Hello,
Your understanding is correct.
When a machine is removed from a domain or added to a new domain, all the
downloaded certificates from Active Directory will be removed and refreshed
if applicable. Certificates that were issued or autoenrolled from a
previous forest will not be removed unless the machine is a domain
controller. All client machines will automatically update certificates when
the domain or machine information changes. When machines or users have
certificates that are required for secure network communications, wireless
communications, and so on, it may be necessary to delete the old
certificates after joining a new domain or forest.
This is described in the following article, snippet "Removal of
Certificates on Domain Join/Change Domain".
Certificate Autoenrollment in Windows Server 2003
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/autoenro.mspx
Therefore, it would be better if you revoke or delete the certificates first
and then disjoin the domain.
If you have further questions, let us get in touch!
Best regards,
Rebecca Chen
MCSE2000 MCDBA CCNA
Microsoft Online Partner Support
--------------------
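An added example, not part of the original post or the linked Microsoft article: a read-only PowerShell inventory of certificates in the machine and user personal stores that were issued by the previous forest's CA, so they can be reviewed before being revoked or deleted. The issuer pattern `OldForest-IssuingCA` and the output file name are placeholder assumptions; a PowerShell version that provides the `Cert:` drive is assumed.

```powershell
# Added example: lists certificates issued by the previous forest's CA.
# It only reads the stores; nothing is revoked or deleted here.
param(
    # Placeholder (assumption): replace with the CN of the old forest's issuing CA.
    [string]$OldIssuerPattern = '*CN=OldForest-IssuingCA*',
    # Personal stores for the computer and for the logged-on user.
    [string[]]$Stores = @('Cert:\LocalMachine\My', 'Cert:\CurrentUser\My')
)

$report = foreach ($store in $Stores) {
    Get-ChildItem -Path $store |
        Where-Object { $_.Issuer -like $OldIssuerPattern } |
        ForEach-Object {
            [pscustomobject]@{
                Store         = $store
                Subject       = $_.Subject
                Issuer        = $_.Issuer
                # The serial number is what the CA administrator needs to revoke it.
                SerialNumber  = $_.SerialNumber
                # The thumbprint identifies the certificate in the local store.
                Thumbprint    = $_.Thumbprint
                NotAfter      = $_.NotAfter
                Expired       = ($_.NotAfter -lt (Get-Date))
                HasPrivateKey = $_.HasPrivateKey
                # Intended purposes, e.g. client authentication used for wireless.
                Usages        = ($_.EnhancedKeyUsageList.FriendlyName -join ', ')
            }
        }
}

if (-not $report) {
    Write-Output "No certificates matching '$OldIssuerPattern' were found."
} else {
    $report | Sort-Object Store, NotAfter | Format-Table -AutoSize
    # Keep a record to hand to the CA administrator of the old forest.
    $report | Export-Csv -Path .\old-forest-certs.csv -NoTypeInformation
}
```

Running it before the machine leaves the old domain gives the serial numbers while the issuing CA is still reachable for revocation.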