Managing Microsoft Bitlocker Administration & Monitoring (MBAM) Between Different Forests
Does anyone know whether it is possible to use a central recovery key database (and associated reporting etc.) that includes machines from two separate domains in two different forests? My customer has a domain from where they would like to centrally manage the resources from another domain in a separate forest and I wondered if this was supported within MBAM. I can't see anything obvious in the documentation for MBAM so wondered if anyone out there knew if this was possible?

Jonathan Conway | My blog: Conway's IT Blog | Twitter: jonconwayuk | Linkedin: Jonathan Conway MCITP: Enterprise Administrator MCP MCSE 2003 MCTS SCCM 2007, Windows 7 Config & Deploying VCP
June 8th, 2012 10:38am

Hi,

Based on my understanding, your purpose cannot be achieved. Also, because this involves the AD role, it is better to ask the question in the Server Forum: http://social.technet.microsoft.com/Forums/en-US/winserversecurity/threads

Juke Chou | TechNet Community Support
June 11th, 2012 5:40am

Hi Juke, thanks for your response. Are you able to qualify your understanding of why this cannot be achieved, as I need to make a design decision for this topic and would need some supporting information to justify the decision? My question relates specifically to MBAM and not the AD role, hence why I've asked it in the Windows 7 Security forum, which seems to be the correct area for queries around the MDOP MBAM product.

Jonathan Conway
June 11th, 2012 5:47am

> Hi, Because MBAM needs Group Policy support. Also, when the clients send the Recovery Keys to Server for centralizing data, all the data is very sensitive so that it is encrypted based on PKI.
> Juke Chou | TechNet Community Support

Group Policy - Domain A holds the root MBAM server. Domain B is the one I want to add so that it also utilises the MBAM server in Domain A. If I configure the relevant GPO in Domain B to point to the MBAM server in Domain A then no further configuration should be required for GPO?

Certificates - As I understand it, as long as the certificate for the MBAM server in Domain A is trusted in Domain B (and the firewall allows this communication) then there shouldn't be a problem.

Please let me know if this is inaccurate as I am basing this on theory and not experience. The goal behind all this is to allow centralised monitoring and administration of MBAM data for both domains if possible, as this will help reduce complexity and centralise administration in our customer's environment.

Jonathan Conway
June 11th, 2012 6:10am
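
The certificate-trust and firewall assumptions in the post above can be checked from a Domain B client before the design is committed. The following is an added example, not part of the thread and not Microsoft tooling; the function name and the endpoint URL are hypothetical, and it assumes the MBAM web services in Domain A are published over HTTPS.

```powershell
# Added example: run from a Domain B client. Endpoint URL below is a placeholder.
function Test-MbamEndpointTrust {
    param(
        [Parameter(Mandatory = $true)][uri]$Endpoint,   # hypothetical MBAM service URL
        [int]$TimeoutMs = 5000
    )
    # Filled in by the TLS validation callback below.
    $state  = @{ Errors = $null; Chain = @(); Cert = $null }
    $report = @{ Endpoint = $Endpoint.AbsoluteUri; TcpReachable = $false; Trusted = $false
                 Subject = $null; Issuer = $null; NotAfter = $null
                 PolicyErrors = $null; ChainStatus = @(); Failure = $null }

    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        # Firewall check: can this client open the service port at all?
        $pending = $tcp.BeginConnect($Endpoint.Host, $Endpoint.Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) { throw "TCP connect timed out" }
        $tcp.EndConnect($pending)
        $report.TcpReachable = $true

        # Record the verdict of this machine's trust store, but let the handshake
        # finish so the certificate can be inspected. No data is sent afterwards.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback] ({
            param($sender, $cert, $chain, $errors)
            $state.Errors = $errors
            $state.Chain  = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
            $state.Cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cert
            return $true
        }.GetNewClosure())
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($Endpoint.Host)   # host name is matched against the certificate
        $ssl.Close()

        $report.PolicyErrors = $state.Errors.ToString()
        $report.ChainStatus  = $state.Chain
        $report.Trusted      = ($state.Errors -eq [System.Net.Security.SslPolicyErrors]::None)
        $report.Subject      = $state.Cert.Subject
        $report.Issuer       = $state.Cert.Issuer
        $report.NotAfter     = $state.Cert.NotAfter
    }
    catch   { $report.Failure = $_.Exception.Message }
    finally { $tcp.Close() }
    New-Object PSObject -Property $report
}

# Placeholder host name, not taken from the thread:
# Test-MbamEndpointTrust -Endpoint 'https://mbam.domain-a.example/'
```

A `PolicyErrors` value of `RemoteCertificateChainErrors` with `UntrustedRoot` in `ChainStatus` means Domain A's issuing CA is not in the Domain B client's trusted roots; `RemoteCertificateNameMismatch` means the name placed in the policy does not match the certificate's subject names.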

Hi,

You cannot link a policy residing in another forest even if they are trusted. Trust is only used for authentication of accessing the resource across forest. I will involve a person who is familiar with MBAM to demonstrate this. So sorry for this.

Juke Chou | TechNet Community Support
June 12th, 2012 3:34am

Thanks again for your reply - I'm fully aware of how GPO and AD trusts work, but what I'm suggesting is having a separate MBAM policy defined in Domain B which defines the details for the MBAM server in Domain A, i.e. the MBAM Recovery and Hardware service endpoint and MBAM compliance service endpoint etc. If you are able to involve someone with more experience of MBAM then that would be great.

Jonathan Conway
June 12th, 2012 4:25am

I think you can refer to the following Microsoft resources for some information:

Planning Guide: http://onlinehelp.microsoft.com/en-us/mdop/hh285653.aspx
Deployment Guide: http://onlinehelp.microsoft.com/en-us/mdop/hh285644.aspx
Operations Guide: http://onlinehelp.microsoft.com/en-us/mdop/hh285664.aspx
Troubleshooting MBAM: http://onlinehelp.microsoft.com/en-us/mdop/hh352745.aspx
Microsoft BitLocker Administration and Monitoring (MBAM) Documentation Resources Download Page: http://www.microsoft.com/download/en/details.aspx?id=27555

Thanks
Zero
June 13th, 2012 7:39am

Hi Zero - Thanks for your reply. I have read all of the documents listed and my particular scenario isn't covered in any of them to my knowledge.

Jonathan Conway
June 13th, 2012 7:43am

If it's not officially announced, then it's not supported officially. But sometimes it may work even if not announced, but at your own risk for issues. So we usually would perform some tests for this kind of issue. Also I have done some research and found the following information, not sure if you have checked them, hope they would be helpful to you:

2612822 Computer Record is Rejected in MBAM: http://support.microsoft.com/default.aspx?scid=kb;EN-US;2612822
2620280 Error message "An error has occurred" when you click the Hardware tab in MBAM: http://support.microsoft.com/default.aspx?scid=kb;EN-US;2620280
2620269 MBAM Enterprise Reporting Not Getting Updated: http://support.microsoft.com/default.aspx?scid=kb;EN-US;2620269
2620287 Error Message "Server Error in /Reports Application" When You Click Reports Tab in MBAM: http://support.microsoft.com/default.aspx?scid=kb;EN-US;2620287
2639518 Error opening Enterprise or Computer Compliance Reports in MBAM: http://support.microsoft.com/kb/2639518
2640178 MBAM fails to take ownership of TPM: http://support.microsoft.com/kb/2640178
2668170 MBAM Svclog files Filling Disk Space: http://support.microsoft.com/kb/2668170
2668508 MBAM Data Store Communication Failure when you click on MBAM Hardware: http://support.microsoft.com/kb/2668508
2668533 MBAM Setup fails if SQL SSRS is not configured properly: http://support.microsoft.com/kb/2668533

http://blogs.technet.com/b/askcore/archive/2011/07/27/mbam-setup-fails-with-sql-error-error-obtaining-a-certificate-protected-by-the-master-key.aspx
http://blogs.technet.com/b/askcore/archive/2011/08/04/how-to-verify-bitlocker-recovery-keys-in-sql-db-using-mbam.aspx
http://blogs.technet.com/b/deploymentguys/archive/2012/02/20/using-mbam-to-start-bitlocker-encryption-in-a-task-sequence.aspx

Thanks
Zero
June 14th, 2012 6:55am


This topic is archived. No further replies will be accepted.
