Appendix D: BitLockerTPMSchemaExtension.ldf File Contents
The following is the contents of the BitLockerTPMSchemaExtension.ldf file, which can be used to extend the Active Directory schema from Windows ServerĀ 2003 with SP1 to support backing up recovery information for BitLocker and the TPM owner password in Active Directory.
To use this file to extend the schema, you should be familiar with the Ldifde command, which must be run on the domain controller holding the schema operations master role for the forest.
Note
To download this file, see https://go.microsoft.com/fwlink/?LinkId=78953.
File contents
Note
Some lines might appear split into multiple lines for display or printing.
#=====================================================================
# Active Directory Domain Services schema extension for
# BitLocker Drive Encryption and Trusted Platform Module (TPM) recovery
# This file contains attributes and class objects that enable
# Windows Server 2003 SP1 and Windows Server 2003 R2 domain controllers
# to store BitLocker and TPM recovery information.
# Change History:
# 11/2005 - Schema additions for Vista Beta 2 (matches \"Longhorn\" Server Beta 2)
# 5/2006 - Schema additions and updates for Vista RC1 (matches \"Longhorn\" Server Beta 3)
# NOTE: A schema extension is not necessary if the forest includes an installation
# of Windows Server Codename \"Longhorn\".
# To extend the schema, use the LDIFDE tool on the schema master of the forest.
# Sample command:
# ldifde -i -v -f BitLockerTPMSchemaExtension.ldf -c \"DC=X\" \"DC=nttest,dc=microsoft,dc=com\" -k -j .
# For more information on LDIFDE tool, see
# https://support.microsoft.com/default.aspx?scid=kb;en-us;237677
# See related guide for setting up Active Directory Domain Services
# for BitLocker and TPM recovery.
#=====================================================================
#=====================================================================
# [Vista Beta 2 and up] TPM Recovery Information - Attributes
#=====================================================================
# ms-TPM-OwnerInformation
dn: CN=ms-TPM-OwnerInformation,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msTPM-OwnerInformation
adminDisplayName: TPM-OwnerInformation
adminDescription: This attribute contains the owner information of a particular TPM.
attributeId: 1.2.840.113556.1.4.1966
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
searchFlags: 136
schemaIdGuid:: bRpOqg1VBU6MNUr8uRep/g==
showInAdvancedViewOnly: TRUE
#======================================================================
# [Vista Beta 2 and up] Bitlocker Recovery Information - Attributes
# NOTE: FVE is the acronym for Full Volume Encryption, a pre-release name
#=====================================================================
# ms-FVE-RecoveryGuid
dn: CN=ms-FVE-RecoveryGuid,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msFVE-RecoveryGuid
adminDisplayName: FVE-RecoveryGuid
adminDescription: This attribute contains the GUID associated with a Full Volume Encryption (FVE) recovery password.
attributeID: 1.2.840.113556.1.4.1965
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
searchFlags: 137
schemaIdGuid:: vAlp93jmoEews/hqAETAbQ==
showInAdvancedViewOnly: TRUE
# ms-FVE-RecoveryPassword
dn: CN=ms-FVE-RecoveryPassword,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msFVE-RecoveryPassword
adminDisplayName: FVE-RecoveryPassword
adminDescription: This attribute contains the password required to recover a Full Volume Encryption (FVE) volume.
attributeId: 1.2.840.113556.1.4.1964
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
searchFlags: 136
schemaIdGuid:: wRoGQ63IzEy3hSv6wg/GCg==
showInAdvancedViewOnly: TRUE
#=====================================================================
# [Vista Beta 2 and up] Attributes - Schema Update
#======================================================================
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
#=====================================================================
# [Vista Beta 2 and up] BitLocker Recovery Information - Class
#=====================================================================
# ms-FVE-RecoveryInformation
dn: CN=ms-FVE-RecoveryInformation,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
ldapDisplayName: msFVE-RecoveryInformation
adminDisplayName: FVE-RecoveryInformation
adminDescription: This class contains a Full Volume Encryption recovery password with its associated GUID.
governsID: 1.2.840.113556.1.5.253
objectClassCategory: 1
subClassOf: top
systemMustContain: msFVE-RecoveryGuid
systemMustContain: msFVE-RecoveryPassword
systemPossSuperiors: computer
schemaIdGUID:: MF1x6lOP0EC9HmEJGG14LA==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)
defaultHidingValue: TRUE
defaultObjectCategory: CN=ms-FVE-RecoveryInformation,CN=Schema,CN=Configuration,DC=X
#=====================================================================
# [Vista Beta 2 and up] Classes - Schema Update
#=====================================================================
dn: CN=computer,CN=Schema,CN=Configuration,DC=X
#changetype: ntdsSchemaModify
changetype: modify
add: mayContain
mayContain: msTPM-OwnerInformation
-
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
#=====================================================================
# [Vista RC1 and up] Bitlocker Recovery Information - Additional Attributes
#=====================================================================
# ms-FVE-VolumeGuid
dn: CN=ms-FVE-VolumeGuid,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msFVE-VolumeGuid
adminDisplayName: FVE-VolumeGuid
adminDescription: This attribute contains the GUID associated with a BitLocker-supported disk volume. Full Volume Encryption (FVE) was the pre-release name for BitLocker Drive Encryption.
attributeID: 1.2.840.113556.1.4.1998
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
searchFlags: 27
schemaIdGuid:: z6Xlhe7cdUCc/aydtqLyRQ==
showInAdvancedViewOnly: TRUE
isMemberOfPartialAttributeSet: TRUE
rangeUpper: 128
# ms-FVE-KeyPackage
dn: CN=ms-FVE-KeyPackage,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
ldapDisplayName: msFVE-KeyPackage
adminDisplayName: FVE-KeyPackage
adminDescription: This attribute contains a volume's BitLocker encryption key secured by the corresponding recovery password. Full Volume Encryption (FVE) was the pre-release name for BitLocker Drive Encryption.
attributeId: 1.2.840.113556.1.4.1999
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
searchFlags: 152
schemaIdGuid:: qF7VH6eI3EeBKQ2qlxhqVA==
showInAdvancedViewOnly: TRUE
isMemberOfPartialAttributeSet: FALSE
rangeUpper: 102400
#=====================================================================
# [Vista RC1 and up] Additional Attributes - Schema Update
#=====================================================================
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
#=====================================================================
# [Vista RC1 and up] Updates to BitLocker Recovery Information Class
#======================================================================
dn: CN=ms-FVE-RecoveryInformation,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: adminDescription
adminDescription: This class contains BitLocker recovery information including GUIDs, recovery passwords, and keys. Full Volume Encryption (FVE) was the pre-release name for BitLocker Drive Encryption.
-
dn: CN=ms-FVE-RecoveryInformation,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: mayContain
mayContain: msFVE-VolumeGuid
mayContain: msFVE-KeyPackage
-
#=====================================================================
# [Vista RC1 and up] Updates to pre-RC1 Attributes
#=====================================================================
# Updates to ms-TPM-OwnerInformation
dn: CN=ms-TPM-OwnerInformation,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: searchFlags
searchFlags: 152
-
dn: CN=ms-TPM-OwnerInformation,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: rangeUpper
rangeUpper: 128
-
# Updates to ms-FVE-RecoveryGuid
dn: CN=ms-FVE-RecoveryGuid,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: adminDescription
adminDescription: This attribute contains the GUID associated with a BitLocker recovery password. Full Volume Encryption (FVE) was the pre-release name for BitLocker Drive Encryption.
-
dn: CN=ms-FVE-RecoveryGuid,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: searchFlags
searchFlags: 27
-
dn: CN=ms-FVE-RecoveryGuid,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: rangeUpper
rangeUpper: 128
-
dn: CN=ms-FVE-RecoveryGuid,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: isMemberOfPartialAttributeSet
isMemberOfPartialAttributeSet: TRUE
-
# Updates to ms-FVE-RecoveryPassword
dn: CN=ms-FVE-RecoveryPassword,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: adminDescription
adminDescription: This attribute contains a password that can recover a BitLocker-encrypted volume. Full Volume Encryption (FVE) was the pre-release name for BitLocker Drive Encryption.
-
dn: CN=ms-FVE-RecoveryPassword,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: searchFlags
searchFlags: 152
-
dn: CN=ms-FVE-RecoveryPassword,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: rangeUpper
rangeUpper: 256
-
# Reload the schema cache to pick up updated attributes
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-