Unable to search for BitLocker Recovery Password via BitLocker Recovery Password Viewer


Symptoms


Searches for BitLocker recovery information using the BitLocker Recovery Password Viewer add-in option in Active Directory Users and Computers return no results. However, you can right-click the computer object, select the BitLocker Recovery tab and view the proper information (Figure 1), and you can use Get-BitlockerRecoveryInfo.vbs to retrieve the recovery information from AD (Figure 2). (See the Reference section below for additional information.)

Figure 1

Figure 2

Cause


The environment has or had a Windows 2000 or 2003 domain running with both the domain functional level (DFL) and the forest functional level (FFL) at 0 (Windows 2000), or with the DFL at 2 (Windows 2003) and the FFL at 0. The Active Directory schema has been extended with the adprep /forestprep command to import the schema extensions for Windows Server 2008 or 2008 R2. (See the Reference section below for additional information.)

During the 2008/2008 R2 schema import, specific BitLocker schema attributes, in particular ms-FVE-RecoveryGuid, were not marked for replication to the Global Catalog with the isMemberOfPartialAttributeSet: TRUE flag. This happens when the schema is extended to 2008 or 2008 R2 without first raising the FFL to Windows Server 2003: the FFL must be at Windows Server 2003 for the PAS.LDF schema extension to be imported. PAS.LDF contains two attributes related to BitLocker and is included in the support folder of the standard installation media for 2008 or 2008 R2.

We can confirm this by exporting the schema to a text file called out.txt with the following command (modifying the domain as needed):
ldifde -f out.txt -d CN=Schema,CN=configuration,DC=contoso,DC=com -r "(objectClass=*)" -p subtree

Then confirm that out.txt does not contain the isMemberOfPartialAttributeSet attribute for ms-FVE-RecoveryGuid.
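Checking out.txt by hand is error-prone on a large schema, so here is an added Python example (not part of the original article) that parses an ldifde export and reports which BitLocker schema attributes lack isMemberOfPartialAttributeSet: TRUE. The LDIF sample is constructed; msFVE-RecoveryPassword appears only as an unrelated control entry, and msFVE-KeyPackage in the optional required list is just another attribute name to check.

```python
# Constructed miniature of the out.txt export (added example, not the article's
# own data): ms-FVE-RecoveryGuid without the flag, i.e. the broken state, plus one
# unrelated entry. The folded adminDescription line exercises LDIF continuation.
SAMPLE_BROKEN = """\
dn: CN=ms-FVE-RecoveryGuid,CN=Schema,CN=Configuration,DC=contoso,DC=com
lDAPDisplayName: msFVE-RecoveryGuid
adminDescription: Constructed description of a Bit
 Locker recovery GUID

dn: CN=ms-FVE-RecoveryPassword,CN=Schema,CN=Configuration,DC=contoso,DC=com
lDAPDisplayName: msFVE-RecoveryPassword
"""
# The same export after Method 1 or Method 2 has set the flag.
SAMPLE_FIXED = SAMPLE_BROKEN.replace(
    "lDAPDisplayName: msFVE-RecoveryGuid\n",
    "lDAPDisplayName: msFVE-RecoveryGuid\nisMemberOfPartialAttributeSet: TRUE\n")


def parse_ldif(text):
    """Split LDIF text into entries (dict: attribute name -> list of values)."""
    # LDIF folds long values as newline + space; joining them first keeps each
    # attribute on one logical line (ldifde folds schemaIDGUID and the like).
    entries, current = [], {}
    for line in text.replace("\n ", "").splitlines():
        if not line.strip():                      # blank line ends an entry
            if current:
                entries.append(current)
            current = {}
        else:
            name, _, value = line.partition(":")  # "attr:: b64" keeps ": b64"
            current.setdefault(name.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def missing_gc_flag(ldif_text, required=("msFVE-RecoveryGuid",)):
    """Return the required attributes (matched case-insensitively on
    lDAPDisplayName) that lack isMemberOfPartialAttributeSet: TRUE or are
    absent from the export; an empty list means the GC search can work."""
    wanted = {name.lower(): name for name in required}
    flagged = set()
    for entry in parse_ldif(ldif_text):
        flags = {v.upper() for v in entry.get("isMemberOfPartialAttributeSet", [])}
        for disp in entry.get("lDAPDisplayName", []):
            if disp.lower() in wanted and "TRUE" in flags:
                flagged.add(disp.lower())
    return [wanted[k] for k in wanted if k not in flagged]
```

To use it against a real export, read out.txt (ldifde writes it as text) and pass the contents to missing_gc_flag; a non-empty result names the attributes that Method 1 or Method 2 below must fix.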

Below is a chart outlining DFL/FFL scenarios and the resultant state of the ms-FVE-RecoveryGuid attribute.

Domain Functional Level        Forest Functional Level        ms-FVE-RecoveryGuid updated properly with
(prior to schema extension)    (prior to schema extension)    isMemberOfPartialAttributeSet: TRUE flag
-----------------------------  -----------------------------  -----------------------------------------
Windows Server 2000            Windows Server 2000            Not Set
Windows Server 2003            Windows Server 2000            Not Set
Windows Server 2003            Windows Server 2003            Set


Resolution



Method 1

- Open the Active Directory Schema console (see the Reference section below for additional information)

- Navigate to Attributes and locate msFVE-RecoveryGuid (note the spelling: msFVE-RecoveryGuid, not ms-FVE-RecoveryGuid)

- Enable “Replicate this attribute to the Global Catalog” (Figure 3)

- Click OK

- Right-click Active Directory Schema and select Reload the Schema (Figure 4) (see the Reference section below for additional information)

- Retest the BitLocker search

Figure 3


Figure 4

Method 2

- Import PAS.LDF:

  a. Open a command prompt

  b. Navigate to the directory containing PAS.LDF (the schema extension can be found on the 2008 or 2008 R2 media)

  c. Run the following command (replace the domain-specific information as needed):
     ldifde -i -v -f PAS.ldf -c "DC=X" "DC=contoso,dc=com" -k -j .

- Follow the instructions in Method 1 above to reload the Active Directory schema

- Note that the import above is expected to give an error similar to the one below:


Add error on line 58: Unwilling To Perform

The server side error is "The search flags for the attribute are invalid. The ANR bit is valid only on attributes of Unicode or Teletex strings."

9 entries modified successfully.

An error has occurred in the program


More Information



Manually importing the BitLocker schema extension BitLockerTPMSchemaExtension.ldf (see the Reference section below for additional information) while the environment is in this state will result in an error similar to the one below:

Add error on line 223: Unwilling To Perform

The server side error is "The search flags for the attribute are invalid. The ANR bit is valid only on attributes of Unicode or Teletex strings."

5 entries modified successfully.

An error has occurred in the program

Reference

BitLocker Recovery Password Viewer for Active Directory
http://technet.microsoft.com/en-us/library/dd875531(WS.10).aspx

BitLocker Drive Encryption Configuration Guide: Backing Up BitLocker and TPM Recovery Information to Active Directory
http://technet.microsoft.com/en-us/library/cc766015(WS.10).aspx

Active Directory Functional Levels Technical Reference
http://technet.microsoft.com/en-us/library/cc757019(WS.10).aspx

How to raise Active Directory domain and forest functional levels
http://support.microsoft.com/kb/322692

Install the Active Directory Schema snap-in
http://technet.microsoft.com/en-us/library/cc755885(WS.10).aspx

Add an attribute to the global catalog
http://technet.microsoft.com/en-us/library/cc737521(WS.10).aspx

Reload the schema
http://technet.microsoft.com/en-us/library/cc756742(WS.10).aspx

Appendix D: BitLockerTPMSchemaExtension.ldf File Contents
http://technet.microsoft.com/en-us/library/cc766251(WS.10).aspx