
What Not to Do With MBAM and Windows 2003 Domains

By Garth Jones

Several weeks ago I was doing some work with Microsoft BitLocker Administration and Monitoring (MBAM) and setting it up within one of my test labs. This test lab was running Windows Server 2003 as the Primary Domain Controller (PDC) and the language setting was English Canada. I’m telling you this now because you’ll understand why a bit later in this post.

With MBAM, you need an Active Directory (AD) schema change if you are running a Windows Server 2003 domain.

Here’s more information on the AD schema change: http://technet.microsoft.com/en-us/library/dd875529(v=WS.10).aspx

In the documentation at the above link there is a note that says:

“If you will use a domain controller running Windows Server 2003 with SP1 or SP2, you will need to apply the schema extension (BitLockerTPMSchemaExtension.ldf) to store BitLocker and TPM passwords in Active Directory. This file can be downloaded from the Configuring Active Directory to Back up Windows BitLocker Drive Encryption and Trusted Platform Module Recovery Information download page.”

http://www.microsoft.com/download/details.aspx?id=13432

Since the Primary Domain Controller (PDC) in this test lab is Windows 2003, I performed the schema change. Once it was done I reviewed the log files and everything looked great, so I forgot about it.

A week or two later I noticed some odd network issues. Since I was away from my office, I looked at this via the VPN. I noticed that there was a DNS issue, and upon researching this some more I noticed an AD issue. This AD issue led me directly to the Microsoft KB entitled “Error messages after you install the BitLocker Drive Encryption schema updates in a Windows Server 2003 domain.” http://support.microsoft.com/kb/932862

In this KB there is a note that says that if your domain’s language is set to English Canada you need to perform a few extra steps.

To keep this story short, this didn’t work for me, and finally I needed to move and seize the Flexible Single Master Operations (FSMO) roles. This is not a task that anyone wants to do, and they most certainly don’t want to do it while VPN’d into their lab. I waited until I got back to my office and spoke to my friend and AD expert Craig Baltzer @Bittacle.

Finally, I successfully moved and seized the FSMO roles and everything is good again!
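Two things in this story deserve a check rather than a glance at ldif.log: whether the BitLocker/TPM schema extension actually landed in the schema, and who holds the FSMO roles before and after any transfer or seize. The following PowerShell script is an added example, not code from the original post or from Microsoft; it reads the schema and the fSMORoleOwner attributes directly over LDAP with System.DirectoryServices, so it runs from any domain-joined Windows client against a Windows Server 2003 DC (the ActiveDirectory module would need ADWS or the AD Management Gateway Service installed on the DC). The .ldf path is an assumption, and the ldifde, repadmin and dcdiag invocations use only documented switches.

```powershell
# Added example (not from the original post): LDAP-level checks around the
# BitLocker/TPM schema extension and the FSMO roles in a Windows Server 2003
# domain. Assumption: the .ldf from the Microsoft download was saved here.
$LdfPath = 'C:\Temp\BitLockerTPMSchemaExtension.ldf'

$rootDse  = [ADSI]'LDAP://RootDSE'
$domainDn = $rootDse.defaultNamingContext.Value
$schemaDn = $rootDse.schemaNamingContext.Value
$configDn = $rootDse.configurationNamingContext.Value

# fSMORoleOwner holds the DN of a DC's NTDS Settings object; its parent is the
# server object, which carries the DC's DNS host name.
function Resolve-RoleOwner([string]$NtdsSettingsDn) {
    $serverDn = $NtdsSettingsDn -replace '^CN=NTDS Settings,', ''
    ([ADSI]"LDAP://$serverDn").dNSHostName.Value
}

# All five FSMO role holders, read from the objects that carry fSMORoleOwner.
# Run this before and after a transfer/seize and compare with 'netdom query fsmo'.
function Get-FsmoRoleHolders {
    $roleObjects = @{
        'PDC Emulator'   = $domainDn
        'RID Master'     = "CN=RID Manager`$,CN=System,$domainDn"
        'Infrastructure' = "CN=Infrastructure,$domainDn"
        'Schema Master'  = $schemaDn
        'Domain Naming'  = "CN=Partitions,$configDn"
    }
    foreach ($role in $roleObjects.Keys) {
        $owner = ([ADSI]"LDAP://$($roleObjects[$role])").fSMORoleOwner.Value
        New-Object PSObject -Property @{ Role = $role; Holder = (Resolve-RoleOwner $owner) }
    }
}

# Schema objects the BitLocker/TPM extension adds (lDAPDisplayName values as
# defined in the Windows Server 2008 schema). Anything missing means the .ldf
# was never imported, or was only partially applied.
$Expected = 'msFVE-RecoveryInformation', 'msFVE-RecoveryPassword',
            'msFVE-RecoveryGuid', 'msFVE-VolumeGuid', 'msFVE-KeyPackage',
            'msTPM-OwnerInformation'

function Get-MissingBitLockerSchema {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$schemaDn")
    $searcher.Filter   = '(|(lDAPDisplayName=msFVE-*)(lDAPDisplayName=msTPM-*))'
    $searcher.PageSize = 500
    [void]$searcher.PropertiesToLoad.Add('lDAPDisplayName')
    $present = @($searcher.FindAll() | ForEach-Object { $_.Properties['ldapdisplayname'][0] })
    $Expected | Where-Object { $present -notcontains $_ }
}

'--- FSMO role holders before any change ---'
Get-FsmoRoleHolders | Format-Table Role, Holder -AutoSize

$missing = @(Get-MissingBitLockerSchema)
if ($missing.Count -eq 0) {
    'BitLocker/TPM schema extension is already present; nothing to import.'
} else {
    "Missing schema objects: $($missing -join ', ')"
    # Schema writes only succeed on the schema master, so target it explicitly.
    $schemaOwner  = ([ADSI]"LDAP://$schemaDn").fSMORoleOwner.Value
    $schemaMaster = Resolve-RoleOwner $schemaOwner
    # -c rewrites the DC=X placeholder in the .ldf to the real domain DN,
    # -k continues past 'object already exists' errors,
    # -j puts ldif.log and ldif.err in the given directory.
    & ldifde -i -v -k -s $schemaMaster -f $LdfPath -c 'DC=X' $domainDn -j $env:TEMP
    if ($LASTEXITCODE -ne 0) { throw "ldifde failed; read $env:TEMP\ldif.err" }
    # Re-query instead of trusting the log: a clean ldif.log is not proof that
    # the new objects are in the schema on the DC you talk to.
    $stillMissing = @(Get-MissingBitLockerSchema)
    if ($stillMissing.Count) { throw "Import incomplete: $($stillMissing -join ', ')" }
}

# Replication and role-holder health (repadmin/dcdiag from Support Tools or
# RSAT). Repeat these a few days later: the trouble in this post only showed
# up a week or two after an import that looked fine in the logs.
& repadmin /showrepl
& dcdiag /test:Replications /test:FsmoCheck /test:KnowsOfRoleHolders
```

Two caveats that the script cannot enforce for you. First, the KB the post points to (932862) says the schema import needs extra steps on an English Canada domain; read it before running ldifde, not after the DNS and AD errors appear. Second, prefer transferring FSMO roles (ntdsutil `roles`, `transfer ...`) while the current holder is still online; seize only when the old holder is gone for good, and never bring a seized-from DC back onto the network afterwards.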

As a side note my friend Pierre Roman @pierreroman gave a presentation at TechEd called “DCIM-B367 It’s the End of the World As You Know It… Windows Server 2003 End of Life: Infrastructure Migration.” You can watch it on Channel 9, http://channel9.msdn.com/events/TechEd/NorthAmerica/2014/DCIM-B367#fbid=VOT7xNbvGnj.

Pierre will be happy to know that I no longer have my test lab running with Windows Server 2003!

Oops