Verify BitLocker and TPM Schema Objects

Applies To: Windows 7, Windows Server 2008 R2

To enable the backup of BitLocker and Trusted Platform Module (TPM) recovery information in Active Directory Domain Services (AD DS), six schema objects are created in the Active Directory schema. These objects exist by default on domain controllers running Windows Server 2008 or Windows Server 2008 R2. If your domain controller is running Windows Server 2003 with Service Pack 1 or Service Pack 2, these objects are created by using the BitLocker TPM schema extension file (BitLockerTPMSchemaExtension.ldf).

You can use the following procedure to verify whether these objects exist in your Active Directory installation.

To examine and verify BitLocker and TPM schema objects

  1. Log on to the domain controller as a member of the Domain Admins group.

  2. Click Start, click Run, type adsiedit.msc, and then click OK to open the ADSI Edit snap-in.

Note

In Windows Server 2008 and Windows Server 2008 R2, the Active Directory Service Interfaces Editor (ADSI Edit) is installed as part of the Active Directory Domain Services server role. It is also included in the Windows Server 2008 Remote Server Administration Tools (RSAT) Pack. To install ADSI Edit on a computer running Windows Vista with Service Pack 1 (SP1) or Windows 7, you must install RSAT. For more information and to download RSAT, see article 941314 in the Microsoft Knowledge Base (https://go.microsoft.com/fwlink/?LinkID=116179). If the domain controller is running Windows Server 2003 with SP1, this snap-in is included in the Windows Support Tools. To download the Windows Support Tools for Windows Server 2003 with SP1, see Windows Server 2003 Service Pack 1 32-bit Support Tools (https://go.microsoft.com/fwlink/?LinkID=70775).

  3. Open the Schema container, and then open the folder containing the available schema objects.

  4. Find the following schema objects by name:

    • CN=ms-FVE-KeyPackage – attributeSchema object

    • CN=ms-FVE-RecoveryGuid – attributeSchema object

    • CN=ms-FVE-RecoveryInformation – classSchema object

    • CN=ms-FVE-RecoveryPassword – attributeSchema object

    • CN=ms-FVE-VolumeGuid – attributeSchema object

    • CN=ms-TPM-OwnerInformation – attributeSchema object
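The steps above verify the objects by hand in the ADSI Edit GUI. The PowerShell script below is an added example, not from the original Microsoft page, that performs the same check against the schema naming context using the .NET System.DirectoryServices classes, so it does not need RSAT or the ADSI Edit snap-in. It assumes it runs on a domain-joined Windows computer in the context of a domain user (reading the schema partition does not require Domain Admins membership). The six object names and their expected classes are exactly the ones listed in step 4.

```powershell
# Added example, not part of the Microsoft page: verify the six BitLocker/TPM schema
# objects with plain .NET ADSI (System.DirectoryServices), which is present on any
# domain-joined Windows machine, so no RSAT install is needed for this check.
# Assumption: the session runs as a domain user on a domain-joined computer.

# Expected object name -> expected objectClass, taken from the procedure above.
$expected = [ordered]@{
    'ms-FVE-KeyPackage'          = 'attributeSchema'
    'ms-FVE-RecoveryGuid'        = 'attributeSchema'
    'ms-FVE-RecoveryInformation' = 'classSchema'
    'ms-FVE-RecoveryPassword'    = 'attributeSchema'
    'ms-FVE-VolumeGuid'          = 'attributeSchema'
    'ms-TPM-OwnerInformation'    = 'attributeSchema'
}

# RootDSE tells us where the Schema container lives in this forest,
# e.g. CN=Schema,CN=Configuration,DC=example,DC=com (constructed sample value).
$rootDse  = [ADSI]'LDAP://RootDSE'
$schemaNC = [string]$rootDse.schemaNamingContext

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot  = [ADSI]"LDAP://$schemaNC"
$searcher.SearchScope = 'OneLevel'   # schema objects sit directly under the Schema container
[void]$searcher.PropertiesToLoad.AddRange(@('cn', 'objectClass', 'lDAPDisplayName'))

$report = foreach ($name in $expected.Keys) {
    # The cn values above contain no LDAP filter metacharacters, so no escaping is needed.
    $searcher.Filter = "(cn=$name)"
    $result = $searcher.FindOne()

    if ($null -eq $result) {
        $status = 'MISSING'
        $class  = $null
    }
    else {
        # objectClass is multi-valued ('top' plus the structural class); look for the expected one.
        $classes = @($result.Properties['objectclass'])
        $class   = ($classes | Where-Object { $_ -ne 'top' }) -join ','
        $status  = if ($classes -contains $expected[$name]) { 'OK' } else { 'WRONG CLASS' }
    }

    [PSCustomObject]@{
        Object        = "CN=$name"
        ExpectedClass = $expected[$name]
        FoundClass    = $class
        Status        = $status
    }
}

$report | Format-Table -AutoSize

# Exit non-zero when anything is missing or has the wrong class, so the check
# can run unattended from a scheduled task or a configuration-audit pipeline.
$bad = @($report | Where-Object { $_.Status -ne 'OK' })
if ($bad.Count -gt 0) {
    Write-Warning "$($bad.Count) of $($expected.Count) BitLocker/TPM schema objects are missing or wrong. On Windows Server 2003 SP1/SP2 domain controllers, apply BitLockerTPMSchemaExtension.ldf before relying on AD DS recovery-key backup."
    exit 1
}
```

Run the script from a PowerShell prompt on the domain controller or on any domain member. Every row should report OK on a forest whose schema master runs Windows Server 2008 or Windows Server 2008 R2; a MISSING row on a Windows Server 2003 SP1 or SP2 forest means the schema extension file has not been imported yet, and BitLocker clients configured to back up recovery information to AD DS will fail to do so until it is.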