Troubleshooter: Moving Certificates While Migrating Users to Win2K and Later

We use Windows 2000's Certificate Services to issue X.509 V3 certificates to our users so that they can send and receive Secure MIME (S/MIME) mail in Outlook. We're planning to migrate some users from a Windows NT 4.0 domain to Win2K. How can we move their certificates?

The OS typically stores a user's certificate in a protected storage container in the user profile. The certificate for a user with a roaming profile follows the user—typically something you want to happen because the certificate isn't usable without the user's certificate password. However, you'll hit a snag if you migrate such users from NT 4.0 to Win2K or later because the Microsoft Active Directory Migration Tool (ADMT) can't move the certificates in the roaming profiles. Also, the protected storage service can't tell that such a user's new account SID is the same as the old one because the service doesn't know about the SID history that ADMT creates. Accordingly, if you use ADMT to migrate user accounts, the users won't be able to access the certificates after the migration. No workaround to this problem exists, although (depending on how users have chosen to secure their local protected storage container) you might be able to export the certificates and reimport them to the new account.