Expired Certificate on W2k3 affecting Encrypting and Recovery Poli

E

Eager Learner

BACKGROUND:

Environment: W2k3 running AD not running Certificate Authority (CA)
Clients: Windows XP

The certificates I have on my W2k3 which is running AD expired on 7/6/2007.
It was bought to my attention when our users were unable to encrypt and
decrypt their files. Therefore, when I logon as a domain admin or user I
cannot encrypt on any computer on the domain.

The error I get is:

"Recovery policy configured for this system contains invalid recovery
certificate"

I go to the W2k3 server and go to Certmgr.msc. Attempt to request for the
certificate from Certificates>Personal folder but it indicates I need a
Certificate Authority. When I attempt to renew it indicates it does not
contain enough information to renew.

Furthermore, all my users who have encrypted their files prior to the
certificate expiring cannot save or open any of their documents in the
encrypted folder. However, I did backup the PFX that is specific to their
profile so I hope I can recover.

One other thing is one of my admin deleted the (Recovery Agent. Looks like
a certificate? )from the Default Domain Policy in Public Key
Policy>Encrypting File System. It is .CER file which I cannot re-create. I
hope this does not affect my recovery?

Question:

1. With that said. My short term goal here is to have update the
certificate so our users can encrypt. Or be able to encrypt without
encounter the error above.

2. Will deleting the recovery agent from the policy affect me. How do I
recreate a new recovery agent? Does it have to be on the server where my AD
is residing?

3. What is the proper way to setup EFS? I have a feeling my way is the
long way. So I keep a certificate for every laptop the users encrypts their
My Document folder. I want only one master key to recover the encrypted file.

Any help would be greatly appreciated by this newbie.
 
D

Dragos CAMARA

hi,
it seems you dont have a CA on your domain. here is a link with what you
have to do :
http://support.microsoft.com/kb/937536

if the recovery agent it was deleted for sure it will affect you.

it' better to have a CA instaled on your domain
--
Dragos CAMARA
MCSA Windows 2003 server


"Eager Learner" wrote:

> BACKGROUND:
>
> Environment: W2k3 running AD not running Certificate Authority (CA)
> Clients: Windows XP
>
> The certificates I have on my W2k3 which is running AD expired on 7/6/2007.
> It was bought to my attention when our users were unable to encrypt and
> decrypt their files. Therefore, when I logon as a domain admin or user I
> cannot encrypt on any computer on the domain.
>
> The error I get is:
>
> "Recovery policy configured for this system contains invalid recovery
> certificate"
>
> I go to the W2k3 server and go to Certmgr.msc. Attempt to request for the
> certificate from Certificates>Personal folder but it indicates I need a
> Certificate Authority. When I attempt to renew it indicates it does not
> contain enough information to renew.
>
> Furthermore, all my users who have encrypted their files prior to the
> certificate expiring cannot save or open any of their documents in the
> encrypted folder. However, I did backup the PFX that is specific to their
> profile so I hope I can recover.
>
> One other thing is one of my admin deleted the (Recovery Agent. Looks like
> a certificate? )from the Default Domain Policy in Public Key
> Policy>Encrypting File System. It is .CER file which I cannot re-create. I
> hope this does not affect my recovery?
>
> Question:
>
> 1. With that said. My short term goal here is to have update the
> certificate so our users can encrypt. Or be able to encrypt without
> encounter the error above.
>
> 2. Will deleting the recovery agent from the policy affect me. How do I
> recreate a new recovery agent? Does it have to be on the server where my AD
> is residing?
>
> 3. What is the proper way to setup EFS? I have a feeling my way is the
> long way. So I keep a certificate for every laptop the users encrypts their
> My Document folder. I want only one master key to recover the encrypted file.
>
> Any help would be greatly appreciated by this newbie.
>
 
Back
Top Bottom