Managing Microsoft Bitlocker Administration & Monitoring (MBAM) Between Different Forests
Does anyone know whether it is possible to use a central recovery key database (and associated reporting etc.) that includes machines from two separate domains in two different forests? My customer has a domain from where they would like to centrally manage the resources from another domain in a separate forest, and I wondered if this was supported within MBAM. I can't see anything obvious in the documentation for MBAM, so wondered if anyone out there knew if this was possible?

Jonathan Conway | My blog: Conway's IT Blog | Twitter: jonconwayuk | Linkedin: Jonathan Conway MCITP: Enterprise Administrator MCP MCSE 2003 MCTS SCCM 2007, Windows 7 Config & Deploying VCP
June 8th, 2012 10:38am

Hi, based on my understanding, your purpose cannot be achieved. Also, because this involves an AD role, it is better to ask the question in the Server forum: http://social.technet.microsoft.com/Forums/en-US/winserversecurity/threads

Juke Chou TechNet Subscriber Support
If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
Juke Chou TechNet Community Support
June 11th, 2012 5:40am

> Hi, based on my understanding, your purpose cannot be achieved. Also, because this involves an AD role, it is better to ask the question in the Server forum: http://social.technet.microsoft.com/Forums/en-US/winserversecurity/threads
> Juke Chou TechNet Subscriber Support
> If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
> Juke Chou TechNet Community Support

Hi Juke, thanks for your response. Are you able to qualify your understanding of why this cannot be achieved? I need to make a design decision on this topic and would need some supporting information to justify the decision. My question relates specifically to MBAM and not the AD role, hence why I've asked it in the Windows 7 Security forum, which seems to be the correct area for queries around the MDOP MBAM product.

Jonathan Conway | My blog: Conway's IT Blog | Twitter: jonconwayuk | Linkedin: Jonathan Conway MCITP: Enterprise Administrator MCP MCSE 2003 MCTS SCCM 2007, Windows 7 Config & Deploying VCP
June 11th, 2012 5:47am

> Hi, because MBAM needs Group Policy support. Also, when the clients send the recovery keys to the server for centralising data, all the data is very sensitive, so it is encrypted based on PKI.
> Juke Chou TechNet Community Support

Group Policy - Domain A holds the root MBAM server. Domain B is the one I want to add so that it also utilises the MBAM server in Domain A. If I configure the relevant GPO in Domain B to point to the MBAM server in Domain A, then no further configuration should be required for GPO?

Certificates - As I understand it, as long as the certificate for the MBAM server in Domain A is trusted in Domain B (and the firewall allows this communication), then there shouldn't be a problem. Please let me know if this is inaccurate, as I am basing this on theory and not experience.

The goal behind all this is to allow centralised monitoring and administration of MBAM data for both domains if possible, as this will help reduce complexity and centralise administration in our customer's environment.

Jonathan Conway | My blog: Conway's IT Blog | Twitter: jonconwayuk | Linkedin: Jonathan Conway MCITP: Enterprise Administrator MCP MCSE 2003 MCTS SCCM 2007, Windows 7 Config & Deploying VCP
June 11th, 2012 6:10am

Hi, you cannot link a policy residing in another forest even if the forests are trusted. Trust is only used for authentication when accessing resources across forests. I will involve a person who is familiar with MBAM to demonstrate this. So sorry for this.

Juke Chou TechNet Community Support
June 12th, 2012 3:34am

> Hi, you cannot link a policy residing in another forest even if the forests are trusted. Trust is only used for authentication when accessing resources across forests. I will involve a person who is familiar with MBAM to demonstrate this. So sorry for this.
> Juke Chou TechNet Community Support

Thanks again for your reply. I'm fully aware of how GPOs and AD trusts work, but what I'm suggesting is having a separate MBAM policy defined in Domain B which defines the details for the MBAM server in Domain A, i.e. the MBAM Recovery and Hardware service endpoint and MBAM compliance service endpoint etc. If you are able to involve someone with more experience of MBAM, then that would be great.

Jonathan Conway | My blog: Conway's IT Blog | Twitter: jonconwayuk | Linkedin: Jonathan Conway MCITP: Enterprise Administrator MCP MCSE 2003 MCTS SCCM 2007, Windows 7 Config & Deploying VCP
June 12th, 2012 4:25am
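The two prerequisites Jonathan raises for the Domain B side of this design (the firewall must allow the clients through to the Domain A MBAM server, and the Domain A server certificate must chain to a root the Domain B clients trust) can both be checked from a Domain B workstation before the GPO is rolled out. The script below is an added example written for this thread; it is not part of the original posts, of MBAM, or of Microsoft's documentation. The endpoint URLs are placeholders and must be replaced with the service URLs actually published in the Domain B MBAM policy. It deliberately uses the default .NET certificate validation rather than a custom callback, so a failure here means the MBAM agent on the same machine would fail too.

```powershell
# Added example, not from the thread or from Microsoft's MBAM documentation.
# Run on a Domain B client to verify, per endpoint of the Domain A MBAM server:
#   1. a TCP connection gets through (firewall / name resolution), and
#   2. the TLS handshake succeeds against this machine's own trust store
#      (certificate chain and host name), which is what the MBAM agent relies on.
# Endpoint URLs below are assumed placeholders; use the URLs from Domain B's MBAM GPO.

param(
    [string[]]$Endpoints = @(
        'https://mbam.domaina.example/MBAMRecoveryAndHardwareService/CoreService.svc',
        'https://mbam.domaina.example/MBAMComplianceStatusService/StatusReportingService.svc'
    ),
    [int]$TimeoutMs = 5000
)

function Test-MbamEndpoint {
    param([string]$Url, [int]$TimeoutMs)

    $uri = [System.Uri]$Url
    $result = @{
        Url          = $Url
        TcpReachable = $false
        ChainTrusted = $false
        Subject      = $null
        Issuer       = $null
        NotAfter     = $null
        Error        = $null
    }

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Bounded connect so a silently dropping firewall shows up as a timeout
        # rather than hanging the script.
        $ar = $client.BeginConnect($uri.Host, $uri.Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            throw "TCP connect to $($uri.Host):$($uri.Port) timed out after $TimeoutMs ms (firewall?)"
        }
        $client.EndConnect($ar)
        $result.TcpReachable = $true

        # No custom validation callback: the default one walks the chain against
        # the local machine trust store and checks the host name, exactly as the
        # MBAM agent's HTTPS calls will. An untrusted issuer throws here.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($uri.Host)

        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $result.ChainTrusted = $true
        $result.Subject      = $cert.Subject
        $result.Issuer       = $cert.Issuer
        $result.NotAfter     = $cert.NotAfter
        $ssl.Dispose()
    }
    catch {
        # Keep the innermost message: it distinguishes a refused/timed-out
        # connection from "remote certificate is invalid according to the
        # validation procedure", which points at the cross-forest trust chain.
        $result.Error = $_.Exception.GetBaseException().Message
    }
    finally {
        $client.Close()
    }

    New-Object PSObject -Property $result
}

$Endpoints | ForEach-Object { Test-MbamEndpoint -Url $_ -TimeoutMs $TimeoutMs } | Format-List
```

Run it under an account on a Domain B machine (the machine's trust store, not the user's, is what matters for the MBAM service). A `TcpReachable` of `False` points at the firewall or DNS between the forests; `TcpReachable` `True` with `ChainTrusted` `False` means the Domain A issuing CA has not been distributed to Domain B, which is the certificate-trust condition Jonathan describes.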

I think you can refer to the following Microsoft documents for some information:

Planning Guide: http://onlinehelp.microsoft.com/en-us/mdop/hh285653.aspx
Deployment Guide: http://onlinehelp.microsoft.com/en-us/mdop/hh285644.aspx
Operations Guide: http://onlinehelp.microsoft.com/en-us/mdop/hh285664.aspx
Troubleshooting MBAM: http://onlinehelp.microsoft.com/en-us/mdop/hh352745.aspx
Microsoft BitLocker Administration and Monitoring (MBAM) Documentation Resources Download Page: http://www.microsoft.com/download/en/details.aspx?id=27555

Thanks
Zero

Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
June 13th, 2012 7:39am

> I think you can refer to the following Microsoft documents for some information:
> Planning Guide: http://onlinehelp.microsoft.com/en-us/mdop/hh285653.aspx
> Deployment Guide: http://onlinehelp.microsoft.com/en-us/mdop/hh285644.aspx
> Operations Guide: http://onlinehelp.microsoft.com/en-us/mdop/hh285664.aspx
> Troubleshooting MBAM: http://onlinehelp.microsoft.com/en-us/mdop/hh352745.aspx
> Microsoft BitLocker Administration and Monitoring (MBAM) Documentation Resources Download Page: http://www.microsoft.com/download/en/details.aspx?id=27555
> Thanks
> Zero
> Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

Hi Zero - Thanks for your reply. I have read all of the documents listed and my particular scenario isn't covered in any of them to my knowledge.

Jonathan Conway | My blog: Conway's IT Blog | Twitter: jonconwayuk | Linkedin: Jonathan Conway MCITP: Enterprise Administrator MCP MCSE 2003 MCTS SCCM 2007, Windows 7 Config & Deploying VCP
June 13th, 2012 7:43am

I am in a similar scenario at the moment, and this was the only topic that I could find regarding MBAM across different forests. Did this setup ever work for you? I am just wondering if you did some testing and what failed? It seems to me like the agent that is needed to run on the computers will only enforce the policies from the domain where the MBAM instance is located. Thanks for your time.
October 31st, 2012 10:56pm

This topic is archived. No further replies will be accepted.
