BitLocker Drive Encryption and Active Directory
Hello, my name is Manoj Sehgal. I am a Senior Support Escalation Engineer in the Windows group and today’s blog will cover “BitLocker Drive Encryption and Active Directory”
BitLocker Recovery Information (msFVE-RecoveryInformation) can be backed up in Active Directory by configuring GPO for BitLocker.
BitLocker Recovery Information is stored as a child object of the computer object in AD.
To configure GPO, see the blog below: http://blogs.technet.com/b/askcore/archive/2010/02/16/cannot-save-recovery-information-for-bitlocker-in-windows-7.aspx
But there are some tasks, which a system administrator does related to computer objects in AD.
1. Rejoining a machine to the domain.
If you re-join a BitLocker Encrypted machine, to the domain, we do not touch the BitLocker Recovery Information (msFVE-RecoveryInformation attribute). The BitLocker Information remains the same.
You will still see the same BitLocker Recovery Information in AD for the computer object.
2. Renaming a computer which has BitLocker Drive Encryption
If you rename a computer which has BitLocker already turned ON, we do not touch the child objects or the BitLocker Recovery Information. The only key point is the all the BitLocker Recovery information (Recovery Keys) will be listed as child objects of the new computer object.
So when you want to search for Recovery Password for the computer object, use BitLocker Recovery Password Viewer. http://support.microsoft.com/kb/928202
3. Computer Object is deleted from Active Directory.
If you delete a computer object from AD, you will also delete the BitLocker Recovery Information which is a child object.
To restore the deleted computer object, you will have to use AD Restore Mode to retrieve the object
If you are using Windows 2008 R2, configure the AD Recycle Bin
Active Directory Recycle Bin helps minimize directory service downtime by enhancing your ability to preserve and restore accidentally deleted Active Directory objects without restoring Active Directory data from backups, restarting Active Directory Domain Services (AD DS), or rebooting domain controllers. http://technet.microsoft.com/en-us/library/dd392261(WS.10).aspx
I hope the above information would be useful to everyone. Thanks for your time to read the above information.
Senior Support Escalation Engineer
Microsoft Enterprise Platforms Support