Eager Learner
BACKGROUND:
Environment: W2k3 running AD not running Certificate Authority (CA)
Clients: Windows XP
The certificates I have on my W2k3 which is running AD expired on 7/6/2007.
It was brought to my attention when our users were unable to encrypt and
decrypt their files. Therefore, when I log on as a domain admin or user I
cannot encrypt on any computer on the domain.
The error I get is:
"Recovery policy configured for this system contains invalid recovery
certificate"
I go to the W2k3 server and open Certmgr.msc. I attempt to request the
certificate from Certificates > Personal, but it indicates I need a
Certificate Authority. When I attempt to renew, it indicates it does not
contain enough information to renew.
Furthermore, all my users who have encrypted their files prior to the
certificate expiring cannot save or open any of their documents in the
encrypted folder. However, I did backup the PFX that is specific to their
profile so I hope I can recover.
One other thing: one of my admins deleted the Recovery Agent (looks like
a certificate?) from the Default Domain Policy in Public Key
Policy > Encrypting File System. It is a .CER file which I cannot re-create. I
hope this does not affect my recovery?
Question:
1. With that said, my short-term goal here is to update the
certificate so our users can encrypt, or be able to encrypt without
encountering the error above.
2. Will deleting the recovery agent from the policy affect me? How do I
recreate a new recovery agent? Does it have to be on the server where my AD
is residing?
3. What is the proper way to set up EFS? I have a feeling my way is the
long way. So far I keep a certificate for every laptop whose users encrypt their
My Documents folder. I want only one master key to recover the encrypted files.
Any help would be greatly appreciated by this newbie.
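The following is an added example for the situation described in the post above; it is not the poster's procedure and not code supplied by Microsoft. It shows the steps a practitioner would script around questions 1 and 2: generate a fresh Data Recovery Agent (DRA) key pair with cipher.exe /r, check the resulting .cer for expiry and the File Recovery EKU before adding it to the Default Domain Policy, re-stamp each client's encrypted files with cipher.exe /u once the policy applies, and restore a user's backed-up PFX into their personal store. All paths, the EFS-DRA base name, the PFX file name and the Test-DraCertificate / Restore-UserEfsKey function names are assumptions introduced here; cipher.exe /r and /u and gpupdate.exe are the stock Windows XP / Server 2003 tools, and the PFX import relies on the .NET 2.0 X509 classes available once PowerShell is installed on the machine.

```powershell
# Added example, not the original poster's procedure. Assumptions (not in the post):
# the folder C:\efs-recovery and the base name EFS-DRA are placeholders; cipher.exe /r
# and /u and gpupdate.exe are the stock XP / Server 2003 tools; the PFX import uses the
# .NET 2.0 X509 classes, so PowerShell must be installed where it runs.

$draBase = 'C:\efs-recovery\EFS-DRA'   # placeholder; cipher writes EFS-DRA.cer and EFS-DRA.pfx
New-Item -ItemType Directory -Force -Path (Split-Path $draBase) | Out-Null

# Step 1 (any domain-joined machine, logged on as the account that will be the recovery agent;
# it does not have to be the domain controller): create a new self-signed DRA key pair.
# cipher prompts for a password that protects the .pfx. The .cer is what goes into the GPO
# (Public Key Policies > Encrypting File System > Add Data Recovery Agent); the .pfx is the
# single master recovery key and belongs offline, not on a laptop.
& cipher.exe "/r:$draBase"

# Step 2: inspect the generated public certificate before importing it into the policy.
# It must be unexpired and carry the File Recovery EKU (OID 1.3.6.1.4.1.311.10.3.4.1);
# a certificate without that EKU produces the same "invalid recovery certificate" error.
function Test-DraCertificate {
    param([string]$CerPath)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
    $hasFileRecovery = $false
    foreach ($ext in $cert.Extensions) {
        if ($ext.Oid.Value -eq '2.5.29.37') {            # Extended Key Usage extension
            foreach ($usage in $ext.EnhancedKeyUsages) {
                if ($usage.Value -eq '1.3.6.1.4.1.311.10.3.4.1') { $hasFileRecovery = $true }
            }
        }
    }
    New-Object PSObject -Property @{
        Subject         = $cert.Subject
        NotAfter        = $cert.NotAfter
        Expired         = ($cert.NotAfter -lt (Get-Date))
        FileRecoveryEku = $hasFileRecovery
        Thumbprint      = $cert.Thumbprint
    }
}
$check = Test-DraCertificate -CerPath "$draBase.cer"
$check
if ($check.Expired -or -not $check.FileRecoveryEku) {
    throw "Do not add $draBase.cer to the policy: Expired=$($check.Expired) FileRecoveryEku=$($check.FileRecoveryEku)"
}

# Step 3 (each XP client, logged on as the user who owns the encrypted files, after the .cer
# has been added to the Default Domain Policy): pull the new policy and rewrite the recovery
# field of every encrypted file so the new DRA can decrypt it. cipher /u reports an error for
# files the user can no longer decrypt and leaves them as they are; those still need the
# user's own PFX (step 4) or the old DRA's private key.
& gpupdate.exe /force
& cipher.exe /u /n      # dry run: list encrypted files, change nothing
& cipher.exe /u         # re-stamp with the current user key and the DRA now in policy

# Step 4 (optional, for a user whose PFX was backed up): restore the user's own EFS key into
# their personal store so their existing files open again. Assumption: importing with
# PersistKeySet into CurrentUser\My is enough for EFS to locate the key; the path is a placeholder.
function Restore-UserEfsKey {
    param([string]$PfxPath, [string]$Password)
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'UserKeySet,PersistKeySet,Exportable'
    $pfx = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $PfxPath, $Password, $flags
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'My', 'CurrentUser'
    $store.Open('ReadWrite')
    $store.Add($pfx)
    $store.Close()
    $pfx.Thumbprint          # returned so the caller can confirm which key was restored
}
# Restore-UserEfsKey -PfxPath 'C:\efs-recovery\jdoe-efs.pfx' -Password (Read-Host 'PFX password')
```

Two points the script is built around: the recovery agent is just a certificate plus private key, so a deleted .cer in the GPO is replaced by generating a new pair and adding the new .cer, and the old DRA's .pfx (if it still exists) is the only thing that can recover files stamped before the change; and cipher /u only helps for files the logged-on user can still decrypt, which is why the user PFX backups the poster kept matter more than the expired DRA certificate itself.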