Solved

Storing Bitlocker recovery information in AD

Posted on 2010-08-13
Last Modified: 2013-11-29
Hello,
I am trying to set up a BitLocker environment, so that the recovery information will be stored in Active Directory as a child of the specific computer object.

I followed the instructions in Microsoft's "Configuring Active Directory to Back up Windows BitLocker Drive Encryption and Trusted Platform Module Recovery Information".

The infrastructure used encompasses a Server 2008 and Windows 7 x64 clients with TPM and 2 partitions (one for data and one for the OS, which for performance reasons isn't going to be encrypted).

In Server 2008 the required schemas are already available, but I double-checked and could find all required entries.

CN=ms-FVE-KeyPackage – attributeSchema object
CN=ms-FVE-RecoveryGuid – attributeSchema object
CN=ms-FVE-RecoveryInformation – classSchema object
CN=ms-FVE-RecoveryPassword – attributeSchema object
CN=ms-FVE-VolumeGuid – attributeSchema object
CN=ms-TPM-OwnerInformation – attributeSchema object

Then the required ACE was installed successfully.

After that I created an OU for computers that are going to use BitLocker, linked the following two GPOs and enforced them:

Computer Configuration ->Administrative Templates -> Windows Components -> BitLocker Drive Encryption -> Require BitLocker backup to AD DS (check box selected)

Computer Configuration -> Administrative Templates -> System ->Trusted Platform Module Services -> Turn on TPM backup to Active Directory (enabled) and Require TPM backup to AD DS check box is selected.

I then made sure that the GPO was replicated to the particular PCs, which is the case (running gpresult /r).

Then I activated the TPM, or changed the PWD if it was already active.

I then encrypted the partition using manage-bde -on -recoverypassword DRIVE:

I then used Get-BitlockerRecoveryInfo.vbs to see if recovery and TPM information is stored in AD. It only shows the computer object but no recovery information.

I then tried manage-bde -protectors -adbackup DRIVE: -id (the id which was shown after encryption), which results in "ERROR: Group policy does not permit the storage of recovery information to Active Directory. The operation was not attempted."

Did I miss something?
Question by:img-admin
4 Comments
LVL 6

Expert Comment

by:Vikas Shah
ID: 33428100
 

Author Comment

by:img-admin
ID: 33428572
Ah ok, I can see that this attribute is completely missing also in the domain root.
So the best way is to import the schema manually despite running 2008 R2.
 
LVL 6

Expert Comment

by:Vikas Shah
ID: 33435331
Yep,

Do that and Let me know if you still experience any issues further.

Awaiting Reply,

Regards,
Vikas
 

Accepted Solution

by:
img-admin earned 0 total points
ID: 33465282
Hi. The problem was that the setting for "Fixed Data Drives" -> "Choose how BitLocker-protected fixed drives can be recovered" wasn't set. There you can enable "Save BitLocker recovery information to AD DS for fixed data drives".

The reason I couldn't see the attributes was that my admin account has delegated rights to specific OUs only.
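A check for the two failure modes in the accepted solution, written as an added PowerShell example (not code from the thread or from Microsoft): it reads the per-drive-type BitLocker policy values that the "Fixed Data Drives" setting writes under the FVE policy key, then compares the volume's recovery-password protector IDs against the msFVE-RecoveryInformation child objects of the computer in AD. It assumes the ActiveDirectory module is available, that the account can read the computer's child objects, and that the registry value names (FDVRecovery, FDVActiveDirectoryBackup, OSRecovery, and so on) match VolumeEncryption.admx.

```powershell
# Added example: verify the fixed-data-drive AD backup policy reached the
# client and that its recovery passwords are actually stored in AD.
param([string]$DriveLetter = 'D:')

$fvePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$pol = if (Test-Path $fvePolicy) { Get-ItemProperty -Path $fvePolicy } else { $null }

function Get-PolicyValue([string]$Name) {
    # Missing value means the policy was never applied to this client.
    if ($null -ne $pol -and $null -ne $pol.$Name) { [int]$pol.$Name } else { 0 }
}

# Windows 7 uses the per-drive-type settings; the Vista-era
# "ActiveDirectoryBackup" value alone does not cover fixed data drives.
$checks = [ordered]@{
    'FDVRecovery (fixed-drive recovery policy enabled)'      = Get-PolicyValue 'FDVRecovery'
    'FDVActiveDirectoryBackup (save recovery info to AD DS)' = Get-PolicyValue 'FDVActiveDirectoryBackup'
    'FDVRequireActiveDirectoryBackup (require the backup)'   = Get-PolicyValue 'FDVRequireActiveDirectoryBackup'
    'OSRecovery (OS-drive recovery policy enabled)'          = Get-PolicyValue 'OSRecovery'
    'OSActiveDirectoryBackup (OS drive backup to AD DS)'     = Get-PolicyValue 'OSActiveDirectoryBackup'
}
foreach ($entry in $checks.GetEnumerator()) {
    '{0,-58} {1}' -f $entry.Key, $(if ($entry.Value -eq 1) { 'OK' } else { 'NOT SET' })
}

# Recovery-password protectors on the volume (key protector type 3 =
# numerical password); only these are written to AD by -adbackup.
$ns = 'root\CIMV2\Security\MicrosoftVolumeEncryption'
$vol = Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume `
    -Filter "DriveLetter='$DriveLetter'"
$protectorIds = @($vol.GetKeyProtectors(3).VolumeKeyProtectorID)

# Each backed-up protector is a child object of the computer whose CN ends
# with the protector GUID, e.g. "<timestamp>{GUID}".
Import-Module ActiveDirectory
$computer = Get-ADComputer -Identity $env:COMPUTERNAME
$inAd = @(Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
    -Filter 'objectClass -eq "msFVE-RecoveryInformation"')

foreach ($id in $protectorIds) {
    $found = $inAd | Where-Object { $_.Name -like "*$id*" }
    '{0}  {1}' -f $id, $(if ($found) { 'backed up to AD' }
                         else { 'NOT in AD: fix policy, then manage-bde -protectors -adbackup' })
}
```

An empty $inAd with protectors present can also mean the account lacks read rights on the computer's child objects, the second cause named in the accepted solution, so run it with an account that has rights on that OU before concluding the backup failed.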