Microsoft KB Archive/936121

= You receive an error message when you update the schema to enable BitLocker Drive Encryption recovery information in an Active Directory forest =

Article ID: 936121

Article Last Modified on 10/11/2007

-

APPLIES TO

 Microsoft Windows Server 2003 SP1, when used with:
 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition
 * Microsoft Windows Server 2003, Standard x64 Edition
 * Microsoft Windows Server 2003, Enterprise x64 Edition

-

Beta Information
This article discusses a beta release of a Microsoft product. The information in this article is provided as-is and is subject to change without notice.

No formal product support is available from Microsoft for this beta product. For information about how to obtain support for a beta release, see the documentation that is included with the beta product files, or check the Web location where you downloaded the release.

SYMPTOMS
In an Active Directory forest, you update the schema to enable BitLocker Drive Encryption recovery information. However, when you use the BitLockerTPMSchemaExtension.ldf file to update the schema, you receive the following error message:

12: CN=ms-TPM-OwnerInformation,CN=Schema,CN=Configuration,DC=ANRCheck, DC=nttest, DC=microsoft, DC=com

Entry DN: CN=ms-TPM-OwnerInformation,CN=Schema,CN=Configuration,DC=ANRCheck, DC=nttest, DC=microsoft, DC=com

changetype: modify

Attribute 0) searchFlags:152

Add error on line 203: Unwilling To Perform

The server side error is "The search flags for the attribute are invalid. The ANR bit is valid only on attributes of Unicode or Teletex strings."

5 entries modified successfully.

An error has occurred in the program
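The following is an added example, not part of the original article or of any Microsoft tool: it parses the ldifde error text quoted above and decodes the rejected `searchFlags` value into its individual bits. The bit values are the documented `searchFlags` bits for Active Directory attribute schema objects; the short names, the function names and the abridged `SAMPLE_LOG` are assumptions of this example.

```python
import re

# Ten low searchFlags bits as documented for attributeSchema objects;
# the short names are labels chosen for this example.
SEARCH_FLAGS = {
    0x001: "INDEX", 0x002: "CONTAINER_INDEX", 0x004: "ANR",
    0x008: "PRESERVE_ON_DELETE", 0x010: "COPY", 0x020: "TUPLE_INDEX",
    0x040: "SUBTREE_INDEX", 0x080: "CONFIDENTIAL",
    0x100: "NEVER_VALUE_AUDIT", 0x200: "RODC_FILTERED",
}

# Error text as quoted in this article (abridged).
SAMPLE_LOG = '''\
Entry DN: CN=ms-TPM-OwnerInformation,CN=Schema,CN=Configuration,DC=ANRCheck, DC=nttest, DC=microsoft, DC=com
changetype: modify
Attribute 0) searchFlags:152
Add error on line 203: Unwilling To Perform
The server side error is "The search flags for the attribute are invalid. The ANR bit is valid only on attributes of Unicode or Teletex strings."
5 entries modified successfully.
'''

PATTERNS = {
    "dn": r"^Entry DN:(.+)$",
    "attribute": r"^Attribute \d+\)\s*(\w+):",
    "value": r"^Attribute \d+\)\s*\w+:\s*(\d+)",
    "ldif_line": r"^Add error on line (\d+):",
    "ldap_error": r"^Add error on line \d+:(.+)$",
    "server_message": r'^The server side error is "(.+)"\s*$',
}

def parse_ldifde_failure(log):
    """Pull the failing entry, attribute change and error text out of ldifde output."""
    found = {}
    for key, pattern in PATTERNS.items():
        m = re.search(pattern, log, re.MULTILINE)
        found[key] = m.group(1).strip() if m else None
    return found

def decode_search_flags(value):
    """Return (names of set bits in ascending order, bits outside the table)."""
    names = [name for bit, name in sorted(SEARCH_FLAGS.items()) if value & bit]
    return names, value & ~sum(SEARCH_FLAGS)

def explain(log):
    """Parse and decode; raises ValueError when no searchFlags change is in the log."""
    failure = parse_ldifde_failure(log)
    if failure["attribute"] != "searchFlags" or failure["value"] is None:
        raise ValueError("no searchFlags modification found in log")
    failure["flags"], failure["other_bits"] = decode_search_flags(int(failure["value"]))
    return failure
```

For the value 152 in this article the set bits are 8, 16 and 128; bit 4 (ANR) is not among them.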

CAUSE
This problem occurs if the following conditions are true:
 * The Active Directory forest in which you are updating the schema contains domain controllers that are running Microsoft Windows Server Code Name "Longhorn."
 * The domain controller that serves as the schema master is running Microsoft Windows Server 2003.

RESOLUTION
If the domain controller is running the Beta 3 release of Windows Server Code Name "Longhorn" or a later version, you do not have to use the BitLockerTPMSchemaExtension.ldf file to update the schema. Windows Server Code Name "Longhorn" includes the necessary schema updates to support BitLocker Drive Encryption.

If the domain controller is running a version of Windows Server Code Name "Longhorn" that is earlier than Beta 3, transfer the schema master role to a domain controller that is running Windows Server Code Name "Longhorn." Then, reapply the schema updates. For more information about how to transfer the schema master role, click the following article number to view the article in the Microsoft Knowledge Base:

324801 How to view and transfer FSMO roles in Windows Server 2003

STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

MORE INFORMATION
To obtain the BitLockerTPMSchemaExtension.ldf file, visit the following Microsoft Web site:

http://www.microsoft.com/downloads/details.aspx?FamilyID=3a207915-dfc3-4579-90cd-86ac666f61d4&DisplayLang=en

After you update the Active Directory schema to support BitLocker Drive Encryption, you can back up the recovery information for BitLocker Drive Encryption in Active Directory. For more information, visit the following Microsoft TechNet Web site:

http://technet2.microsoft.com/WindowsVista/en/library/3dbad515-5a32-4330-ad6f-d1fb6dfcdd411033.mspx

Keywords: kberrmsg kbtshoot kbprb kbexpertiseinter KB936121

-

© Microsoft Corporation. All rights reserved.