Bitlocker -- Moving machines between AD domains
-
Thursday, June 28, 2012 12:06 PM
I have bitlocker enabled machines joined to a domain
I need to join them to another domain (as part of a business unit divestment project) in a "big bang" approach i.e. no coexistent and no tools (ADMT Quest etc)
just simply join to new domain
what will happen to the bitlocker recovery key – it is already stored in the source AD
my real question I suppose is “is the bitlocker recovery key linked to the source domain in any way, other than storage
can i simply use the manage-bde utility to export/record them or push them back in the target AD (or use GPO,)
I want to avoid a future situation where a recovery key is needed -- but is only recored in the old domain as I will have no access to this moving forward.
hope the above makes sense
All Replies
-
Friday, June 29, 2012 9:11 AMModerator
Hi,
If you delete a computer object from AD, you will also delete the BitLocker Recovery Information which is a child object. But you can utilize cmdlets to store the recovery key to the new AD.
Please refer to the following blog.
Juke Chou
TechNet Subscriber Support
If you are TechNet Subscription user and have any feedback on our support quality, please send your feedbackhere.Juke Chou
TechNet Community Support
- Marked As Answer by Hodgy0_2 Friday, June 29, 2012 9:20 AM
-
Friday, June 29, 2012 9:19 AM
ok thanks
I did a test, and it looks like the recovery key is part of the workstation build and although stored in AD is alspo stored locally on the workstation, so aslong as that is recorded before the machine is moved into the new AD we will be fine
we can then decide whether to store the key in the new AD via GPO
cheers
James
.png)
