Bitlocker -- Moving machines between AD domains
I have BitLocker-enabled machines joined to a domain. I need to join them to another domain (as part of a business unit divestment project) in a "big bang" approach, i.e. no coexistence and no tools (ADMT, Quest, etc.), just simply join to the new domain. What will happen to the BitLocker recovery key? It is already stored in the source AD. My real question, I suppose, is: is the BitLocker recovery key linked to the source domain in any way, other than storage? Can I simply use the manage-bde utility to export/record them, or push them back into the target AD (or use GPO)? I want to avoid a future situation where a recovery key is needed but is only recorded in the old domain, as I will have no access to this moving forward. Hope the above makes sense.
June 28th, 2012 8:13am

Hi,

If you delete a computer object from AD, you will also delete the BitLocker Recovery Information, which is a child object. But you can utilize cmdlets to store the recovery key to the new AD. Please refer to the following blog: http://blogs.technet.com/b/arnaud_jumelet/archive/2010/11/12/how-to-regenerate-the-bitlocker-numerical-recovery-password.aspx

Juke Chou
TechNet Community Support
June 29th, 2012 5:19am

OK, thanks. I did a test, and it looks like the recovery key is part of the workstation build and, although stored in AD, is also stored locally on the workstation. So as long as that is recorded before the machine is moved into the new AD we will be fine; we can then decide whether to store the key in the new AD via GPO.

Cheers,
James
June 29th, 2012 5:27am
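The two-step procedure the thread settles on (record each volume's recovery password locally before the machine leaves the source domain, then escrow the same protector into the target domain once joined) can be scripted. The following is an added example, not code from the thread or from the linked blog. It assumes the BitLocker PowerShell module (Windows 8 / Server 2012 or later; on Windows 7 the equivalent `manage-bde` commands are given in the comments), that it runs elevated, and that the escrow share path is a placeholder you replace with a location whose ACL is restricted to the divestment team, since the CSV it writes contains recovery passwords in clear text. The AD-side verification uses the ActiveDirectory module and the standard `msFVE-RecoveryInformation` object class that BitLocker escrow creates under the computer object.

```powershell
# Added example (not from the original thread). Run elevated.
# Phase 1 (on the OLD domain, before the move): record recovery passwords offline.
# Phase 2 (on the NEW domain, after the join and once the "Store BitLocker
#          recovery information in AD DS" policy is applied): escrow them again.
param(
    # Hypothetical escrow location; restrict its ACL to the divestment team.
    [string]$ExportPath = "\\fileserver\bitlocker-escrow\$env:COMPUTERNAME.csv",
    [switch]$BackupToAD,   # set after the join to the new domain
    [switch]$VerifyInAD    # requires the ActiveDirectory module (RSAT)
)

# Collect every numerical (48-digit) recovery password protector on every volume.
# manage-bde equivalent: manage-bde -protectors -get <drive>
$records = foreach ($vol in Get-BitLockerVolume) {
    foreach ($kp in ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
        [pscustomobject]@{
            Computer         = $env:COMPUTERNAME
            MountPoint       = $vol.MountPoint
            KeyProtectorId   = $kp.KeyProtectorId
            RecoveryPassword = $kp.RecoveryPassword
        }
    }
}

if (-not $records) {
    Write-Warning "No recovery password protectors found; nothing to escrow."
    return
}

# Phase 1: offline record. The protector lives in the volume metadata, not in AD,
# so it survives the domain move unchanged; AD only holds a copy.
$records | Export-Csv -Path $ExportPath -NoTypeInformation
Write-Host ("Recorded {0} recovery password(s) to {1}" -f @($records).Count, $ExportPath)

# Phase 2: escrow each protector into the domain the machine is joined to NOW.
# manage-bde equivalent: manage-bde -protectors -adbackup <drive> -id <KeyProtectorId>
if ($BackupToAD) {
    foreach ($r in $records) {
        Backup-BitLockerKeyProtector -MountPoint $r.MountPoint -KeyProtectorId $r.KeyProtectorId
        Write-Host ("Escrowed protector {0} for {1}" -f $r.KeyProtectorId, $r.MountPoint)
    }
}

# Optional check: confirm the new domain actually holds a recovery object per protector.
if ($VerifyInAD) {
    Import-Module ActiveDirectory
    $computerDn = (Get-ADComputer -Identity $env:COMPUTERNAME).DistinguishedName
    $inAD = Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
                         -SearchBase $computerDn -Properties msFVE-RecoveryGuid
    # msFVE-RecoveryGuid is stored as a byte array; compare against the protector GUIDs.
    $adGuids = $inAD | ForEach-Object { ([guid]$_.'msFVE-RecoveryGuid').ToString('B') }
    foreach ($r in $records) {
        $present = $adGuids -contains $r.KeyProtectorId.ToLower()
        Write-Host ("{0} {1}: {2}" -f $r.MountPoint, $r.KeyProtectorId, $(if ($present) { 'in AD' } else { 'MISSING from AD' }))
    }
}
```

Run it once with no switches on the old domain to produce the offline record, and again with `-BackupToAD -VerifyInAD` after the join; the verification step is what catches the failure mode the original poster was worried about, a key that exists on the disk and in the old forest but was never written to the new one. Once the new domain holds every protector, the CSV should be destroyed or moved into whatever vault the new organisation uses for recovery material.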

