Hello,
has anyone successfully stored BitLocker drive encryption recovery passwords for PCs in their Samba4 Active Directory?
I seem to be missing the BitLocker schema in my Samba4 Active Directory:
I'm using Samba version 4.8.5 and a Windows Server 2008 R2 functional domain.
However, I don't get any error messages when I try to save the key to Active Directory:
manage-bde.exe -protectors -adbackup C: -id {xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx}
BitLocker Drive Encryption: Configuration Tool Version 10.0.17134
Copyright (C) 2013 Microsoft Corporation. All rights reserved.
Recovery information has been successfully saved to Active Directory.
But no "BitLocker Recovery" tab appears in "Active Directory Users and Computers" from Windows for the machine in question, and nothing else appears with ldbedit on the machine either.
For your information, my Active Directory has been running on Samba since version 4.1 and has been updated over time, which might explain the absence of the BitLocker schema? It also has a basic 2003 functional domain upgraded to 2008R2.
On the Microsoft Active Directory side, the BitLocker schema could be added:
https://docs.microsoft.com/en-us/previo ... 5(v=ws.10)
But it's impossible to download the "BitLockerTPMSchemaExtension.ldf" schema to try adding it to my Active Directory:
https://kidcartouche.blogspot.com/2013/ ... amba4.html
Thank you in advance for your future replies,
Eric
Storing BitLocker encrypted recovery passwords in AD Samba4?
Good morning,
New developments:
=> I do have the BitLocker schema for my AD!
=> BitLocker passwords for encrypted machine volumes are indeed stored (provided that the GPO enabling BitLocker password storage on AD is applied)
=> I can also list all BitLocker passwords from the server
# ldbsearch -H /var/lib/samba/private/sam.ldb '(objectclass=msFVE-RecoveryInformation)' msFVE-RecoveryPassword
New passwords are therefore automatically stored in Active Directory as soon as a new volume on a domain PC is encrypted
Also from the machine by right-clicking "Enable BitLocker", then via the remote command line: manage-bde -on C: -RecoveryPassword -SkipHardwareTest -Cn ComputerName
However, I still don't have the "BitLocker Recovery" tab in the machine properties using the ADUC tools, whether on Windows 10 or Windows 7 (advanced features checked).
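Added example, not code from the thread: a small Python script that parses the LDIF that the ldbsearch command above prints and reports, per computer object, which recovery passwords are stored (masked, with a check that each value has the 48-digit format). It assumes the standard layout in which each msFVE-RecoveryInformation object is a child of its computer object, and it runs on a constructed sample rather than live output.

```python
import re
# A BitLocker numerical recovery password: 8 groups of 6 digits joined by '-'
RECOVERY_PW_RE = re.compile(r"^\d{6}(-\d{6}){7}$")

# Constructed sample in ldbsearch's LDIF output format (not real data); the second
# dn is folded the way ldb writes long lines (continuation starts with a space).
SAMPLE_LDIF = """\
# record 1
dn: CN=2019-02-11T09:31:07+01:00{5B3C9D1E-0000-4000-8000-000000000001},CN=PC01,OU=Workstations,DC=example,DC=lan
msFVE-RecoveryPassword: 123456-234567-345678-456789-567890-678901-789012-890123

# record 2
dn: CN=2019-03-09T08:00:00+01:00{5B3C9D1E-0000-4000-8000-000000000002},CN=PC02,
 OU=Workstations,DC=example,DC=lan
msFVE-RecoveryPassword: not-a-48-digit-password

# returned 2 records
"""

def parse_ldif(text):
    """LDIF -> list of {attribute: [values]}; unfolds continuation lines, skips '#' comments."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    records, current = [], {}
    for line in unfolded + [""]:  # trailing "" flushes the last record
        if not line.strip():
            if current:
                records.append(current)
                current = {}
        elif not line.startswith("#") and ":" in line:
            attr, value = line.split(":", 1)
            current.setdefault(attr, []).append(value.lstrip(": "))  # '::' (base64) left undecoded
    return records

def recovery_summary(text):
    """Per computer CN: each stored recovery password, masked, plus a format check.
    Recovery objects are children of the computer: CN=<time>{<guid>},CN=<computer>,..."""
    summary = {}
    for rec in parse_ldif(text):
        rdns = rec.get("dn", [""])[0].split(",")
        if len(rdns) < 2 or not rdns[1].upper().startswith("CN="):
            continue
        for pw in rec.get("msFVE-RecoveryPassword", []):
            summary.setdefault(rdns[1][3:], []).append(
                {"valid": bool(RECOVERY_PW_RE.match(pw)), "masked": "******-" * 7 + pw[-6:]})
    return summary
```

To run it over a live server, replace SAMPLE_LDIF with the output of the ldbsearch command from the post (for example read from standard input) and print recovery_summary's result.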
