Managing Microsoft Bitlocker Administration & Monitoring (MBAM) Between Different Forests
Does anyone know whether it is possible to use a central recovery key database (and associated reporting etc.) that includes machines from two separate domains in two different forests?
My customer has a domain from where they would like to centrally manage the resources from another domain in a separate forest, and I wondered if this was supported within MBAM.
I can't see anything obvious in the documentation for MBAM, so wondered if anyone out there knew if this was possible?
Jonathan Conway | My blog: Conway's IT Blog | Twitter: jonconwayuk | LinkedIn: Jonathan Conway
MCITP: Enterprise Administrator, MCP, MCSE 2003, MCTS SCCM 2007, Windows 7 Config & Deploying, VCP
June 8th, 2012 10:38am
Hi,
Based on my understanding, your purpose cannot be achieved.
Also, since it involves the AD role, it is better to ask this question in the Server Forum:
http://social.technet.microsoft.com/Forums/en-US/winserversecurity/threads
Juke Chou
TechNet Subscriber Support
If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
June 11th, 2012 5:40am
Hi Juke, thanks for your response.
Are you able to qualify your understanding of why this cannot be achieved, as I need to make a design decision on this topic and would need some supporting information to justify the decision?
My question relates specifically to MBAM and not the AD role, hence why I've asked it in the Windows 7 Security forum, which seems to be the correct area for queries around the MDOP MBAM product.
June 11th, 2012 5:47am
Hi,
Because MBAM needs Group Policy support. Also, when the clients send the recovery keys to the server for centralising the data, all of that data is very sensitive, so it is encrypted based on PKI.
Juke Chou
TechNet Community Support
Group Policy - Domain A holds the root MBAM server. Domain B is the one I want to add so that it also utilises the MBAM server in Domain A. If I configure the relevant GPO in Domain B to point to the MBAM server in Domain A, then no further configuration should be required for GPO?
Certificates - As I understand it, as long as the certificate for the MBAM server in Domain A is trusted in Domain B (and the firewall allows this communication), then there shouldn't be a problem. Please let me know if this is inaccurate, as I am basing this on theory and not experience.
The goal behind all this is to allow centralised monitoring and administration of MBAM data for both domains if possible, as this will help reduce complexity and centralise administration in our customer's environment.
June 11th, 2012 6:10am
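The two preconditions in the post above (the Domain B GPO pointing the client at the Domain A endpoints, and the Domain A server certificate being trusted in Domain B with the firewall open) can be checked from a Domain B client before any design decision is made. The script below is an added example written for this page; it is not code from the thread or from the MBAM product. It assumes the MBAM client GPO writes its endpoints as the values KeyRecoveryServiceEndPoint and StatusReportingServiceEndPoint under HKLM\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement (the MBAM ADMX path); if your MBAM version uses a different key, change $policyKey. The function names are this example's own.

```powershell
# Added example, not code from the thread or from MBAM.
# Run on a Domain B client after the Domain B GPO has applied (gpupdate /force).
# Assumption: the MBAM client policy writes its endpoints under this key
# (the MBAM ADMX path); adjust $policyKey if your MBAM version differs.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement'
$endpointValues = @('KeyRecoveryServiceEndPoint', 'StatusReportingServiceEndPoint')

function Get-MbamPolicyEndpoint {
    param([string]$ValueName)
    # Returns $null when the value is absent, i.e. the GPO has not applied here.
    $item = Get-ItemProperty -Path $policyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$ValueName
}

function Test-MbamEndpointTrust {
    param([uri]$Url)
    # Two checks on one connection:
    #   1. TCP connect   -> the firewall between the forests allows the port.
    #   2. TLS handshake -> SslStream validates the server certificate against
    #      this machine's trust store and checks the name matches $Url.Host,
    #      as the MBAM agent's HTTPS call would. A chain that Domain B does not
    #      trust, or a name mismatch, throws at AuthenticateAsClient.
    $result = [ordered]@{
        Endpoint  = $Url.AbsoluteUri
        Reachable = $false
        Trusted   = $false
        Subject   = $null
        Issuer    = $null
        NotAfter  = $null
        Error     = $null
    }
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($Url.Host, $Url.Port)   # Uri.Port is 443 when https has no explicit port
        $result.Reachable = $true
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($Url.Host)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $result.Trusted  = $true
        $result.Subject  = $cert.Subject
        $result.Issuer   = $cert.Issuer
        $result.NotAfter = $cert.NotAfter
    } catch {
        # .NET method failures arrive wrapped; report the inner message.
        $ex = $_.Exception
        if ($ex.InnerException) { $ex = $ex.InnerException }
        $result.Error = $ex.Message
    } finally {
        $tcp.Close()
    }
    return [pscustomobject]$result
}

foreach ($name in $endpointValues) {
    $url = Get-MbamPolicyEndpoint -ValueName $name
    if (-not $url) {
        Write-Warning "$name is not set under $policyKey - the Domain B MBAM GPO has not applied here."
        continue
    }
    if (([uri]$url).Scheme -ne 'https') {
        Write-Warning "$name ($url) is not HTTPS; recovery data would leave this client unencrypted on the wire."
    }
    Test-MbamEndpointTrust -Url ([uri]$url) | Format-List
}
```

Reachable = False means the firewall or DNS between the forests, not MBAM, is the problem; Reachable = True with Trusted = False means the Domain A issuing chain is not in the Domain B client's trust store (or the endpoint host name in the GPO does not match the certificate). If both endpoints come back Reachable and Trusted and keys still never appear in the Domain A database, the GPO and PKI preconditions are not the issue, and what remains is the question this thread leaves open: whether the agent and the MBAM web services accept a client from a trusted foreign forest.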
Hi,
You cannot link a policy residing in another forest even if they are trusted.
Trust is only used for authentication when accessing resources across forests.
I will involve a person who is familiar with MBAM to demonstrate this. Sorry for this.
Juke Chou
TechNet Community Support
June 12th, 2012 3:34am
Thanks again for your reply - I'm fully aware of how GPOs and AD trusts work, but what I'm suggesting is having a separate MBAM policy defined in Domain B which defines the details for the MBAM server in Domain A, i.e. the MBAM Recovery and Hardware service endpoint and MBAM Compliance service endpoint etc.
If you are able to involve someone with more experience of MBAM then that would be great.
June 12th, 2012 4:25am
I think you can refer to the following Microsoft documentation for some information:
Planning Guide: http://onlinehelp.microsoft.com/en-us/mdop/hh285653.aspx
Deployment Guide: http://onlinehelp.microsoft.com/en-us/mdop/hh285644.aspx
Operations Guide: http://onlinehelp.microsoft.com/en-us/mdop/hh285664.aspx
Troubleshooting MBAM: http://onlinehelp.microsoft.com/en-us/mdop/hh352745.aspx
Microsoft BitLocker Administration and Monitoring (MBAM) Documentation Resources Download Page
http://www.microsoft.com/download/en/details.aspx?id=27555
Thanks
Zero
Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
June 13th, 2012 7:39am
Hi Zero - Thanks for your reply. I have read all of the documents listed and my particular scenario isn't covered in any of them to my knowledge.
June 13th, 2012 7:43am
I am in a similar scenario at the moment and this was the only topic that I could find regarding MBAM across different forests. Did this setup ever work for you? I am just wondering if you did some testing and what failed? It seems to me like the agent that needs to run on the computers will only enforce the policies from the domain where the MBAM instance is located. Thanks for your time.
October 31st, 2012 10:56pm