Recovery information was successfully backed up to active directory


I have a device that needs to have its BitLocker recovery backed up to AD for visibility in the "BitLocker Recovery" tab of the object in Active Directory. I found that the device only had a TPM protector, so I added a Numerical Password.

I want to back up this numerical password to AD. Windows replies with: "Recovery information was successfully backed up to Active Directory." You need to add a "Recovery Key", like this: It seems that some devices just took more time for the key to appear.

I just tested with one device that wound up taking about 20 minutes to reflect changes in AD. KeyProtectorId getting a 0 exit code, but nothing published to AD. Is there something I'm missing here? How can I get this password backed up to AD? Have you gone back and double-checked the AD object since originally checking it?

Due to replication, there might be some delay before the change becomes visible. It's pretty instantaneous for most machines, but you might be onto something. I will reply back in short time. This exact method is working for other devices, backing up their Recovery Key to AD. Are you sure this PC is getting the correct Group Policy? Is the Local Policy set and overwriting the Group Policy?

This section will help you understand the difference between doing a full server backup and a system state backup.

The system state backup includes only the components needed to restore Active Directory. The system state includes the following: The Windows Server Backup utility gets a bad rap, mostly because it is used incorrectly. It is not a solution for backing up your entire enterprise, but it works great for specific use cases like backing up Active Directory.

Now just click next a few times to get to the select features page. I prefer to use the full backup option instead of the system state backup. This option allows you to easily restore if the operating system or Active Directory becomes corrupt. It includes the system state so you can choose to restore the entire server or just the system state.

The steps for backing up just the system state are the same; you will just choose Custom instead of Full server. Important: when doing a full backup, the disk cannot be larger than the one you are restoring to.


So if the server you are backing up has a disk size of 50GB, the backup disk cannot be larger than this. The Windows backups are very efficient, the first backup is full then it will do incremental backups. In the above screenshot, the backup configuration will tell you how large the backup size will be. Unless you have 3rd party programs and files on your domain controller the backup should be fairly small. After the first backup, it will do an incremental and only backup the changes.

Configure the backup schedule that works best for you. In my environment, I configured a daily backup at PM. Then choose the volume that you configured from step 1. The backup configuration is complete but we need to change a few settings in the scheduled task that was created. On the settings screen change the task to stop running if it runs longer than 2 hours.

Also, check the box to allow the task to be run on demand. If you want you could right click the task and run it. The backup process may cause a bit of CPU usage so you may need to wait. The first backup will be a full backup. The next 14 backups will be incremental then it will do another full backup. The backup configuration is complete, Active Directory will now backup on a daily basis or whatever schedule you configured it for. This is a tested solution that I found from Microsoft and that I use in production.

To automate monitoring of the backups you will configure a scheduled task to trigger an action when event ID 4 has been logged.


The scheduled task will trigger a PowerShell script when event ID 4 is logged. The script will send an email message. Active Directory is one of the most critical components in a Windows environment. It seems like everything is dependent on Active Directory or DNS, and if it crashes nothing works right, or at all. Fortunately, they had backups and were able to recover the domain controllers.

For more info, see BitLocker Group Policy settings.
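The event-triggered task described above, as an added example that is not from the article: it registers a task that fires on event ID 4 in the Microsoft-Windows-Backup operational log and runs a small alert script. The task name, the script path C:\Scripts\Send-BackupAlert.ps1 and the mail server and addresses are placeholders.

```powershell
# Added example: monitor Windows Server Backup by reacting to event ID 4 with a scheduled task.
# Run elevated on the domain controller. Task name, script path and mail settings are placeholders.
$scriptPath = 'C:\Scripts\Send-BackupAlert.ps1'
New-Item -ItemType Directory -Path (Split-Path $scriptPath) -Force | Out-Null

# The alert script: read the most recent event 4 and mail its text.
@'
$evt  = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Backup'; Id = 4 } -MaxEvents 1
$body = "Backup event {0} on {1} at {2}:`n{3}" -f $evt.Id, $env:COMPUTERNAME, $evt.TimeCreated, $evt.Message
Send-MailMessage -SmtpServer 'smtp.example.internal' -From 'backup@example.internal' `
    -To 'adadmins@example.internal' -Subject "AD backup event on $env:COMPUTERNAME" -Body $body
'@ | Set-Content -Path $scriptPath -Encoding UTF8

# New-ScheduledTaskTrigger has no switch for event triggers, so build the
# MSFT_TaskEventTrigger CIM instance with an XPath subscription on the Backup log.
$subscription = @"
<QueryList><Query Id="0" Path="Microsoft-Windows-Backup">
  <Select Path="Microsoft-Windows-Backup">*[System[Provider[@Name='Microsoft-Windows-Backup'] and EventID=4]]</Select>
</Query></QueryList>
"@
$class   = Get-CimClass -ClassName MSFT_TaskEventTrigger -Namespace Root/Microsoft/Windows/TaskScheduler
$trigger = New-CimInstance -CimClass $class -ClientOnly -Property @{ Enabled = $true; Subscription = $subscription }

$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$scriptPath`""
# Run as SYSTEM: no stored credentials, and reading the Backup log needs nothing more.
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName 'AD Backup Monitor' -Trigger $trigger -Action $action `
    -Principal $principal -Force | Out-Null
```

Adding the Backup log's failure event IDs to the same XPath Select gives you an alert on failed backups as well, which is the signal that actually needs a human.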

The BitLocker Windows Management Instrumentation (WMI) interface does allow administrators to write a script to back up or synchronize an online client's existing recovery information; however, BitLocker does not automatically manage this process. Joining a computer to the domain should be the first step for new computers within an organization.

Yes, an event log entry that indicates the success or failure of an Active Directory backup is recorded on the client computer. In addition, it is also possible that the log entry could be spoofed.

To identify the latest password, check the date on the object. With these settings configured, if the backup fails, BitLocker cannot be enabled, ensuring that administrators will be able to recover BitLocker-protected drives in the organization. Instead, administrators can create a script for the backup, as described earlier in "What if BitLocker is enabled on a computer before the computer has joined the domain?"



The password hash can be stored only if the TPM is owned and the ownership was taken by using components of Windows 8.

BitLocker recovery password: The recovery password allows you to unlock and access the drive in the event of a recovery incident.

BitLocker key package: The key package helps to repair damage to the hard disk that would otherwise prevent standard recovery.

What if BitLocker is enabled on a computer before the computer has joined the domain?

Has anyone else come across this with Server or have any suggestions what I should be checking? You can then use the defaults, although I also ticked "Do not enable Bitlocker until recovery information is stored". Now for the bit I did differently from my original post.

From a domain admin account open PowerShell and use.


If you now look at the computer object within AD you should see the recovery key. Don't forget to refresh if you've left it open. The next step for me will be to put this into a script that can be used during login to back up the recovery keys for those laptops I've already encrypted. AStaUK, your post here fixed my issue! I have seen it in I could never get them all to show. Even when requiring the key to be stored in AD before BitLocker is allowed to be enabled.

I have only one DC with the Bitlocker schema. When we went to O the Bitlocker schema was wiped out by the exchange schema needed for O on the main DC. I'm working on MBAM now.


The BitLocker Recovery tab is there, but there isn't anything showing in it. Likewise, trying Find BitLocker Recovery Key doesn't find anything. Thanks, that's the process I followed to enable backing up of the recovery key to AD. I think I'm going to set up a couple of VMs within my test environment and see if I get the same result. One thing, although I don't think it's relevant: I've not set the. Also the laptops should be backing up the recovery key to msFVE-RecoveryInformation, which they already have permissions for.

Hi, did you ever end up resolving this? I'm seeing similar behaviour, if not the same thing. Unfortunately no, it's taken a bit of a back burner and I've not really looked at it since my last post. How did you fix the GPO not applying? It's a random occurrence.

AStaUK wrote: This was bugging me so I've been back and taken another look at it, and now have it working.

This is one of the coolest features of the BitLocker Drive Encryption technology for corporate users.

A domain security administrator can monitor the BitLocker recovery keys and passwords manually if the number of computers in the company network is not very large. Group Policies (GPOs) allow you to configure the BitLocker agent on user workstations to back up BitLocker recovery keys from local computers to the related computer objects in Active Directory. Each BitLocker recovery object has a unique name and contains a globally unique identifier for the recovery password and, optionally, a package containing the key.

If the computer object in Active Directory stores several recovery passwords, the name of the data object will contain the password creation date. The name of the BitLocker recovery object is limited to 64 characters. The BitLocker recovery data storage feature is based on an extension of the Active Directory schema that brings additional attributes. Starting from Windows Server, these attributes are available by default, but the feature still requires additional configuration before it works.

The same is applicable on computers running the newest Windows Server build. This feature can be installed from the Server Manager console or using PowerShell: If the BitLocker encrypted drive was configured on some computers earlier, just disable and enable the BitLocker feature for this drive, or copy the recovery key to Active Directory manually using the manage-bde tool. To perform this action you should log on to the workstation under a domain account and have local administrator permissions.
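The scripted backup that the Microsoft text above says administrators must write themselves, and the manual manage-bde copy described here, as one added example that is not code from any of the quoted posts or articles. It uses the BitLocker and ActiveDirectory PowerShell modules instead of raw WMI; it assumes an elevated session on a domain-joined client where the "store recovery information in AD DS" policy applies and the schema already has msFVE-RecoveryInformation.

```powershell
# Added example: add a recovery password where only a TPM protector exists, push every
# recovery password to AD, then read back what AD actually stored. Assumes the BitLocker
# and RSAT ActiveDirectory modules are present; run elevated on the domain-joined client.
Import-Module BitLocker

function Backup-AllRecoveryPasswordsToAD {
    $results = @()
    $volumes = Get-BitLockerVolume | Where-Object { $_.VolumeStatus -ne 'FullyDecrypted' }
    foreach ($vol in $volumes) {
        $mp = $vol.MountPoint
        $rp = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
        if (-not $rp) {
            # Only a TPM protector: AD stores numerical (recovery password) protectors, so add one.
            Add-BitLockerKeyProtector -MountPoint $mp -RecoveryPasswordProtector | Out-Null
            $rp = (Get-BitLockerVolume -MountPoint $mp).KeyProtector |
                  Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
        }
        foreach ($p in $rp) {
            # Same LDAP write as: manage-bde -protectors -adbackup $mp -id $p.KeyProtectorId
            # Success here means the DC this client talked to accepted the object; it still has to
            # replicate before other DCs (and a console pointed at them) show it.
            Backup-BitLockerKeyProtector -MountPoint $mp -KeyProtectorId $p.KeyProtectorId | Out-Null
            $results += [pscustomobject]@{ MountPoint = $mp; KeyProtectorId = $p.KeyProtectorId }
        }
    }
    return $results
}

# Read back the msFVE-RecoveryInformation children of the computer object. Requires a domain
# account delegated read access to the recovery attributes. The object name carries the creation
# timestamp and the password GUID; "Find BitLocker Recovery Password" in ADUC matches on the
# first 8 characters of that GUID.
function Get-ADRecoveryObjects {
    param([string]$ComputerName = $env:COMPUTERNAME)
    Import-Module ActiveDirectory
    $computer = Get-ADComputer -Identity $ComputerName
    Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
        -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
        -Properties 'msFVE-RecoveryPassword', 'whenCreated' |
        Select-Object Name, whenCreated, @{ n = 'Password'; e = { $_.'msFVE-RecoveryPassword' } }
}

Backup-AllRecoveryPasswordsToAD
Get-ADRecoveryObjects
```

If the backup call succeeds but Get-ADRecoveryObjects returns nothing, point the second function at the DC the client used (-Server on Get-ADComputer and Get-ADObject) before suspecting the client; the threads above show the gap was replication delay or a GPO that had not applied yet.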

The operation was not attempted. You can delegate the permissions to view information about BitLocker recovery keys in AD to a certain group of users (for example, security administrators). The same is applicable on computers running the following versions of Windows Server. Posted by Rich June 28: Can more than one OU be set up to allow recovery keys to be written to?

So I've recently taken over a very oddly cobbled together AD. I'd like to add desktops to my list of encrypted devices as they have TPM modules built in.

The licensing expires in a few weeks and I wanted to try and store the Bitlocker keys in AD like at my previous employer. I've added all the features for bitlocker, I can see the bitlocker tab in AD. On the test system I ran the powershell backup script and it succeeded with a "Recovery Information was successfully backed up to Active Directory" but AD does not see it.

I'm not sure if I'm missing something, or if this third party backup agent could be interfering with the actual storage of the key. I even tried the find bitlocker recovery password and put in the first 8 digits and it found nothing.

I have to be able to show that AD is capable of backing up and storing the keys before they will be open to removing the agent based backup and canceling the service. I'm not sure if I missed a step somewhere.


What script did you run? Did you try manually running the manage-bde command? Did you use a run-as account with write access to AD? I think manage-bde is one of those that behaves badly in PS and has to be run from cmd, if memory serves me right. Did you follow any other steps? Does your account have permissions to view the protected information on the BitLocker tab in AD?


Not sure why it took two updates. I had quite the day yesterday of frustrations trying to troubleshoot wireless issues with zero logging and insight into the network I inherited, so I felt like I must be missing something on this. Yes, I think I have it figured out.

The GP update didn't pull the new GPO the first time, and I had a frustrating day yesterday, so I thought I must have missed something since it wasn't working.

Evan Oct 1: Justin wrote: I think manage-bde is one of those that behaves badly in PS and has to be run from cmd, if memory serves me right. Manage-bde works fine in PowerShell. I run it in PowerShell without issue every day.

If you've ever had to perform a recovery of a domain controller or of an entire Active Directory database, then you have no doubt discovered that restoring domain controllers is something of an art form. With Active Directory restorations, it is important that you understand how the restoration process works and that you are aware of the various caveats to the process. A non-authoritative restore restores a single domain controller to its previous state, but then the Active Directory replication process brings that domain controller up to date.

When you perform a non-authoritative restore, you revert a single domain controller to its state at the time of the backup. The Active Directory information from the remaining domain controllers is then used to bring the recently restored domain controller up to date. In these types of situations, the best thing that you can do is to manually reinstall Microsoft Windows, and then join the server to the domain.

Keep in mind that if you are using the same server name, then you will need to clean out the existing Active Directory records for the computer account or reset the computer account before you attempt to join the domain. The last step in the procedure is to designate the server to act as a domain controller. After you do, then your remaining domain controllers will replicate the contents of the Active Directory database to your newly rebuilt domain controller.

Some of these roles exist at the forest level, and others exist at the domain level. It is important that you know which domain controllers these roles have been assigned to, because there are consequences to restoring these domain controllers. Restoring the RID master can sometimes result in Active Directory corruption (this is especially true of Windows), so you should try to avoid restoring the Relative Identifier Master unless you are performing an authoritative Active Directory restoration.

The same can be said of the Schema Master. The Schema Master is responsible for maintaining the Active Directory schema. If you restore the Schema Master, you can end up with orphaned objects or attributes in the Active Directory. You should therefore try to avoid restoring the Schema Master unless you are performing an authoritative restoration.

Transferring Flexible Single Master Operations (FSMO) roles is the preferred method for reassigning the FSMO roles to a different domain controller, but you can only transfer a role if the server that currently holds the role is available and healthy. In situations in which a role holder has failed catastrophically and there is no chance of recovering the server, you will have to seize the role.
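The transfer-first, seize-only-if-dead decision described above, as an added example that is not from the article. It uses the RSAT ActiveDirectory module's Move-ADDirectoryServerOperationMasterRole; the reachability test on LDAP port 389 is this example's own heuristic, and the target DC name is a placeholder you pass in as an FQDN.

```powershell
# Added example: reassign one FSMO role, transferring when the current holder answers and
# seizing (the -Force path) only when it is unreachable. Assumes RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Move-FsmoRoleSafely {
    param(
        [Parameter(Mandatory)][string]$TargetDC,   # FQDN of the DC that should hold the role
        [Parameter(Mandatory)]
        [ValidateSet('PDCEmulator','RIDMaster','InfrastructureMaster','SchemaMaster','DomainNamingMaster')]
        [string]$Role
    )
    $domain = Get-ADDomain
    $forest = Get-ADForest
    # Forest-level roles live on the forest object, domain-level roles on the domain object.
    $holder = switch ($Role) {
        'PDCEmulator'          { $domain.PDCEmulator }
        'RIDMaster'            { $domain.RIDMaster }
        'InfrastructureMaster' { $domain.InfrastructureMaster }
        'SchemaMaster'         { $forest.SchemaMaster }
        'DomainNamingMaster'   { $forest.DomainNamingMaster }
    }
    if ($holder -ieq $TargetDC) {
        Write-Output "$TargetDC already holds $Role"
        return
    }

    # A transfer needs the current holder online; probe LDAP before deciding how to move it.
    $reachable = Test-NetConnection -ComputerName $holder -Port 389 -InformationLevel Quiet `
                    -WarningAction SilentlyContinue
    if ($reachable) {
        Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC -OperationMasterRole $Role -Confirm:$false
        Write-Output "Transferred $Role from $holder to $TargetDC"
    } else {
        # Seizure is the last resort: the old holder must never return still believing it owns
        # the role, or two masters exist and the RID/schema corruption the article warns about follows.
        Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC -OperationMasterRole $Role `
            -Force -Confirm:$false
        Write-Warning "Seized $Role from unreachable $holder; clean up its metadata before any rebuild"
    }
}

# Example call (placeholder name):
# Move-FsmoRoleSafely -TargetDC 'dc02.corp.example' -Role PDCEmulator
```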

Seizing a role should generally be used as a last resort. A Global Catalog server contains a record of every object in the forest. Global catalog failures can have some interesting consequences.

For example, many applications perform Active Directory searches over the global catalog port. These searches will fail if a global catalog server is not present. I have also seen situations in which a global catalog failure prevented all users except for the domain administrator from being able to log in. In other words, make sure that you are backing up at least one global catalog server.