Extending Active Directory Schema for Bitlocker recovery information

#1
Guest

Hi

I'm performing the BitLocker Active Directory schema extension with the commands and files described in the "Configuring Active Directory to Back up Windows BitLocker Drive Encryption and Trusted Platform Module Recovery Information". However ldifde stops at step 13 and gives the following error:

------------------------------------------------------------------------------------------------------------------------
13: CN=ms-TPM-OwnerInformation,CN=Schema,CN=Configuration,DC=testdomain,dc=com
Entry DN: CN=ms-TPM-OwnerInformation,CN=Schema,CN=Configuration,DC=testdomain,dc=com
changetype: modify
Attribute 0) searchFlags:152

Add error on line 223: Unwilling To Perform
The server side error is "The search flags for the attribute are invalid. The ANR bit is valid only on attributes of Unicode or Teletex strings."
6 entries modified successfully.
An error has occurred in the program
------------------------------------------------------------------------------------------------------------------------

Btw, line 223 in the ldif file is the first line above "13: CN=ms-TPM-OwnerInformation,CN..."

Anyone experienced this?

Thanks.

/Ragnar

#2
Guest

Your DC's at SP1?

#3
Guest

Yes, the environment meets all requirements as described in the documentation, including SP1 (I have R2)...

/Ragnar

#4
Guest

Hi,

Open the ADSI Edit (using adsiedit.msc) and check the availability of searchFlags and their Syntax & Value.

Schema --> CN=Schema, CN=configuration,DC=testdomain,dc=com. Right click and click Properties of the "CN=ms-TPM-OwnerInformation" object. The searchFlags Attribute Syntax should be "Integer" and their value should be 136 (which will be changed to 152).

Adam,
ADManager Plus Team.

#5
Guest

Hello

I checked (using adsiedit.msc) the searchFlags attribute for CN=ms-TPM-OwnerInformation. It said 152, however I'm unable to change to 136 or choose OK when 152 is the value. I then get the following error message: "The search flags for the attribute are invalid. The ANR bit is valid only on attributes of Unicode or Teletex strings."

When checking msdn the error code for this message is:
ERROR_DS_INVALID_SEARCH_FLAG
8500

I'm allowed to set the value to 1 and clear the value, but not set to 136 or 152.

The searchFlags attribute syntax is Integer.

Any ideas? Thanks!

/Ragnar

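Added example, not part of any post in this thread: a decoder for the searchFlags bitmask that reads the values out of an LDIF change file and shows which bits 152 and 136 actually set, plus which bits separate the values the server rejected from the ones it accepted. The flag short names, the function names and the second LDIF record are assumptions made for this example, and the LDIF text is a constructed sample modeled on the entry in the error output above.

```python
import re
from enum import IntFlag


class SearchFlags(IntFlag):
    """searchFlags bits of an attributeSchema object (short names chosen here)."""
    INDEX = 0x001               # build an index for the attribute
    CONTAINER_INDEX = 0x002     # build a per-container index
    ANR = 0x004                 # include in ambiguous name resolution
    PRESERVE_ON_DELETE = 0x008  # keep the value on the tombstone
    COPY = 0x010                # copy the value when the object is copied
    TUPLE_INDEX = 0x020         # tuple index for medial substring searches
    SUBTREE_INDEX = 0x040       # subtree index
    CONFIDENTIAL = 0x080        # confidential attribute (Windows Server 2003 SP1+)
    NEVER_AUDIT_VALUE = 0x100
    RODC_FILTERED = 0x200


KNOWN_MASK = sum(f.value for f in SearchFlags)


def decode(value):
    """Return the names of the bits set in a searchFlags integer."""
    names = [f.name for f in SearchFlags if value & f.value]
    unknown = value & ~KNOWN_MASK
    if unknown:
        names.append("UNKNOWN_0x%X" % unknown)
    return names


def search_flag_changes(ldif_text):
    """Extract (dn, searchFlags) pairs from LDIF text, honouring line folding."""
    unfolded = re.sub(r"\r?\n ", "", ldif_text)  # a leading space continues a line
    changes = []
    for record in re.split(r"\r?\n\s*\r?\n", unfolded.strip()):
        dn = None
        for line in record.splitlines():
            if line.startswith("#"):
                continue
            key, sep, val = line.partition(":")
            if not sep or val.startswith(":"):   # skip "-" and base64 values
                continue
            key, val = key.strip().lower(), val.strip()
            if key == "dn":
                dn = val
            elif key == "searchflags" and dn and val.isdigit():
                changes.append((dn, int(val)))
    return changes


def audit(ldif_text):
    """Decode every searchFlags change and mark the ones that set the ANR bit."""
    return [{"dn": dn, "value": value, "flags": decode(value),
             "sets_anr": bool(value & SearchFlags.ANR.value)}
            for dn, value in search_flag_changes(ldif_text)]


def suspect_bits(rejected, accepted):
    """Bits present in every rejected value and in none of the accepted ones."""
    if not rejected:
        return 0
    common = rejected[0]
    for value in rejected[1:]:
        common &= value
    for value in accepted:
        common &= ~value
    return common


# Constructed sample: the first record mirrors the failing entry in the thread,
# the second is a hypothetical attribute that really does set the ANR bit.
SAMPLE_LDIF = "\n".join([
    "# constructed sample for this example",
    "dn: CN=ms-TPM-OwnerInformation,CN=Schema,CN=Configuration,",
    " DC=testdomain,dc=com",
    "changetype: modify",
    "replace: searchFlags",
    "searchFlags: 152",
    "-",
    "",
    "dn: CN=Example-Alias,CN=Schema,CN=Configuration,DC=testdomain,dc=com",
    "changetype: modify",
    "replace: searchFlags",
    "searchFlags: 5",
    "-",
])

if __name__ == "__main__":
    for row in audit(SAMPLE_LDIF):
        print(row["value"], row["flags"], "ANR set" if row["sets_anr"] else "no ANR bit")
    # Values reported in the thread: 152 and 136 were rejected, 1 and 0 accepted.
    print("suspect bits:", decode(suspect_bits([152, 136], [1, 0])))
```

Neither 152 nor 136 contains the ANR bit (4), so the bit named in the server's message is not in the value being written; the bits shared by both rejected values are the ones worth checking against the schema master's capabilities.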
#6
Guest

Hello Ragnar,

Thank you for using newsgroup!

From your post, you are following the guide article from our website to configure Active Directory to back up Windows BitLocker drive encryption. You are encountering an issue when you follow these steps. Please understand these steps are tested in our original test environment not in your specific environment. Therefore, we suspect this issue may be related to your specific AD environment. For this kind of issue, I'd like to suggest you try the following channels to obtain effective assistance:

Channel 1:
You may also post to the security newsgroup to see if they have any information to share with you:
microsoft.private.directaccess.security

This is a more appropriate forum for your question where you will get the most qualified pool of respondents and other partners in the newsgroups who can either share their knowledge or learn from your interaction with us.

Channel 2:
Please understand if the issue only occurs in your environment, this may be a complex issue and need more time to troubleshoot this issue. Therefore, please contact our CSS to support this kind of issue. For a complete list of Microsoft Customer Service and Support (CSS) phone numbers and information about support costs, please go to the following address on the World Wide Web:
http://support.microsoft.com/directory/overview.asp

Thanks & Regards,

Ken Zhao

Microsoft Online Support
Microsoft Global Technical Support Center

Get Secure! - www.microsoft.com/security <http://www.microsoft.com/security>
====================================================
When responding to posts, please "Reply to Group" via your newsreader so that others may learn and benefit from your issue.
====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

#7
Guest

Thanks for your reply.

I don't really know where to find the microsoft.private.directaccess.security newsgroup. Is it available for Technet Plus subscribers?

/Ragnar

#8
Guest

Hi Ragnar,

You may contact Microsoft Customer Service and Support (CSS). For the security newsgroup, it is for Microsoft Partner that need user account and password.

Thanks & Regards,

Ken Zhao

Microsoft Online Support
Microsoft Global Technical Support Center