| | #1 (permalink) |
| Guest | Extending Active Directory Schema for Bitlocker recovery information |

Hi

I'm performing the BitLocker Active Directory schema extension with the commands and files described in the "Configuring Active Directory to Back up Windows BitLocker Drive Encryption and Trusted Platform Module Recovery Information". However ldifde stops at step 13 and gives the following error:

------------------------------------------------------------------------

13: CN=ms-TPM-OwnerInformation,CN=Schema,CN=Configuration,DC=testdomain,dc=com
Entry DN: CN=ms-TPM-OwnerInformation,CN=Schema,CN=Configuration,DC=testdomain,dc=com
changetype: modify
Attribute 0) searchFlags:152

Add error on line 223: Unwilling To Perform
The server side error is "The search flags for the attribute are invalid. The ANR bit is valid only on attributes of Unicode or Teletex strings."
6 entries modified successfully.
An error has occurred in the program

------------------------------------------------------------------------

Btw, line 223 in the ldif file is the first line above "13: CN=ms-TPM-OwnerInformation,CN..."

Anyone experienced this?

Thanks.

/Ragnar
| | #2 (permalink) |
| Guest | Re: Extending Active Directory Schema for Bitlocker recovery information |

Your DC's at SP1?
| | #3 (permalink) |
| Guest | Re: Extending Active Directory Schema for Bitlocker recovery information |

Yes, the environment meets all requirements as described in the documentation, including SP1 (I have R2)...

/Ragnar
| | #4 (permalink) |
| Guest | Re: Extending Active Directory Schema for Bitlocker recovery information |

Hi,

Open the ADSI Edit (using adsiedit.msc) and check the availability of searchFlags and their Syntax & Value.

Schema --> CN=Schema,CN=configuration,DC=testdomain,dc=com. Right click and click Properties of the "CN=ms-TPM-OwnerInformation" object. The searchFlags Attribute Syntax should be "Integer" and their value should be 136 (which will be changed to 152).

Adam,
ADManager Plus Team.
| | #5 (permalink) |
| Guest | Re: Extending Active Directory Schema for Bitlocker recovery information |

Hello

I checked (using adsiedit.msc) the searchFlags attribute for CN=ms-TPM-OwnerInformation. It said 152, however I'm unable to change to 136 or choose OK when 152 is the value. I then get the following error message:

"The search flags for the attribute are invalid. The ANR bit is valid only on attributes of Unicode or Teletex strings."

When checking msdn the error code for this message is: ERROR_DS_INVALID_SEARCH_FLAG 8500

I'm allowed to set the value to 1 and clear the value, but not set to 136 or 152. The searchFlags attribute syntax is Integer.

Any ideas?

Thanks!

/Ragnar
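Added example, not part of any post in the thread: the searchFlags values discussed above (136, 152 and 1) are bit masks, so decoding them shows which bits the schema update would change and whether the ANR bit named in the error is among them. The bit names follow the Active Directory technical specification (MS-ADTS); the LDIF record is constructed from the DN and value quoted in the thread, and its `replace:` line and folded DN are assumptions.

```python
import re

# searchFlags bit names as given in the Active Directory technical
# specification (MS-ADTS); they do not come from the thread itself.
SEARCH_FLAGS = {
    0x001: "fATTINDEX",
    0x002: "fPDNTATTINDEX",
    0x004: "fANR",
    0x008: "fPRESERVEONDELETE",
    0x010: "fCOPY",
    0x020: "fTUPLEINDEX",
    0x040: "fSUBTREEATTINDEX",
    0x080: "fCONFIDENTIAL",
    0x100: "fNEVERVALUEAUDIT",
    0x200: "fRODCFilteredAttribute",
}
KNOWN_MASK = sum(SEARCH_FLAGS)

def decode(value):
    """Return the names of the bits set in a searchFlags integer."""
    names = [name for bit, name in sorted(SEARCH_FLAGS.items()) if value & bit]
    if value & ~KNOWN_MASK:
        names.append("unknown:0x%x" % (value & ~KNOWN_MASK))
    return names

def search_flag_changes(ldif_text):
    """Return (dn, new searchFlags value) for each record that sets it."""
    text = re.sub(r"\r?\n ", "", ldif_text)      # undo LDIF line folding
    changes = []
    for record in re.split(r"\n\s*\n", text.strip()):
        dn = re.search(r"^dn:[ \t]*(.+)$", record, re.M | re.I)
        flags = re.search(r"^searchFlags:[ \t]*(\d+)\s*$", record, re.M | re.I)
        if dn and flags:
            changes.append((dn.group(1).strip(), int(flags.group(1))))
    return changes

def compare(current, new):
    """Describe what moving an attribute from `current` to `new` changes."""
    return {
        "added": decode(new & ~current),
        "removed": decode(current & ~new),
        "kept": decode(current & new),
        "anr_set": bool(new & 0x004),
    }

# Constructed record: DN and value are the ones quoted in the thread; the
# "replace:" line and the folded DN are assumptions about the .ldf file.
SAMPLE_LDIF = """\
dn: CN=ms-TPM-OwnerInformation,CN=Schema,CN=Configuration,
 DC=testdomain,dc=com
changetype: modify
replace: searchFlags
searchFlags: 152
-
"""

if __name__ == "__main__":
    for dn, new in search_flag_changes(SAMPLE_LDIF):
        print(dn)
        print("  new value", new, "=", decode(new))
        print("  versus 136:", compare(136, new))
        print("  value 1 =", decode(1))
```

For the values in the thread, going from 136 to 152 adds only the copy bit (16); the confidential bit (128) is set in both values and the ANR bit (4) in neither.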
| | #6 (permalink) |
| Guest | RE: Extending Active Directory Schema for Bitlocker recovery information |

Hi Ragnar,

Thank you for using newsgroup!

I notice that you have posted the same question in our vista.general newsgroup. In the future, please don't cross-post the same question in multiple newsgroups. This will help our engineers work on your question more efficiently. Your understanding and cooperation is appreciated.

Thanks & Regards,

Ken Zhao

Microsoft Online Support
Microsoft Global Technical Support Center

Get Secure! - www.microsoft.com/security <http://www.microsoft.com/security>

====================================================
When responding to posts, please "Reply to Group" via your newsreader so that others may learn and benefit from your issue.
====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
| From: "Ragnar" <Ragnar@noemail.noemail>
| Subject: Extending Active Directory Schema for Bitlocker recovery information
| Date: Sat, 17 Feb 2007 23:15:07 +0100
| Lines: 33
| Message-ID: <87B133D5-CE85-46AA-9A7E-ADB74C2D7E4A@microsoft.com>
| MIME-Version: 1.0
| Content-Type: text/plain;
|   format=flowed;
|   charset="iso-8859-1";
|   reply-type=original
| Content-Transfer-Encoding: 7bit
| X-Priority: 3
| X-MSMail-Priority: Normal
| X-Newsreader: Microsoft Windows Mail 6.0.6000.16386
| X-MimeOLE: Produced By Microsoft MimeOLE V6.0.6000.16386
| X-MS-CommunityGroup-MessageCategory: {E4FCE0A9-75B4-4168-BFF9-16C22D8747EC}
| X-MS-CommunityGroup-PostID: {87B133D5-CE85-46AA-9A7E-ADB74C2D7E4A}
| Newsgroups: microsoft.public.windows.server.active_directory,microsoft.public.windows.vista.general,microsoft.public.windows.vista.security
| Path: TK2MSFTNGHUB02.phx.gbl
| Xref: TK2MSFTNGHUB02.phx.gbl microsoft.public.windows.vista.general:41344 microsoft.public.windows.vista.security:1864 microsoft.public.windows.server.active_directory:8217
| NNTP-Posting-Host: TK2MSFTNGHUB02.phx.gbl 127.0.0.1
| X-Tomcat-NG: microsoft.public.windows.vista.security
| | #7 (permalink) |
| Guest | Re: Extending Active Directory Schema for Bitlocker recovery information |

""Ken Zhao [MSFT]"" <v-kzhao@online.microsoft.com> wrote in message news:E1PZQoKVHHA.4056@TK2MSFTNGHUB02.phx.gbl...
> I notice that you have posted the same question in our vista.general
> newsgroup. In the future, please don't cross-post the same question in
> multiple newsgroups. This will help our engineers work on your question
> more efficiently. Your understanding and cooperation is appreciated.

Terminology correction:

Please _do_ cross-post. Cross-posting is where your Newsgroups line contains multiple newsgroups, separated by commas. In Outlook Express / Windows Mail, you can do this by clicking on the "Newsgroups" button (it is a button, even though it doesn't look like one), and adding newsgroups to the list of "Newsgroups to post to".

What is not generally a good idea is to multiple-post, or multi-post. This is where you type (or paste) the same message several times over, into different posts to different newsgroups.

The clue is: hit send once. If you hit Send more than once with the same basic content, you are multi-posting, which is a bad thing.

Alun.
~~~~
--
Texas Imperial Software | Web: http://www.wftpd.com/
23921 57th Ave SE | Blog: http://msmvps.com/alunj/
Woodinville WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(425)807-1787 | Try our NEW client software, WFTPD Explorer.
| | #8 (permalink) |
| Guest | Re: Extending Active Directory Schema for Bitlocker recovery information |

Yes that was my understanding as well. I always liked cross-post because some questions are very much related to multiple newsgroups. I totally agree regarding multipost.

So what should I do, can I cross-post or not??

Thanks

/Ragnar
| | #9 (permalink) |
| Guest | Re: Extending Active Directory Schema for Bitlocker recovery information |

"Ragnar" <Ragnar@noemail.noemail> wrote in message news:%23Zf70w%23VHHA.4384@TK2MSFTNGP02.phx.gbl...
> Yes that was my understanding as well. I always liked cross-post because
> some questions are very much related to multiple newsgroups. I totally
> agree regarding multipost.
>
> So what should I do, can I cross-post or not??

Cross-post judiciously. Limit yourself to only those newsgroups that are most appropriate to your question. If you are posting looking for courses for teaching your cat to hang-glide, post to "rec.sports.hang-gliding,rec.pets.cats" - don't post to rec.pets.felines,rec.pets.misc,sci.animals, etc, because those are already covered more specifically to your question by rec.pets.cats.

Ken appears to be using the internal Microsoft tool, Tomcat (see the X-Tomcat header), for dealing with newsgroups, which hasn't caught up with the fact that newsgroups use cross-posting to allow experts from multiple groups to weigh in on a discussion without causing the experts who are reading multiple groups to have to read the message over and over.

This works nicely for most newsreaders written since the 1980s, which have the ability to mark cross-posted articles as having been read in all newsgroups. Tomcat is a little different.

Ken's warning does apply to multi-posting, though - that just irritates people who try to help, because they see your message again and again, across all the newsgroups.

Alun.
~~~~