Certificate autoenrollment and domain removal

Guest

What happens to the machine certificate of a workstation obtained by
autoenrollment when the workstation is later removed from the domain?

I thought the certificate would be revoked but it does not seem to work that
way. It looks like the certificate is still valid. Does this mean it has to
be revoked manually?

Thanks for your time
 
Rebecca Chen [MSFT]

Hello,

Yes, you need to manually revoke the certificates. The revoke process is
described in the following link:

How To Enable Enrollment of a Certificate Type for a User or Computer
http://www.microsoft.com/technet/security/guidance/secmod179.mspx

Any update, let us get in touch!

Best regards,

Rebecca Chen

MCSE2000 MCDBA CCNA


Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security

=====================================================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
 
Guest

Thanks for your answer Rebecca

Your answer means that if I want to use certificates obtained by
autoenrollment to control access to my network with an IPSec policy or 802.1x
for wired networks, I have to remove a computer from the domain AND revoke
its certificate if I want to deny it access.

Thank you for your time
 
Rebecca Chen [MSFT]

Hello,

Your understanding is correct.

When a machine is removed from a domain or added to a new domain, all the
downloaded certificates from Active Directory will be removed and refreshed
if applicable. Certificates that were issued or autoenrolled from a
previous forest will not be removed unless the machine is a domain
controller. All client machines will automatically update certificates when
the domain or machine information changes. When machines or users have
certificates that are required for secure network communications, wireless
communications, and so on, it may be necessary to delete the old
certificates after joining a new domain or forest.

This is described in the following article, snippet " Removal of
Certificates on Domain Join/Change Domain".

Certificate Autoenrollment in Windows Server 2003
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/autoenro.mspx

Therefore, it would be better you revoke or delete the certificates first
and then disjoin the domain.

Further questions, let us get in touch!

Best regards,

Rebecca Chen

MCSE2000 MCDBA CCNA


Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security

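The procedure the thread arrives at (revoke on the CA, then clean up, then disjoin) as a worked example. This script is added here and is not part of the original thread or of any Microsoft article; it uses only built-in tooling (certutil and the Cert: provider). The CA config string `ca01.contoso.com\Contoso-Issuing-CA`, the workstation name `ws042.contoso.com`, and the assumption that certutil's English row layout (`Serial Number: "..."`) is what gets parsed are all placeholders to adjust for your environment.

```powershell
<#
  Added example (not the thread's or Microsoft's own code).
  Revoke a workstation's autoenrolled machine certificate(s) on the issuing
  enterprise CA, publish a fresh CRL, and remove the certificate(s) from the
  local machine store, in that order, BEFORE the workstation is disjoined.

  Assumptions (placeholders, adjust for your environment):
    $CaConfig  - "CAHost\CAName" config string of the issuing CA
    $Computer  - FQDN that autoenrollment placed in the certificate Subject CN
  Run on the workstation itself, as a user who holds the Certificate Manager
  role on the CA (for -revoke / -CRL) and is a local administrator (for the
  store cleanup). Supports -WhatIf for a dry run.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$CaConfig = 'ca01.contoso.com\Contoso-Issuing-CA',
    [string]$Computer = 'ws042.contoso.com'
)

# --- 1. Enumerate issued certificates for this host in the CA database.
# Disposition=20 restricts the view to issued rows (skips pending, denied,
# and already-revoked entries).
$view = certutil -config $CaConfig -view `
            -restrict "CommonName=$Computer,Disposition=20" `
            -out 'RequestID,SerialNumber,CertificateTemplate,NotAfter' 2>&1 |
        ForEach-Object { "$_" }
if ($LASTEXITCODE -ne 0) { throw "certutil -view failed:`n$($view -join "`n")" }

# certutil prints one block per row, e.g.
#   Request ID: 0x19 (25)
#   Serial Number: "1a000000190c0ffee0..."
#   Certificate Template: "Machine"
# The regex below assumes that (English) layout; serials are hex strings.
$serials = foreach ($line in $view) {
    if ($line -match 'Serial Number:\s*"?([0-9a-fA-F]+)"?') { $matches[1] }
}
if (-not $serials) {
    Write-Warning "No issued certificates with CN=$Computer found on $CaConfig"
}

# --- 2. Revoke each serial. Reason code 5 = Cessation of Operation
# (3 = Affiliation Changed is the other reasonable choice for a leaver).
foreach ($serial in $serials) {
    if ($PSCmdlet.ShouldProcess("CN=$Computer serial $serial", "Revoke on $CaConfig")) {
        certutil -config $CaConfig -revoke $serial 5 | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Revocation of serial $serial failed" }
    }
}

# --- 3. Publish a new CRL. Relying parties (NPS for 802.1X, IPsec peers)
# keep accepting the certificate until they fetch a CRL that lists it.
if ($serials -and $PSCmdlet.ShouldProcess($CaConfig, 'Publish CRL')) {
    certutil -config $CaConfig -CRL | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'CRL publication failed' }
}

# --- 4. Remove the certificate(s) from LocalMachine\My. As the thread notes,
# leaving the domain does not do this for you.
$local = Get-ChildItem Cert:\LocalMachine\My |
         Where-Object { $_.Subject -like "CN=$Computer*" }
foreach ($cert in $local) {
    if ($PSCmdlet.ShouldProcess($cert.Thumbprint, 'Remove from LocalMachine\My')) {
        Remove-Item -Path "Cert:\LocalMachine\My\$($cert.Thumbprint)"
    }
}

# --- 5. Only now disjoin the machine, e.g.:
#   Remove-Computer -UnjoinDomainCredential (Get-Credential) -Force -Restart
```

Two practitioner caveats. First, revocation on the CA is the actual access control: deleting the certificate from the local store (step 4) is hygiene for a cooperative machine, but it does nothing against anyone who already exported the private key, so steps 2 and 3 are the ones that matter for 802.1X or IPsec enforcement. Second, the revocation only bites once the relying parties see it; NPS and IPsec peers cache the CRL until its NextUpdate, so either publish a delta CRL or an OCSP response promptly, or plan for the cached CRL's lifetime when deciding how soon access is really cut off.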