

Troubleshooting: Active Directory Users and Computers Unexpectedly Returns 0 Results when Searching for a BitLocker Recovery Password

Symptoms

You have configured BitLocker to back up the Recovery Password to Active Directory, and you have verified that the backup works. To do so, start the Active Directory Users and Computers (ADUC) MMC with Domain Admin or Enterprise Admin privileges and open the properties of the computer object. On the BitLocker Recovery tab you see the Recovery Password that was backed up successfully.

You now write down the first 8 characters of the Password ID. Then you use these 8 characters to search for the Recovery Password in ADUC via "Find BitLocker Recovery Password".

Result: Your search for "" returned no results.

Expected Result: The search returns 1 hit.

Cause

The ms-FVE-RecoveryGuid attribute is not replicated to the Global Catalog (GC), i.e. it is not a member of the partial attribute set. The ADUC extension "Find BitLocker Recovery Password" queries the GC to locate the recovery information object under the computer account, and a GC search cannot match on an attribute that the GC does not hold, so the search returns nothing even though the password is stored correctly in the domain partition.

Note: You can validate the cause by checking the GC replication status of ms-FVE-RecoveryGuid. Use the Active Directory Schema MMC and open the properties of this attribute. If "Replicate this attribute to the Global Catalog" is unchecked, the attribute is not part of the partial attribute set and is not replicated to the GC.

Note: For the Active Directory Schema snap-in to be available follow the steps on http://technet.microsoft.com/en-us/library/cc755885(WS.10).aspx.

This problem only happens if the Forest Functional Level (FFL) was still Windows 2000 at the time the Active Directory schema was last extended (adprep /forestprep): at that level adprep does not import the PAS.ldf file that adds ms-FVE-RecoveryGuid to the Global Catalog.

Resolution

If you do not have the latest Active Directory schema version, we recommend resolving the problem by raising the Forest Functional Level to higher than Windows 2000 and then deploying the latest schema. When the FFL is 1 or higher, PAS.ldf is imported as part of the "adprep /forestprep" command.

If you already have the latest schema and/or cannot raise the Forest Functional Level, you can also resolve the problem through the manual steps below.
First verify the Global Catalog replication status of these 3 attributes:

ms-PKI-DPAPIMasterKeys
ms-PKI-AccountCredentials
ms-PKI-RoamingTimeStamp

You need to ensure that these 3 attributes are NOT in the Global Catalog. They carry the Credential Roaming (DIMS) data of user accounts; if they are in the GC and the feature is in use, you may see increased replication traffic and a larger GC database on every Global Catalog server.

Corrective Action:

Open an elevated CMD on the Schema Master with Schema Admin privileges and import PAS.ldf (the file ships in the adprep folder of the Windows Server installation media):

C:\Windows\system32>ldifde /i /f PAS.ldf /c "dc=x" "dc=YYY,dc=com"
Note: replace "dc=YYY,dc=com" with the distinguished name of your forest root domain. "dc=x" is the placeholder used inside PAS.ldf; the /c switch rewrites it to your forest name during the import.

Note: you may receive "Add error on line 58: Unwilling To Perform". ldifde applies the entries in order, so the entries before that line (including ms-FVE-RecoveryGuid and ms-FVE-VolumeGuid) are still modified when the error occurs. In case you receive this error, use the Active Directory Schema snap-in to verify that the three attributes listed above are not in the Global Catalog, and that ms-FVE-RecoveryGuid and the other attributes touched by PAS.ldf (see the More Information section) are present in the GC.
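The following PowerShell script is an added example and is not part of the original article or of any Microsoft tool. It automates the two checks above: it reads isMemberOfPartialAttributeSet for the BitLocker and DIMS attributes directly from the schema partition on the schema master, optionally corrects the mismatches (the same change the Schema snap-in's "Replicate this attribute to the Global Catalog" checkbox makes), and then reproduces the ADUC search against a Global Catalog so you can confirm the fix with a real Password ID prefix. It assumes the RSAT ActiveDirectory module is installed, that the account has Schema Admin rights when -Fix is used, and a single-tree forest for the GC search root; the parameter names -Fix and -PasswordId are this script's own.

```powershell
# Added example, not from the original article: audit and repair the partial
# attribute set (PAS) membership that "Find BitLocker Recovery Password"
# depends on, then reproduce the Global Catalog search to verify the result.
[CmdletBinding()]
param(
    [switch]$Fix,          # assumption: write corrections to the schema master
    [string]$PasswordId    # assumption: first 8 chars (or more) of a Password ID
)
Import-Module ActiveDirectory

$rootDse      = Get-ADRootDSE
$schemaNC     = $rootDse.schemaNamingContext
$schemaMaster = (Get-ADForest).SchemaMaster

# Desired GC membership per the article: BitLocker attributes in, DIMS attributes out.
$wanted = @{
    'ms-FVE-RecoveryGuid'       = $true
    'ms-FVE-VolumeGuid'         = $true
    'ms-PKI-DPAPIMasterKeys'    = $false
    'ms-PKI-AccountCredentials' = $false
    'ms-PKI-RoamingTimeStamp'   = $false
}

foreach ($cn in $wanted.Keys) {
    # attributeSchema objects live in the schema partition; always ask the schema master.
    $attr = Get-ADObject -Server $schemaMaster -SearchBase $schemaNC `
        -LDAPFilter "(cn=$cn)" -Properties isMemberOfPartialAttributeSet
    if (-not $attr) { Write-Warning "$cn not found in the schema (schema not extended?)"; continue }

    $inGC = [bool]$attr.isMemberOfPartialAttributeSet
    $ok   = ($inGC -eq $wanted[$cn])
    '{0,-28} inGC={1,-5} wanted={2,-5} {3}' -f $cn, $inGC, $wanted[$cn], $(if ($ok) { 'OK' } else { 'MISMATCH' })

    if (-not $ok -and $Fix) {
        # Equivalent to toggling "Replicate this attribute to the Global Catalog".
        Set-ADObject -Server $schemaMaster -Identity $attr.DistinguishedName `
            -Replace @{ isMemberOfPartialAttributeSet = $wanted[$cn] }
        "  -> corrected on $schemaMaster; wait for schema replication before re-testing"
    }
}

if ($PasswordId) {
    # Reproduce the ADUC search. The first 8 hex characters of the Password ID are
    # the GUID's Data1 field, which is stored little-endian in the msFVE-RecoveryGuid
    # octet string, so the prefix must be byte-reversed and escaped for the LDAP filter.
    $hex   = ($PasswordId -replace '[^0-9A-Fa-f]', '').Substring(0, 8)
    $bytes = [BitConverter]::GetBytes([Convert]::ToUInt32($hex, 16))   # little-endian on Windows
    $esc   = ($bytes | ForEach-Object { '\{0:x2}' -f $_ }) -join ''

    $searcher = [adsisearcher]"(&(objectClass=msFVE-RecoveryInformation)(msFVE-RecoveryGuid=$esc*))"
    # GC:// (port 3268) is what the ADUC extension queries; assumes a single-tree forest.
    $searcher.SearchRoot = [adsi]"GC://$($rootDse.rootDomainNamingContext)"
    $null = $searcher.PropertiesToLoad.Add('distinguishedName')
    $hits = $searcher.FindAll()
    "GC search for Password ID prefix $hex returned $($hits.Count) result(s)"

    foreach ($h in $hits) {
        $dn = $h.Properties['distinguishedname'][0]
        "  $dn"
        # The password itself is not part of the PAS; read it from a DC of the object's
        # own domain (add -Server for an object in another domain of the forest).
        (Get-ADObject -Identity $dn -Properties 'msFVE-RecoveryPassword').'msFVE-RecoveryPassword'
    }
}
```

Run it first without switches to get a report; a MISMATCH on ms-FVE-RecoveryGuid with inGC=False reproduces the cause described above. Run it again with -Fix on a machine that can reach the schema master, or import PAS.ldf as shown, then pass -PasswordId with the 8 characters you wrote down: a GC search that returns 1 result confirms the attribute is now in the partial attribute set on the GC you queried.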

More Information

Sample pas.ldf import:

Connecting to "SAMPLE-DC-NAME.CONTOSO.com"
Logging in as current user using SSPI
Importing directory from file "PAS.ldf"
Loading entries
1: CN=ms-DS-HAB-Seniority-Index,CN=Schema,CN=Configuration,dc=CONTOSO,dc=com
Entry DN: CN=ms-DS-HAB-Seniority-Index,CN=Schema,CN=Configuration,dc=CONTOSO,dc=com
Entry modified successfully.

2: CN=ms-DS-Phonetic-Last-Name,CN=Schema,CN=Configuration,dc=CONTOSO,dc=com
Entry DN: CN=ms-DS-Phonetic-Last-Name,CN=Schema,CN=Configuration,dc=CONTOSO,dc=com
Entry modified successfully.

3: CN=ms-DS-Phonetic-First-Name,CN=Schema,CN=Configuration,dc=CONTOSO,dc=com
Entry DN: CN=ms-DS-Phonetic-First-Name,CN=Schema,CN=Configuration,dc=CONTOSO,dc=com
Entry modified successfully.

4: CN=ms-DS-Phonetic-Department,CN=Schema,CN=Configuration,dc=CONTOSO,dc=com
Entry DN: CN=ms-DS-Phonetic-Department,CN=Schema,CN=Configuration,dc=CONTOSO,dc=com
Entry modified successfully.

5: CN=ms-DS-Phonetic-Display-Name,CN=Schema,CN=Configuration,dc=CONTOSO,dc=com
Entry DN: CN=ms-DS-Phonetic-Display-Name,CN=Schema,CN=Configuration,dc=CONTOSO,dc=com
Entry modified successfully.

6: CN=ms-DS-Phonetic-Company-Name,CN=Schema,CN=Configuration,dc=CONTOSO,dc=com
Entry DN: CN=ms-DS-Phonetic-Company-Name,CN=Schema,CN=Configuration,dc=CONTOSO,dc=com
Entry modified successfully.

7: CN=ms-FVE-VolumeGuid,CN=Schema,CN=Configuration,dc=CONTOSO,dc=com
Entry DN: CN=ms-FVE-VolumeGuid,CN=Schema,CN=Configuration,dc=CONTOSO,dc=com
Entry modified successfully.

8: CN=ms-FVE-RecoveryGuid,CN=Schema,CN=Configuration,dc=CONTOSO,dc=com
Entry DN: CN=ms-FVE-RecoveryGuid,CN=Schema,CN=Configuration,dc=CONTOSO,dc=com
Entry modified successfully.

9: CN=Last-Logon-Timestamp,CN=Schema,CN=Configuration,dc=CONTOSO,dc=com
Entry DN: CN=Last-Logon-Timestamp,CN=Schema,CN=Configuration,dc=CONTOSO,dc=com
Entry modified successfully.

10: CN=ms-PKI-DPAPIMasterKeys,CN=Schema,CN=Configuration,dc=CONTOSO,dc=com
Entry DN: CN=ms-PKI-DPAPIMasterKeys,CN=Schema,CN=Configuration,dc=CONTOSO,dc=com
Add error on line 58: Unwilling To Perform
The server side error is "The search flags for the attribute are invalid. The ANR bit is valid only on attributes of Unicode or Teletex strings."
9 entries modified successfully.
An error has occurred in the program