Bitlocker MBAM question

Silly question.. but I've never done it before.
 
I've got to install Microsoft BitLocker Administration and Monitoring and get it running.  I'm sure someone here has done it before.  I'm curious about the security required.
 
When I'm running the installer, I assume that while installing the servers, I will need to be a local admin on the servers.  But what rights might I need in AD?  For example, when a policy is defined on the template system, does the user need to be a domain admin?  How does the MBAM system get the policies to apply to AD?  I just wasn't sure what rights the person running the installers needs to have.  But I'm guessing he/she needs domain admin.
 
Many thanks!
 
 

When creating a policy you simply need the appropriate rights to create and assign policy.  I am not a domain admin but I am a GPO admin and MBAM admin (we are just now expanding our MBAM POC).  You will need to import the appropriate MBAM policies to AD for the clients t oget MBAM to work properly.
 
Here is a good resource for MBAM, ifyou have not seen it already.
http://technet.microsoft.com/en-us/video/microsoft-bitlocker-administration-and-monitoring-mbam.aspx

Yeah, I've already seen that one.
Since you've installed this.. let me ask this.  If I understand that architecture right, having the MBAM servers on a 'high availability' status isn't that important.  If my servers go down for a bit my MBAM Client will just sit and wait until it can reach the mbam admin site and update it's policies.  It looks like the mbam client works not unlike the sccm client in that it needs to reach the mbam admin systems prior to executing any changes.  Am I correct?  (for example, if the MBAM servers are down, but the machine is on AD and GPO says to encrypt, will it still encrypt immediately or will it wait for the MBAM server to come back up to verify hardware etc is approved?)
 
Also, have you had any problems with people on the road with a MBAM implementation?  (bit locker to go)

MBAM was designed to be fault tolerant when a server is down so when that happens, users aren't prompted for action. 
 
You can also configure the Administration and Monitoring server to use a network load balancing cluster for additional fault tolerance to ensure the web services are available to provide recovery keys in case one needs to be offline. 

That is a good question.  We have not run into that yet, we have only just begun to deploy this.  As to the people on the road, most of the ones we are deploying too are laptops and thus I have not heard of report where it fails in that regard.  The bitlocker to go is for USB removable drives and has no bearing on whether a system is internal or external and we are not implementing that.

Ugh..this was a dupe sorry.  WIN8 and IE 10 hiccup there.

Hi Jeff, 
 
Are there any specific instructions/configurations needed for using a NLB?  I've got everything setup on a single server already but want to move to a NLB setup.  
 
Thanks, 
 
Dustin

Hi Dustin,
 
There are no specific instructions on this out there (yet), but the process is pretty straightforward. You just install the administration and monitoring server bits on the servers that will be in the NLB, configure them to work in an NLB, and then modify the GPO settings to point clients to the NLB name for the MBAM services endpoint. I'm actually planning to blog this process in my lab, but haven't finished it yet. I'll link to that from this series when I'm finished though: myitforum.com/myitforumwp/2012/08/16/how-to-configure-an-nlb-in-hyper-v-part-1/ .