Does anyone know whether it is possible to use a central recovery key database (and associated reporting etc.) that includes machines from two seperate domains in two different forests?
My customer has a domain from where they would like to centrally manage the resources from another domain in a seperate Forest and I wondered if this was supported within MBAM.
I can't see anything obvious in the documentation for MBAM so wondered if anyone out there knew if this was possible?Jonathan Conway | My blog: Conway's IT Blog | Twitter:
jonconwayuk | Linkedin:
Jonathan Conway
MCITP: Enterprise Administrator MCP MCSE 2003 MCTS SCCM 2007, Windows 7 Config & Deploying VCP

There is an amazing pack of free network admin tools. click here to download it

Hi,
Based on my understanding, Your purpose cannot be achieved.
Also, due to involving AD role, it is better to ask the issue in Server Forum.

http://social.technet.microsoft.com/Forums/en-US/winserversecurity/threads


Juke Chou
TechNet Subscriber Support
If you are
TechNet Subscription user and have any feedback on our support quality, please send your feedbackhere.Juke Chou
TechNet Community Support

Need to support users over the internet? click here try our remote control online beta

Hi,
Based on my understanding, Your purpose cannot be achieved.
Also, due to involving AD role, it is better to ask the issue in Server Forum.

http://social.technet.microsoft.com/Forums/en-US/winserversecurity/threads


Juke Chou
TechNet Subscriber Support
If you are
TechNet Subscription user and have any feedback on our support quality, please send your feedbackhere.


Juke Chou
TechNet Community Support



Hi Juke, thanks for your response.
Are you able to qualify your understanding of why this cannot be achieved as I need to make a design decision for this topic and would need some supporting information to justify the decision?
My question relates specifically to MBAM and not the AD role hence why I've asked it in the Windows 7 Security forum which seems to be the correct area for queries around the MDOP MBAM product.Jonathan Conway | My blog: Conway's IT Blog | Twitter:
jonconwayuk | Linkedin:
Jonathan Conway
MCITP: Enterprise Administrator MCP MCSE 2003 MCTS SCCM 2007, Windows 7 Config & Deploying VCP

Need to support users over the internet? click here try our remote control online beta

Hi,
Because MBAM needs Group Policy support. Also, when the clients send the Recovery Keys to Server for centralizing data, all the data is very sensitive so that it is encrypted, which is based on PKI.



Juke Chou
TechNet Community Support

There is an amazing pack of free network admin tools. click here to download it

Hi,
Because MBAM needs Group Policy support. Also, when the clients send the Recovery Keys to Server for centralizing data, all the data is very sensitive so that it is encrypted based on PKI.
Juke Chou
TechNet Community Support

Need to support users over the internet? click here try our remote control online beta

Hi,
Because MBAM needs Group Policy support. Also, when the clients send the Recovery Keys to Server for centralizing data, all the data is very sensitive so that it is encrypted based on PKI.



Juke Chou
TechNet Community Support



Group Policy - Domain A holds the root MBAM server. Domain B is the one I want to add so that it also utilises the MBAM server in domain A. If I configure the relevant GPO in domain B to point to the MBAM server in Domain A then no further configuration should
be required for GPO?
Certificates - As I understand it as long as the certificate for the MBAM server in Domain A is trusted in Domain B (and the firewall allows this communication) then there shouldn't a problem. Please let me know if this is inaccurate as I
am basing this on theory and not experience.
The goal behind all this is to allow centralised monitoring and administration of MBAM data for both domains if possible as this will help reduce complexity and centralise administration in our customers environment.Jonathan Conway | My blog: Conway's IT Blog | Twitter:
jonconwayuk | Linkedin:
Jonathan Conway
MCITP: Enterprise Administrator MCP MCSE 2003 MCTS SCCM 2007, Windows 7 Config & Deploying VCP

Need to support users over the internet? click here try our remote control online beta

Hi,
You cannot link a policy residing in another forest even if they are trusted.
Trust is only used for authentication of accessing the resource across forest.

I will involve a person who is familiar with MBAM to demonstrate this. So sorry for this.
Juke Chou
TechNet Community Support

There is an amazing pack of free network admin tools. click here to download it

Hi,
You cannot link a policy residing in another forest even if they are trusted.
Trust is only used for authentication of accessing the resource across forest.

I will involve a person who is familiar with MBAM to demonstrate this. So sorry for this.



Juke Chou
TechNet Community Support



Thanks again for your reply - I'm fully aware of how GPO and Ad Trusts works but what I'm suggesting is having a separate MBAM policy defined in Domain B which defines the details for the MBAM server in Domain A i.e. the MBAM Recovery and
Hardware service endpoint and MBAM compliance service endpoint etc.
If you are able to involve someone with more experience of MBAM then that would be great.Jonathan Conway | My blog: Conway's IT Blog | Twitter:
jonconwayuk | Linkedin:
Jonathan Conway
MCITP: Enterprise Administrator MCP MCSE 2003 MCTS SCCM 2007, Windows 7 Config & Deploying VCP

There is an amazing pack of free network admin tools. click here to download it

I think you can refer to the following Microsoft for some information:
Planning Guide:
http://onlinehelp.microsoft.com/en-us/mdop/hh285653.aspx

Deployment Guide:
http://onlinehelp.microsoft.com/en-us/mdop/hh285644.aspx

Operations Guide:
http://onlinehelp.microsoft.com/en-us/mdop/hh285664.aspx

Troubleshooting MBAM:
http://onlinehelp.microsoft.com/en-us/mdop/hh352745.aspx


Microsoft BitLocker Administration and Monitoring (MBAM) Documentation Resources Download Page

http://www.microsoft.com/download/en/details.aspx?id=27555

Thanks
Zero
Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

There is an amazing pack of free network admin tools. click here to download it

I think you can refer to the following Microsoft for some information:
Planning Guide:
http://onlinehelp.microsoft.com/en-us/mdop/hh285653.aspx

Deployment Guide:
http://onlinehelp.microsoft.com/en-us/mdop/hh285644.aspx

Operations Guide:
http://onlinehelp.microsoft.com/en-us/mdop/hh285664.aspx

Troubleshooting MBAM:
http://onlinehelp.microsoft.com/en-us/mdop/hh352745.aspx


Microsoft BitLocker Administration and Monitoring (MBAM) Documentation Resources Download Page

http://www.microsoft.com/download/en/details.aspx?id=27555



Thanks
Zero
Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.



Hi Zero - Thanks for your reply. I have read all of the documents listed and my particular scenario isn't covered in any of them to my knowledge.Jonathan Conway | My blog: Conway's IT Blog | Twitter:
jonconwayuk | Linkedin:
Jonathan Conway
MCITP: Enterprise Administrator MCP MCSE 2003 MCTS SCCM 2007, Windows 7 Config & Deploying VCP

Need to support users over the internet? click here try our remote control online beta

If it's not officially announced, then it's not supported officially. But some times it may work even not announced, but at your own risk for issues. So we usually would perform some tests for this kind of issues.
Also I have done some research and found the following information, not sure if you have checked them, hope they would be helpful to you:

2612822 Computer Record is Rejected in MBAM

http://support.microsoft.com/default.aspx?scid=kb;EN-US;2612822


2620280 Error message An error has occurred when you click the Hardware tab in MBAM

http://support.microsoft.com/default.aspx?scid=kb;EN-US;2620280


2620269 MBAM Enterprise Reporting Not Getting Updated

http://support.microsoft.com/default.aspx?scid=kb;EN-US;2620269


2620287 Error Message Server Error in /Reports Application When You Click Reports Tab in MBAM

http://support.microsoft.com/default.aspx?scid=kb;EN-US;2620287


2639518 Error opening Enterprise or Computer Compliance Reports in MBAM

http://support.microsoft.com/kb/2639518


2640178 MBAM fails to take ownership of TPM

http://support.microsoft.com/kb/2640178


2668170 MBAM Svclog files Filling Disk Space

http://support.microsoft.com/kb/2668170


2668508 MBAM Data Store Communication Failure when you click on MBAM Hardware

http://support.microsoft.com/kb/2668508


2668533 MBAM Setup fails if SQL SSRS is not configured properly

http://support.microsoft.com/kb/2668533



http://blogs.technet.com/b/askcore/archive/2011/07/27/mbam-setup-fails-with-sql-error-error-obtaining-a-certificate-protected-by-the-master-key.aspx



http://blogs.technet.com/b/askcore/archive/2011/08/04/how-to-verify-bitlocker-recovery-keys-in-sql-db-using-mbam.aspx



http://blogs.technet.com/b/deploymentguys/archive/2012/02/20/using-mbam-to-start-bitlocker-encryption-in-a-task-sequence.aspx

Thanks
Zero
Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

There is an amazing pack of free network admin tools. click here to download it