By Kyle Beckman
If you installed a Domain Controller running Windows Server 2008 Beta 3 or later (Yes, this was taken directly from Microsoft documentation… I hope you didn’t have a DC running a beta product in your production Forest!), the required schema extensions here have already been performed.
Updating the Active Directory Schema for BitLocker
You can check whether the attributes are available by running ADSI Edit and looking in the schema partition for the BitLocker recovery object CN=ms-FVE-RecoveryInformation. The two screenshots below show what you will see: screenshot 1 is a Windows Server 2003 R2 SP2 Domain Controller; screenshot 2 is a Windows Server 2008 R2 SP2 Domain Controller. As you can see, the Server 2008 R2 DC has the required schema extensions and the Server 2003 R2 DC does not.
BitLocker Active Directory - Windows Server 2003 R2 DC Schema
BitLocker Active Directory - Windows 2008 R2 DC Schema
Assuming you need a schema update, run the command:
ldifde -i -v -f BitLockerTPMSchemaExtension.ldf -c "DC=X" "DC=atl,dc=trekker,dc=net" -k -j .
Just a few notes, since I have hit these snags just about every time I have done this. First, you obviously need to replace the domain (DC=atl,dc=trekker,dc=net) with your own domain's distinguished name; make sure you use the fully qualified domain name. Second, leave the DC=X option exactly as it is: the -c switch tells ldifde to replace the DC=X placeholder in the .ldf file with the distinguished name of your domain, so the placeholder has to match. Lastly, do not miss the trailing period (the argument to -j, which tells ldifde to write its log file to the current directory) or the command will fail. Assuming everything goes well, you should get a "The command has completed successfully." message. Checking in on my Windows Server 2003 R2 DC, you can see that the schema extensions are now part of AD:
BitLocker Active Directory - Windows Server 2003 R2 DC with Schema Update
Set ACE for Backing up TPM Information
If you want to back up TPM owner information, you will need to add an additional access control entry (ACE). To do so, run the following command:
Hopefully, you’ll get the same success message I got:
Bitlocker Active Directory - ACE Update Success
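Rather than clicking through ADSI Edit before and after the schema import, the check above (and the ACE step) can be scripted. The following PowerShell is an added example, not code from the original post or from Microsoft: it verifies that the BitLocker and TPM schema objects exist and that the Computer class carries a SELF write ACE for ms-TPM-OwnerInformation. It assumes the RSAT ActiveDirectory module is installed, that the account running it can read the schema partition, and that the ACE was applied to the Computer class defaultSecurityDescriptor (so it only governs computer objects created after the change; existing computer objects would need to be inspected individually).

```powershell
# Added example (not from the original post): verify the BitLocker/TPM schema
# extensions and the TPM self-write ACE with the ActiveDirectory module.
# Assumptions: RSAT ActiveDirectory module present; read access to the schema NC.
Import-Module ActiveDirectory

$schemaNC = (Get-ADRootDSE).schemaNamingContext

# Schema objects that BitLockerTPMSchemaExtension.ldf is expected to add.
$required = @(
    'ms-FVE-RecoveryInformation',   # class that holds each recovery entry
    'ms-FVE-RecoveryPassword',
    'ms-FVE-RecoveryGuid',
    'ms-FVE-VolumeGuid',
    'ms-FVE-KeyPackage',
    'ms-TPM-OwnerInformation'       # attribute on computer objects
)

function Test-BitLockerSchema {
    $missing = foreach ($cn in $required) {
        $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(cn=$cn)" -ErrorAction SilentlyContinue
        if (-not $obj) { $cn }
    }
    if ($missing) {
        Write-Warning ("Schema is missing: " + ($missing -join ', ') + " - run the ldifde import.")
        return $false
    }
    Write-Host 'All BitLocker/TPM schema objects are present.'
    return $true
}

function Test-TpmSelfWriteAce {
    # Assumption: the ACE lives in the Computer class defaultSecurityDescriptor.
    $attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(cn=ms-TPM-OwnerInformation)' `
        -Properties schemaIDGUID -ErrorAction SilentlyContinue
    if (-not $attr) { Write-Warning 'ms-TPM-OwnerInformation is not in the schema.'; return $false }
    $tpmGuid = New-Object System.Guid -ArgumentList @(,$attr.schemaIDGUID)

    $computerClass = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(cn=Computer)' `
        -Properties defaultSecurityDescriptor
    $sd = New-Object System.DirectoryServices.ActiveDirectorySecurity
    $sd.SetSecurityDescriptorSddlForm($computerClass.defaultSecurityDescriptor)

    # S-1-5-10 is NT AUTHORITY\SELF ("PS" in SDDL); we want WriteProperty on the TPM attribute.
    $ace = $sd.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.IdentityReference.Value -eq 'S-1-5-10' -and
            $_.ObjectType -eq $tpmGuid -and
            $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::WriteProperty)
        }
    if ($ace) { Write-Host 'SELF write ACE for ms-TPM-OwnerInformation is present.'; return $true }
    Write-Warning 'No SELF write ACE for ms-TPM-OwnerInformation in the Computer class default SD.'
    return $false
}

Test-BitLockerSchema
Test-TpmSelfWriteAce
```

Run it once before the ldifde import to confirm the schema really needs updating, and again afterwards to confirm both the new classes and the ACE landed; if the ACE check fails while the schema check passes, the second ldifde step (the ACE import) is the one to revisit.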
Installing the BitLocker Password Recovery Viewer
To view your BitLocker recovery information in Active Directory, you will need to install the BitLocker Password Recovery Viewer. The BitLocker Password Recovery Viewer is essentially a plugin for Active Directory Users and Computers that adds an extra tab to any computer object's properties. Like any other feature of Windows Server, the BitLocker Password Recovery Viewer must be turned on in Server Manager. In Server Manager, go to Features (in the left-hand column) and click Add Features.
BitLocker Active Directory - Server Manager Add Feature
In the Add Features Wizard, scroll down to Remote Server Administration Tools, Feature Administration Tools, BitLocker Drive Encryption Administration Utilities, check BitLocker Recovery Password Viewer, click Next, and click Install.
BitLocker Active Directory - Add Features Wizard
Now, go into Active Directory Users and Computers. Find any computer object and double-click on it to open the Properties. You should now see a BitLocker Recovery tab in the Computer Properties.
BitLocker Active Directory - ADUC Comp Properties with BitLocker Tab
Note: The instructions above are for Windows Server 2008 R2. If you are managing your Active Directory from a Windows 7 workstation, first install the Remote Server Administration Tools (http://www.microsoft.com/download/en/details.aspx?id=7887) if you do not already have them. Next, go to Control Panel, Programs and Features, Turn Windows features on or off. Scroll down to Remote Server Administration Tools, Feature Administration Tools, check BitLocker Password Recovery Viewer, and click OK to install.
BitLocker Password Recovery Viewer
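The Recovery Password Viewer tab reads the ms-FVE-RecoveryInformation objects that BitLocker stores underneath each computer object. The PowerShell below is an added example (not from the original post or from Microsoft) that does the same from the command line and, more usefully for an audit, lists the computers that have no recovery information escrowed at all. It assumes the RSAT ActiveDirectory module, the schema extensions described above, and an account permitted to read the recovery attributes; the computer name WORKSTATION01 in the usage lines is a constructed placeholder.

```powershell
# Added example (not from the original post): read BitLocker recovery objects
# from AD and find computers with nothing escrowed.
# Assumptions: RSAT ActiveDirectory module; schema extended as described above.
Import-Module ActiveDirectory

function Get-BitLockerRecoveryInfo {
    param([Parameter(Mandatory)][string]$ComputerName)

    $computer = Get-ADComputer -Identity $ComputerName
    # Recovery objects are direct children of the computer object; the CN begins
    # with the backup timestamp and ends with the recovery password ID in braces.
    Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
        -LDAPFilter '(objectClass=msFVE-RecoveryInformation)' `
        -Properties 'msFVE-RecoveryPassword', 'msFVE-RecoveryGuid', 'msFVE-VolumeGuid', whenCreated |
    ForEach-Object {
        [pscustomobject]@{
            Computer     = $computer.Name
            BackedUp     = $_.whenCreated
            # The GUIDs are stored as octet strings; the password ID is what the
            # recovery screen shows the user, so it is the value to match on.
            PasswordId   = (New-Object System.Guid -ArgumentList @(,$_.'msFVE-RecoveryGuid')).Guid
            VolumeId     = (New-Object System.Guid -ArgumentList @(,$_.'msFVE-VolumeGuid')).Guid
            RecoveryPass = $_.'msFVE-RecoveryPassword'
        }
    }
}

function Get-ComputersWithoutRecoveryInfo {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    Get-ADComputer -Filter 'OperatingSystem -like "Windows*"' -SearchBase $SearchBase `
        -Properties OperatingSystem |
    Where-Object {
        # One child recovery object is enough to count as escrowed.
        -not (Get-ADObject -SearchBase $_.DistinguishedName -SearchScope OneLevel `
                -LDAPFilter '(objectClass=msFVE-RecoveryInformation)' -ResultSetSize 1)
    } |
    Select-Object Name, OperatingSystem, DistinguishedName
}

# Usage (WORKSTATION01 is a constructed placeholder):
# Get-BitLockerRecoveryInfo -ComputerName 'WORKSTATION01' | Format-List
# Get-ComputersWithoutRecoveryInfo | Format-Table -AutoSize
```

The second function is the one worth scheduling: a computer that has BitLocker turned on but no recovery object in AD is a machine whose data cannot be recovered if the TPM or PIN fails, and it usually means the backup-to-AD Group Policy was applied after encryption rather than before.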