Managing Microsoft BitLocker Administration & Monitoring (MBAM) Between Different Forests
Does anyone know whether it is possible to use a central recovery key database (and associated reporting etc.) that includes machines from two separate domains in two different forests?
My customer has a domain from where they would like to centrally manage the resources from another domain in a separate forest and I wondered if this was supported within MBAM.
I can't see anything obvious in the documentation for MBAM so wondered if anyone out there knew if this was possible?
Jonathan Conway | My blog: Conway's IT Blog | Twitter: jonconwayuk | Linkedin: Jonathan Conway
MCITP: Enterprise Administrator MCP MCSE 2003 MCTS SCCM 2007, Windows 7 Config & Deploying VCP
June 8th, 2012 10:38am
Hi,
Based on my understanding, your purpose cannot be achieved.
Also, due to involving AD role, it is better to ask the issue in Server Forum.
http://social.technet.microsoft.com/Forums/en-US/winserversecurity/threads
Juke Chou
TechNet Community Support
June 11th, 2012 5:40am
Hi Juke, thanks for your response.
Are you able to qualify your understanding of why this cannot be achieved as I need to make a design decision for this topic and would need some supporting information to justify the decision?
My question relates specifically to MBAM and not the AD role hence why I've asked it in the Windows 7 Security forum which seems to be the correct area for queries around the MDOP MBAM product.
Jonathan Conway
June 11th, 2012 5:47am
Hi,
Because MBAM needs Group Policy support. Also, when the clients send the Recovery Keys to Server for centralizing data, all the data is very sensitive so that it is encrypted based on PKI.
Juke Chou
TechNet Community Support
Group Policy - Domain A holds the root MBAM server. Domain B is the one I want to add so that it also utilises the MBAM server in domain A. If I configure the relevant GPO in domain B to point to the MBAM server in Domain A then no further configuration should be required for GPO?
Certificates - As I understand it as long as the certificate for the MBAM server in Domain A is trusted in Domain B (and the firewall allows this communication) then there shouldn't be a problem. Please let me know if this is inaccurate as I am basing this on theory and not experience.
The goal behind all this is to allow centralised monitoring and administration of MBAM data for both domains if possible as this will help reduce complexity and centralise administration in our customer's environment.
Jonathan Conway
June 11th, 2012 6:10am
Hi,
You cannot link a policy residing in another forest even if they are trusted.
Trust is only used for authentication of accessing the resource across forest.
I will involve a person who is familiar with MBAM to demonstrate this. So sorry for this.
Juke Chou
TechNet Community Support
June 12th, 2012 3:34am
Thanks again for your reply - I'm fully aware of how GPO and AD trusts work but what I'm suggesting is having a separate MBAM policy defined in Domain B which defines the details for the MBAM server in Domain A i.e. the MBAM Recovery and Hardware service endpoint and MBAM compliance service endpoint etc.
If you are able to involve someone with more experience of MBAM then that would be great.
Jonathan Conway
June 12th, 2012 4:25am
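Added example (not part of the original thread, and not Microsoft's code): a PowerShell check, run on a Domain B client, of the preconditions named in the two posts above: that the policy supplies the MBAM service endpoints, that the firewall lets the client reach them, and that the server certificate validates on that client. The registry key and value names are assumptions about where the MBAM client policy is stored, and `Test-MbamEndpoint` is a hypothetical helper name; a clean result does not show that the cross-forest setup is supported.

```powershell
# Added example. Assumption: the MBAM client policy values are stored under
# this key with these value names.
$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement'
$valueNames = 'KeyRecoveryServiceEndPoint', 'StatusReportingServiceEndpoint'

function Test-MbamEndpoint {
    param([string]$Setting, [string]$Url)

    $r = New-Object PSObject -Property @{
        Setting = $Setting; Url = $Url; Reachable = $false
        CertSubject = $null; TlsPolicyErrors = $null; Detail = $null
    }
    if (-not $Url) { $r.Detail = 'Policy value not set'; return $r }

    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $uri = [Uri]$Url
        $tcp.Connect($uri.Host, $uri.Port)      # throws if the port is blocked
        $r.Reachable = $true
        if ($uri.Scheme -eq 'https') {
            # Record validation errors instead of aborting, so they can be reported.
            $script:tlsErrors = $null
            $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
                param($s, $cert, $chain, $errors)
                $script:tlsErrors = $errors
                $true
            }
            $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
            $ssl.AuthenticateAsClient($uri.Host)
            $r.CertSubject     = $ssl.RemoteCertificate.Subject
            # 'None' means the chain is trusted on this client and the name matches.
            $r.TlsPolicyErrors = $script:tlsErrors
            $ssl.Dispose()
        } else {
            $r.Detail = 'Endpoint is plain HTTP; no certificate to validate'
        }
    }
    catch { $r.Detail = $_.Exception.Message }
    finally { $tcp.Close() }
    $r
}

# Read the endpoints the GPO delivered to this client and test each one.
$policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
foreach ($name in $valueNames) {
    Test-MbamEndpoint -Setting $name -Url $policy.$name
}
```

A `TlsPolicyErrors` value other than `None` on an HTTPS endpoint means the issuing CA for the Domain A server certificate is not trusted on the Domain B client, or the certificate name does not match the URL in the policy.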
I think you can refer to the following Microsoft for some information:
Planning Guide: http://onlinehelp.microsoft.com/en-us/mdop/hh285653.aspx
Deployment Guide: http://onlinehelp.microsoft.com/en-us/mdop/hh285644.aspx
Operations Guide: http://onlinehelp.microsoft.com/en-us/mdop/hh285664.aspx
Troubleshooting MBAM: http://onlinehelp.microsoft.com/en-us/mdop/hh352745.aspx
Microsoft BitLocker Administration and Monitoring (MBAM) Documentation Resources Download Page
http://www.microsoft.com/download/en/details.aspx?id=27555
Thanks
Zero
June 13th, 2012 7:39am
Hi Zero - Thanks for your reply. I have read all of the documents listed and my particular scenario isn't covered in any of them to my knowledge.
Jonathan Conway
June 13th, 2012 7:43am
If it's not officially announced, then it's not supported officially. But sometimes it may work even if not announced, but at your own risk for issues. So we usually would perform some tests for this kind of issue.
Also I have done some research and found the following information, not sure if you have checked them, hope they would be helpful to you:
2612822 Computer Record is Rejected in MBAM
http://support.microsoft.com/default.aspx?scid=kb;EN-US;2612822
2620280 Error message An error has occurred when you click the Hardware tab in MBAM
http://support.microsoft.com/default.aspx?scid=kb;EN-US;2620280
2620269 MBAM Enterprise Reporting Not Getting Updated
http://support.microsoft.com/default.aspx?scid=kb;EN-US;2620269
2620287 Error Message Server Error in /Reports Application When You Click Reports Tab in MBAM
http://support.microsoft.com/default.aspx?scid=kb;EN-US;2620287
2639518 Error opening Enterprise or Computer Compliance Reports in MBAM
http://support.microsoft.com/kb/2639518
2640178 MBAM fails to take ownership of TPM
http://support.microsoft.com/kb/2640178
2668170 MBAM Svclog files Filling Disk Space
http://support.microsoft.com/kb/2668170
2668508 MBAM Data Store Communication Failure when you click on MBAM Hardware
http://support.microsoft.com/kb/2668508
2668533 MBAM Setup fails if SQL SSRS is not configured properly
http://support.microsoft.com/kb/2668533
http://blogs.technet.com/b/askcore/archive/2011/07/27/mbam-setup-fails-with-sql-error-error-obtaining-a-certificate-protected-by-the-master-key.aspx
http://blogs.technet.com/b/askcore/archive/2011/08/04/how-to-verify-bitlocker-recovery-keys-in-sql-db-using-mbam.aspx
http://blogs.technet.com/b/deploymentguys/archive/2012/02/20/using-mbam-to-start-bitlocker-encryption-in-a-task-sequence.aspx
Thanks
Zero
June 14th, 2012 6:55am