Backup BitLocker recovery key to Active Directory Domain Services (Vista RC1 5728)

  • Question

  • I want to back up the BitLocker recovery key to Active Directory Domain Services, but some errors appeared.

    First I installed Vista RC1 and joined the client to the domain; the server is Windows Server 2003 with SP1.

    Then I edited Group Policy in Vista RC1 (using the command "gpedit.msc"; the tree path is "Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption")

    and enabled the setting "Turn on BitLocker backup to Active Directory Domain Services".

    In Group Policy, I also enabled the setting "Turn on TPM backup to Active Directory Domain Services".

    But when I entered Control Panel / BitLocker Drive Encryption and clicked "Turn on BitLocker", Vista showed an error message: "Cannot run. The Active Directory Domain Services forest does not contain the required attributes and classes to host BitLocker Drive Encryption or Trusted Platform Module information."

    Could anyone help me? How do I solve the problem? I would appreciate it.

    Friday, October 13, 2006 8:39 AM

Answers

  • This issue is fixed in RTM, or build 6000.
    Saturday, February 10, 2007 11:27 AM

All replies

  • I think you answered your own question!

    "Cannot run. The Active Directory Domain Services forest does not contain the required attributes and classes to host BitLocker Drive Encryption or Trusted Platform Module information."

    In order to administer BitLocker and some advanced Wi-Fi features in Vista you have to upgrade the AD schema to include the necessary classes and attributes... You will then have to use a Vista machine to administer AD, as XP workstations will start throwing up errors because they don't 'understand' the updated schema objects.

    If you are playing/testing then fine, but DO NOT try this at work - unless you are the only Enterprise Admin!

    Friday, October 13, 2006 11:43 AM
  • Mayanweb, thanks for your reply, but I do not know how to "upgrade the AD schema to include the necessary classes and attributes". Should I change or update a setting in Windows Server 2003?

    You say "You will then have to use a Vista machine to administer AD as XP workstations will start throwing up errors as they don't 'understand' the updated schema objects." I am also puzzled by this; could you explain in detail? The Vista machine is a client, and I have joined it to the domain.

    Saturday, October 14, 2006 3:21 PM
  • Microsoft will provide an "Add-WriteACEs.vbs" script file that will extend the Active Directory schema.
    However, I think there is already some documentation regarding the schema extension, and if you can't wait for the script, you can implement the extensions yourself (which is very, very risky!).

    The extension will let you store the bitlocker recovery information data....

    Hope this helped. If you find out anything, please post your info as well.  Thank you.

    Wednesday, October 25, 2006 9:47 AM
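The error in the first post and the two replies about the schema extension come down to one question: does the forest schema already contain the BitLocker and TPM classes and attributes, and has the policy on the client actually taken effect? The PowerShell below is an added example written for this page; it is not the Add-WriteACEs.vbs script mentioned in the thread and not Microsoft's code. It assumes it is run on a domain-joined Windows computer by a user who can read the schema partition, and it uses only the well-known ldapDisplayName values of the BitLocker/TPM schema objects (msFVE-RecoveryInformation and friends) and the registry values the two Group Policy settings write under HKLM\SOFTWARE\Policies\Microsoft\FVE and \TPM. It deliberately never reads or prints msFVE-RecoveryPassword.

```powershell
# Added example (not from the thread): check the preconditions for BitLocker and
# TPM backup to AD DS on the computer this runs on.
$root      = [ADSI]"LDAP://RootDSE"
$schemaNC  = [string]$root.schemaNamingContext
$defaultNC = [string]$root.defaultNamingContext

# Schema objects that BitLocker and TPM backup need (ldapDisplayName values).
$required = @(
    'msFVE-RecoveryInformation',   # class: one object per recovery password
    'msFVE-RecoveryPassword',
    'msFVE-RecoveryGuid',
    'msFVE-VolumeGuid',
    'msFVE-KeyPackage',
    'msTPM-OwnerInformation'       # attribute stored on the computer object
)

function Test-SchemaObject {
    param([string]$LdapDisplayName)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$schemaNC"
    $searcher.Filter = "(lDAPDisplayName=$LdapDisplayName)"
    $searcher.PropertiesToLoad.Add('lDAPDisplayName') | Out-Null
    return ($null -ne $searcher.FindOne())
}

$missing = $required | Where-Object { -not (Test-SchemaObject $_) }
if ($missing) {
    # This is the condition behind the "does not contain the required attributes
    # and classes" message quoted in the thread.
    Write-Warning "Schema is missing: $($missing -join ', '). Backup to AD DS will fail until the schema is extended."
} else {
    Write-Host "Schema contains all BitLocker/TPM backup classes and attributes."
}

# Policy state as written to the registry by the two Group Policy settings.
$fve = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
$tpm = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\TPM' -ErrorAction SilentlyContinue
"BitLocker AD backup enabled  : $($fve.ActiveDirectoryBackup)"
"BitLocker AD backup required : $($fve.RequireActiveDirectoryBackup)"
"TPM AD backup enabled        : $($tpm.ActiveDirectoryBackup)"

# Recovery objects already stored under this computer account (proof that a
# backup succeeded). Only names and GUIDs are listed, never the password.
$compSearcher = New-Object System.DirectoryServices.DirectorySearcher
$compSearcher.SearchRoot = [ADSI]"LDAP://$defaultNC"
$compSearcher.Filter = "(&(objectClass=computer)(sAMAccountName=$env:COMPUTERNAME`$))"
$computer = $compSearcher.FindOne()
if ($computer) {
    $recSearcher = New-Object System.DirectoryServices.DirectorySearcher
    $recSearcher.SearchRoot = $computer.GetDirectoryEntry()
    $recSearcher.Filter = '(objectClass=msFVE-RecoveryInformation)'
    $recSearcher.PropertiesToLoad.AddRange([string[]]@('name', 'msFVE-VolumeGuid'))
    $found = $recSearcher.FindAll()
    "Recovery objects under $($computer.Path): $($found.Count)"
    foreach ($r in $found) { "  " + $r.Properties['name'][0] }
} else {
    Write-Warning "Computer account for $env:COMPUTERNAME not found in $defaultNC."
}
```

If the schema check reports missing objects, the fix belongs on the domain side (extending the schema, as the replies say), not on the Vista client; once the schema and policy are in place, a volume that was already encrypted before backup was possible keeps its existing recovery password, so it is worth confirming afterwards that a recovery object for each volume actually appears under the computer account rather than assuming the policy did it.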
  • This issue is fixed in RTM, or build 6000.
    Saturday, February 10, 2007 11:27 AM