Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.
Searches for BitLocker Recovery Information using BitLocker Recovery Password Viewer Add-in option in Active Directory Users and Computers return no results. However, you are able to right-click the computer object and select the BitLocker Recovery Tab and to view the proper information (figure 1) and able to use Get-BitlockerRecoveryInfo.vbs to retrieve the recovery information from AD (figure 2) (See Reference section below for additional information)
Figure 1
Figure 2
The environment has or had a Windows 2000 or 2003 domain running with both domain function level (DFL) and forest function level (FFL) at 0 (Windows 2000) or DFL at 2 (Windows 2003) and FFL at 0. The Active Directory Schema has been extended via adprep /forestprep command to import the schema extensions for 2008 or 2008 R2. (See Reference section below for additional information)
During the 2008/2008 R2 import, specific BitLocker schema attributes were not properly set to replicate to the Global Catalog with the isMemberOfPartialAttributeSet: TRUE flag, specifically the ms-FVE-RecoveryGuid attribute. This is caused by the schema being extended to 2008 or R2 without the FFL being raised to Windows 2003 prior to the import. The FFL must be 2003 for the PAS.LDF schema extension to be imported. The PAS.LDF extension contains 2 attributes related to BitLocker and is included in the support folder of the standard installation media for 2008 or R2.
We can confirm this by exporting out the schema to a text file called out.txt by the following command (modifying the domain as needed):
ldifde -f out.txt -d CN=Schema,CN=configuration,DC=contoso,DC=com -r "(objectClass=*)" -p subtree
Confirming the file out.txt does not contain the attribute isMemberOfPartialAttributeSet attribute for ms-FVE-RecoveryGuid
Below is a chart outlining DFL/FFL scenarios and the resultant state of the ms-FVE-RecoveryGuid attribute.
Domain Functional Level (Prior to schema extension) | Forest Functional Level (Prior to schema extension) | ms-FVE-RecoveryGuid attribute updated properly with isMemberOfPartialAttributeSet: TRUE flag |
Windows Server 2000 | Windows Server 2000 | Not Set |
Windows Server 2003 | Windows Server 2000 | Not Set |
Windows Server 2003 | Windows Server 2003 | Set |
Method 1
- Open the Active Directory Schema console (See Reference section below for additional information)
- Navigate to Attributes and locate the msFVE-RecoveryGuid (Note spelling)
- Enable “Replicate this attribute to the Global Catalog” (figure 3)
- Click Ok
- Right-click Active Directory Schema and select Reload the Schema (figure 4) (See Reference section below for additional information)
- Retest BitLocker Search
Figure 3
Figure 4
Method 2
- Import the PAS.LDF
a. Open command prompt
b. Navigate to PAS.LDF directory (schema extension can be found on 2008 or 2008 R2 media)
c. Run following command (Replace domain specific information as needed)
ldifde -i -v -f PAS.ldf -c "DC=X" "DC=contoso,dc=com" -k -j .
- Follow instructions above to reload the Active Directory schema
- Please note that it is expected that the above import will give an error similar to the one below:
Add error on line 58: Unwilling To Perform
The server side error is "The search flags for the attribute are invalid. The ANR bit is valid only on attributes of Unicode or Teletex strings."
9 entries modified successfully.
An error has occurred in the program
Manually importing the BitLocker Schema extension BitLockerTPMSchemaExtension.ldf (See Reference section below for additional information) when environment is in state, will result in error similar to below:
Add error on line 223: Unwilling To Perform
The server side error is "The search flags for the attribute are invalid. The ANR bit is valid only on attributes of Unicode or Teletex strings."
5 entries modified successfully.
An error has occurred in the program
Reference
BitLocker Recovery Password Viewer for Active Directory
http://technet.microsoft.com/en-us/library/dd875531(WS.10).aspx
BitLocker Drive Encryption Configuration Guide: Backing Up BitLocker and TPM Recovery Information to Active Directory
http://technet.microsoft.com/en-us/library/cc766015(WS.10).aspx
Active Directory Functional Levels Technical Reference
http://technet.microsoft.com/en-us/library/cc757019(WS.10).aspx
How to raise Active Directory domain and forest functional levels
http://support.microsoft.com/kb/322692
Install the Active Directory Schema snap-in
http://technet.microsoft.com/en-us/library/cc755885(WS.10).aspx
Add an attribute to the global catalog
http://technet.microsoft.com/en-us/library/cc737521(WS.10).aspx
Reload the schema
http://technet.microsoft.com/en-us/library/cc756742(WS.10).aspx
Appendix D: BitLockerTPMSchemaExtension.ldf File Contents
http://technet.microsoft.com/en-us/library/cc766251(WS.10).aspx
Keywords: vkball, kb