for Securing Active Directory
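The supported configuration in Microsoft's statement is BitLocker on the host, protecting the volumes that hold the VM configuration files, virtual hard disks and snapshots, and the Active Directory guidance adds that those volumes should be kept away from other administrators. The script below is an added example, not code from the original post or from Microsoft, that audits a Hyper-V host for exactly that: it resolves every path each VM depends on to the host volume it sits on and reports that volume's BitLocker state. It assumes it is run elevated on the Hyper-V host with the Hyper-V and BitLocker PowerShell modules available (Get-VM, Get-VMHardDiskDrive and Get-BitLockerVolume); the function names are my own.

```powershell
# Added example (not from the original post): confirm that every host volume
# holding VM configuration files, virtual hard disks, snapshots and smart
# paging files is BitLocker-protected on the Hyper-V host.
# Assumes: elevated session on the host, Hyper-V and BitLocker modules present.
# Function names Get-VMStorageVolume / Test-VMStorageEncryption are my own.

function Get-VMStorageVolume {
    # Collect every path a VM depends on and reduce it to the volume it sits on.
    param([Parameter(Mandatory)] $VM)

    $paths = @(
        $VM.ConfigurationLocation,
        $VM.SnapshotFileLocation,
        $VM.SmartPagingFilePath
    )
    $paths += (Get-VMHardDiskDrive -VM $VM | ForEach-Object { $_.Path })

    $paths | Where-Object { $_ } | ForEach-Object {
        # Local paths reduce to a drive letter such as "D:".
        # UNC paths (SMB shares) have no qualifier and are returned as-is.
        # Note: Cluster Shared Volumes appear under C:\ClusterStorage\ and must be
        # assessed as cluster volumes, not as the host's C: drive.
        if ($_ -match '^[A-Za-z]:') { Split-Path -Path $_ -Qualifier } else { $_ }
    } | Sort-Object -Unique
}

function Test-VMStorageEncryption {
    # Emit one object per VM/volume pair with the host BitLocker state of that volume.
    param([string] $VMName = '*')

    foreach ($vm in Get-VM -Name $VMName) {
        foreach ($volume in Get-VMStorageVolume -VM $vm) {
            # Remote storage has to be checked on the file server that owns it.
            $state = 'NotALocalVolume'
            if ($volume -match '^[A-Za-z]:$') {
                $bl = Get-BitLockerVolume -MountPoint $volume -ErrorAction SilentlyContinue
                $state = if ($null -eq $bl) {
                    'NoBitLockerInfo'   # BitLocker feature missing or volume not visible
                } else {
                    "$($bl.ProtectionStatus)/$($bl.VolumeStatus)"
                }
            }
            [pscustomobject]@{
                VM        = $vm.Name
                Volume    = $volume
                BitLocker = $state
                # Only "On/FullyEncrypted" counts: protection suspended or
                # encryption still in progress leaves the VM files readable.
                Encrypted = ($state -eq 'On/FullyEncrypted')
            }
        }
    }
}

# Usage: list every VM whose files sit somewhere the host is not fully protecting.
Test-VMStorageEncryption | Where-Object { -not $_.Encrypted } | Format-Table -AutoSize
```

A VM whose disks live on an SMB share will show up as NotALocalVolume; that is not a pass, it means the check has to be repeated on the storage host, which is also where the storage-administrator separation from the Active Directory guidance has to be enforced.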
It will be interesting to see whether Microsoft change their support statement in future versions of Windows. I’ve not seen anything in Windows Server 2012 R2 to indicate a change, so it might be a while yet.