Tuesday, April 3, 2012

How do I use AD DS or Active Directory to back up BitLocker recovery information?

Active Directory Domain Services (AD DS) and Active Directory directory service can be used to store both BitLocker Drive Encryption recovery information and Trusted Platform Module (TPM) owner information.

Storage of BitLocker recovery information in AD DS or Active Directory

BitLocker recovery information is stored in a child object of a computer object in AD DS or Active Directory. That is, the computer object is the container for the BitLocker recovery object. More than one BitLocker recovery object can exist for each computer object because multiple BitLocker-enabled drives can be associated with a computer.
Each BitLocker recovery object (one per BitLocker-enabled drive) has a unique name and contains a globally unique identifier (GUID) for the recovery password. The name of the BitLocker recovery object is limited to 64 characters because of Active Directory constraints. This name incorporates the recovery password GUID as well as date and time information.
The form of the name is: <Object Creation Date and Time>{<Recovery Password GUID>}
For example: 2005-09-30T17:08:23-08:00{063EA4E1-220C-4293-BA01-4754620A96E7}
The Active Directory common name (CN) of the BitLocker recovery object class is ms-FVE-RecoveryInformation, and the object carries attributes such as ms-FVE-RecoveryPassword and ms-FVE-RecoveryGuid.

Storage of TPM owner information in AD DS or Active Directory

There is only one TPM owner password per computer; therefore, the hash of the TPM owner password is stored as an attribute of the computer object in AD DS or Active Directory. It is stored in Unicode. The attribute has the common name (CN) of ms-TPM-OwnerInformation.
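The naming scheme above and the one-attribute-per-computer TPM storage can be checked from an administrative workstation. The following PowerShell is an added example written for this post, not code from the original article or from Microsoft. It assumes the RSAT ActiveDirectory module is available and that the account running it may list the recovery child objects of computer accounts; the LDAP display names it queries (msFVE-RecoveryInformation, msTPM-OwnerInformation) are the schema names behind the common names given in the text. It deliberately never reads ms-FVE-RecoveryPassword: for an escrow audit the presence of the object and its GUID is enough, and the password attribute should stay confidential.

```powershell
# Added example (not part of the original post): audit BitLocker/TPM escrow in AD DS.
# Assumes the ActiveDirectory module (RSAT) and permission to list the
# msFVE-RecoveryInformation children of computer objects. The recovery password
# attribute itself is never requested.
#Requires -Modules ActiveDirectory

function Parse-BitLockerRecoveryObjectName {
    <#
    Splits a recovery object name of the form
        <Object Creation Date and Time>{<Recovery Password GUID>}
    e.g. 2005-09-30T17:08:23-08:00{063EA4E1-220C-4293-BA01-4754620A96E7}
    into its creation timestamp and recovery password GUID.
    Returns $null when the name does not follow that format.
    #>
    param([Parameter(Mandatory)][string]$Name)

    # Active Directory limits the object name to 64 characters.
    if ($Name.Length -gt 64) { return $null }

    $pattern = '^(?<created>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}[+-]\d{2}:\d{2})' +
               '\{(?<guid>[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}$'
    if ($Name -notmatch $pattern) { return $null }

    [pscustomobject]@{
        Created              = [DateTimeOffset]::Parse($Matches.created)
        RecoveryPasswordGuid = [guid]$Matches.guid
    }
}

function Get-BitLockerEscrowReport {
    <#
    For every computer under -SearchBase, emits one row per recovery object
    (one per protected volume) and whether the TPM owner information attribute
    is populated. Computers that yield a row with an empty RecoveryObjectName
    have nothing escrowed and cannot be recovered from AD.
    #>
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    $computers = Get-ADComputer -Filter * -SearchBase $SearchBase `
        -Properties 'msTPM-OwnerInformation'

    foreach ($c in $computers) {
        # The hash of the TPM owner password is a single attribute on the computer.
        $hasTpm = [bool]$c.'msTPM-OwnerInformation'

        # Recovery objects are children of the computer object: search one level down.
        $recovery = @(Get-ADObject -SearchBase $c.DistinguishedName -SearchScope OneLevel `
            -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
            -Properties 'whenCreated')

        if ($recovery.Count -eq 0) {
            [pscustomobject]@{
                Computer             = $c.Name
                HasTpmOwnerInfo      = $hasTpm
                RecoveryObjectName   = $null
                RecoveryPasswordGuid = $null
                Created              = $null
                NameMatchesFormat    = $false
            }
            continue
        }

        foreach ($r in $recovery) {
            $parsed  = Parse-BitLockerRecoveryObjectName -Name $r.Name
            $guid    = if ($parsed) { $parsed.RecoveryPasswordGuid } else { $null }
            $created = if ($parsed) { $parsed.Created } else { $r.whenCreated }
            [pscustomobject]@{
                Computer             = $c.Name
                HasTpmOwnerInfo      = $hasTpm
                RecoveryObjectName   = $r.Name
                RecoveryPasswordGuid = $guid
                Created              = $created
                NameMatchesFormat    = [bool]$parsed
            }
        }
    }
}

# Usage: Get-BitLockerEscrowReport | Where-Object { -not $_.RecoveryObjectName }
# lists computers with no escrowed recovery information.
```

Feeding the article's own example, `Parse-BitLockerRecoveryObjectName '2005-09-30T17:08:23-08:00{063EA4E1-220C-4293-BA01-4754620A96E7}'` returns a Created value of 30 September 2005 17:08:23 at offset -08:00 and the GUID 063ea4e1-220c-4293-ba01-4754620a96e7; the name is 63 characters, inside the 64-character limit. Rows where NameMatchesFormat is false point at objects that were not created by the standard backup path and are worth a closer look.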

Active Directory requirements

To store BitLocker and TPM information in AD DS or Active Directory, all domain controllers must be running Windows Server 2003 with Service Pack 1 or later. Schema extensions also need to be installed on servers running Windows Server 2003.

Step-by-step instructions

For step-by-step instructions for configuring Active Directory and Group Policy to support the storage of recovery and owner information, see BitLocker Drive Encryption Configuration Guide: Backing Up BitLocker and TPM Recovery Information to Active Directory (http://go.microsoft.com/fwlink/?LinkId=140308).