Discussion:
Extending Active Directory Schema for Bitlocker recovery information
Ragnar
2007-02-17 22:15:07 UTC
Hi

I'm performing the BitLocker Active Directory schema extension with the
commands and files described in the "Configuring Active Directory to Back up
Windows BitLocker Drive Encryption and Trusted Platform Module Recovery
Information". However ldifde stops at step 13 and gives the following error:

------------------------------------------------------------------------------------------------------------------------
13:
CN=ms-TPM-OwnerInformation,CN=Schema,CN=Configuration,DC=testdomain,dc=com
Entry DN:
CN=ms-TPM-OwnerInformation,CN=Schema,CN=Configuration,DC=testdomain,dc=com
changetype: modify
Attribute 0) searchFlags:152

Add error on line 223: Unwilling To Perform
The server side error is "The search flags for the attribute are invalid.
The ANR bit is valid only on attributes of Unicode or Teletex strings."
6 entries modified successfully.
An error has occurred in the program
------------------------------------------------------------------------------------------------------------------------

Btw, line 223 in the ldif file is the first line above "13:
CN=ms-TPM-OwnerInformation,CN..."

Anyone experienced this?


Thanks.


/Ragnar
.Josh
2007-02-18 15:44:53 UTC
Your DC's at SP1?
Ragnar
2007-02-18 18:21:11 UTC
Yes, the environment meets all requirements as described in the
documentation, including SP1 (I have R2)...

/Ragnar
a***@gmail.com
2007-02-19 12:41:45 UTC
Hi,

Open ADSI Edit (using adsiedit.msc) and check the availability
of searchFlags and its syntax and value.
Schema --> CN=Schema,CN=Configuration,DC=testdomain,dc=com. Right-click
the "CN=ms-TPM-OwnerInformation" object and click Properties.
The searchFlags attribute syntax should be "Integer" and its value
should be 136 (which will be changed to 152).

Adam,
ADManager Plus Team.
Ragnar
2007-02-19 19:04:46 UTC
Hello

I checked (using adsiedit.msc) the searchFlags attribute for
CN=ms-TPM-OwnerInformation. It said 152; however, I'm unable to change it to 136
or choose OK when 152 is the value. I then get the following error message:
"The search flags for the attribute are invalid. The ANR bit is valid only
on attributes of Unicode or Teletex strings."

When checking MSDN, the error code for this message is:
ERROR_DS_INVALID_SEARCH_FLAG
8500

I'm allowed to set the value to 1 and clear the value, but not set to 136 or
152.

The searchFlags attribute syntax is Integer.

Any ideas? Thanks!



/Ragnar
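The searchFlags values traded in this thread (1, 136, 152) are bit masks. The following is an added example, not code from any poster or from Microsoft's schema files: it decodes them using the documented Active Directory searchFlags bits and checks the rule quoted in the server error (ANR only on Unicode or Teletex string syntaxes). The LDIF sample is constructed from the entry quoted above, and the short bit names and function names are this example's own.

```python
import re

# searchFlags bits as documented for Active Directory attributeSchema objects.
SEARCH_FLAGS = {
    0x001: "INDEX",
    0x002: "CONTAINER_INDEX",
    0x004: "ANR",
    0x008: "PRESERVE_ON_DELETE",
    0x010: "COPY",
    0x020: "TUPLE_INDEX",
    0x040: "SUBTREE_INDEX",
    0x080: "CONFIDENTIAL",
    0x100: "NEVER_AUDIT_VALUE",
    0x200: "RODC_FILTERED",
}
ANR_BIT = 0x004
ANR_SYNTAXES = {"2.5.5.4", "2.5.5.12"}  # String(Teletex), String(Unicode)

# Constructed sample modelled on the entry quoted in the thread.
SAMPLE_LDIF = """\
dn: CN=ms-TPM-OwnerInformation,CN=Schema,CN=Configuration,DC=testdomain,dc=com
changetype: modify
replace: searchFlags
searchFlags: 152
-
"""

def decode(value):
    """Return the names of the bits set in a searchFlags integer."""
    known = sum(SEARCH_FLAGS)
    names = [name for bit, name in sorted(SEARCH_FLAGS.items()) if value & bit]
    if value & ~known:
        names.append("UNKNOWN(0x%x)" % (value & ~known))
    return names

def anr_rule_ok(value, syntax_oid):
    """Rule quoted in the server error: ANR needs a Unicode/Teletex string."""
    return not (value & ANR_BIT) or syntax_oid in ANR_SYNTAXES

def searchflag_changes(ldif_text):
    """Return (dn, value, bit names) for each searchFlags value in an LDIF file."""
    unfolded = re.sub(r"\r?\n ", "", ldif_text)  # undo LDIF line folding
    results = []
    for record in re.split(r"\r?\n\s*\r?\n", unfolded.strip()):
        dn = re.search(r"^dn:\s*([^\r\n]+)", record, re.M)
        for m in re.finditer(r"^searchFlags:\s*(\d+)\s*$", record, re.M | re.I):
            value = int(m.group(1))
            results.append((dn.group(1) if dn else None, value, decode(value)))
    return results
```

Neither 136 nor 152 has the ANR bit (4) set; the two values differ only in COPY (16), and both carry CONFIDENTIAL (128) and PRESERVE_ON_DELETE (8).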
Sean Cai [MSFT]
2007-02-20 05:35:02 UTC
Hello,

Thank you for posting here!

However, I notice you have posted the same question in another newsgroup,
which another engineer is working on. Please don't cross-post the same
question in multiple newsgroups in the future so that our engineers can
work on your question efficiently. Your understanding and cooperation are
appreciated.

Thank you and Have a nice day!

Sean Cai, MCSE2000
Microsoft Online Partner Support

Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.