
You receive an error message when you update the schema to enable BitLocker Drive Encryption recovery information in an Active Directory forest



In an Active Directory forest, you update the schema to enable BitLocker Drive Encryption recovery information. However, when you use the BitLockerTPMSchemaExtension.ldf file to update the schema, you receive the following error message:
12: CN=ms-TPM-OwnerInformation,CN=Schema,CN=Configuration,DC=ANRCheck, DC=nttest, DC=microsoft, DC=com
Entry DN: CN=ms-TPM-OwnerInformation,CN=Schema,CN=Configuration,DC=ANRCheck, DC=nttest, DC=microsoft, DC=com
changetype: modify
Attribute 0) searchFlags:152

Add error on line 203: Unwilling To Perform
The server side error is "The search flags for the attribute are invalid. The ANR bit is valid only on attributes of Unicode or Teletex strings."
5 entries modified successfully.
An error has occurred in the program
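As an added example (not part of the original KB article or of Microsoft's tooling), this Python script reads LDIF modify records, decodes each searchFlags value into the Active Directory searchFlags bit names, and reports whether the ANR bit is set. The sample LDIF, its DC=X suffix and the second attribute name are constructed for illustration; folded LDIF lines are not handled.

```python
import re

# Active Directory searchFlags bit names, listed from bit 0 (value 1) to bit 9 (value 512).
FLAG_NAMES = ["fATTINDEX", "fPDNTATTINDEX", "fANR", "fPRESERVEONDELETE", "fCOPY",
              "fTUPLEINDEX", "fSUBTREEATTINDEX", "fCONFIDENTIAL",
              "fNEVERVALUEAUDIT", "fRODCFilteredAttribute"]
ANR_BIT = 0x004

# Constructed sample input: the first record mirrors the entry in the error message,
# the second is a hypothetical attribute that really does set the ANR bit.
SAMPLE_LDIF = """\
dn: CN=ms-TPM-OwnerInformation,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: searchFlags
searchFlags: 152
-

dn: CN=Example-Attribute,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: searchFlags
searchFlags: 5
-
"""

def decode_search_flags(value):
    """Return the names of the bits set in a searchFlags integer."""
    names = [name for bit, name in enumerate(FLAG_NAMES) if (value >> bit) & 1]
    unknown = value >> len(FLAG_NAMES) << len(FLAG_NAMES)
    if unknown:
        names.append(f"unknown(0x{unknown:x})")
    return names

def audit_ldif(text):
    """Return (dn, value, flag names, anr_set) for each record that sets searchFlags."""
    results = []
    for record in re.split(r"\n\s*\n", text.strip()):
        dn = re.search(r"^dn:[ \t]*(.+)$", record, re.M | re.I)
        flags = re.search(r"^searchFlags:[ \t]*(\d+)[ \t]*$", record, re.M | re.I)
        if dn and flags:
            value = int(flags.group(1))
            results.append((dn.group(1).strip(), value,
                            decode_search_flags(value), bool(value & ANR_BIT)))
    return results

if __name__ == "__main__":
    for dn, value, names, anr in audit_ldif(SAMPLE_LDIF):
        print(f"{dn}\n  searchFlags={value} (0x{value:x}): {', '.join(names)}; ANR set: {anr}")
```

For the value in the error message above, 152 decodes to fPRESERVEONDELETE (8), fCOPY (16) and fCONFIDENTIAL (128); the ANR bit (4) is not among them.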



This problem occurs if the following conditions are true:
  • The Active Directory forest in which you are updating the schema contains domain controllers that are running Windows Server 2008.
  • The domain controller that serves as the schema master is running Microsoft Windows Server 2003.



If the domain controller is running the Beta 3 release of Windows Server 2008 or a later version, you do not have to use the BitLockerTPMSchemaExtension.ldf file to update the schema. Windows Server 2008 includes the necessary schema updates to support BitLocker Drive Encryption.

If the domain controller is running a version of Windows Server 2008 that is earlier than Beta 3, transfer the schema master role to a domain controller that is running Windows Server 2008. Then, reapply the schema updates. For more information about how to transfer the schema master role, click the following article number to view the article in the Microsoft Knowledge Base:
324801 How to view and transfer FSMO roles in Windows Server 2003



Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.


More information

To obtain the BitLockerTPMSchemaExtension.ldf file, visit the following Microsoft Web site:

After you update the Active Directory schema to support BitLocker Drive Encryption, you can back up the recovery information for BitLocker Drive Encryption in Active Directory. For more information, visit the following Microsoft TechNet Web site:


Keywords: kberrmsg, kbtshoot, kbprb, kbexpertiseinter, KB936121


Article Info
Article ID : 936121
Revision : 5
Created on : 10/11/2007
Published on : 10/11/2007