Re: Domain EFS Recovery Agent

From: Brian Komar [MVP] (bkomar_at_nospam.identit.ca)
Date: 09/21/05

Next message: Steven L Umbach: "Re: Secure File Transfers"
Previous message: Charles Blair: "Domain EFS Recovery Agent"
In reply to: Charles Blair: "Domain EFS Recovery Agent"
Next in thread: Charles Blair: "Re: Domain EFS Recovery Agent"
Reply: Charles Blair: "Re: Domain EFS Recovery Agent"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Tue, 20 Sep 2005 18:16:58 -0500

In article <uBBZxRjvFHA.3932@TK2MSFTNGP15.phx.gbl>,
charles_blair@hotmail.com says...
> I have the unfortunate priveledge to be placed in a situation where the
> first DC within a domain has been removed before the EFS recovery agent
> certificate was exported.
>
> There are no backups of the original DC.
>
> Fortunately, EFS was not used in the domain, so there is not data loss, but
> I do want to get the domain EFS recovery agent working again.
>
> The only lead I have found is in the following link and I just want to
> validate if the procedure will work in a Windows 2003 domain.
>
> http://groups.google.com/group/microsoft.public.win2000.security/browse_thre
> ad/thread/3b0de0ea8c694253/bc975e764e0fbc04?lnk=st&q=Reinitialize+the+EDRP&r
> num=1&hl=en#bc975e764e0fbc04
>
> TIA
>
> Charles
>
>
>
You can simply run cipher /R:filename at a Windows XP or Windows Server
2003 computer, and then import the filename.CER file into the EFS
Recovery Agent GPO, and protect the filename.pfx file for any recovery
attempts.

Alternatively, deploy a PKI and request an EFS REcovery Agent
certificate. Again, import the certificate into the EFS Recovery Agent
GPO (at the domain is best), and then export the certificate as a PKCS#
12 file (.pfx) and protect it

Brian

Next message: Steven L Umbach: "Re: Secure File Transfers"
Previous message: Charles Blair: "Domain EFS Recovery Agent"
In reply to: Charles Blair: "Domain EFS Recovery Agent"
Next in thread: Charles Blair: "Re: Domain EFS Recovery Agent"
Reply: Charles Blair: "Re: Domain EFS Recovery Agent"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

Re: Domain EFS Recovery Agent
... Thanks for the help Brian ... Charles ... >> certificate was exported. ... >> I do want to get the domain EFS recovery agent working again. ...
(microsoft.public.win2000.security)
Re: problem with EFS Recovery agent
... Did you verify that the certificate you think is the EFS Recovery agent has the same thumbprint as the output states? ... > unable to recover file with this certificate... ...
(microsoft.public.security)
Re: problem with EFS Recovery agent
... i have deployed many certificates for my users and the efs recovery agnet ... of crypted data with my begening "efs recovery agent" certificate. ... unable to recover file with this certificate... ...
(microsoft.public.security)
Re: WSE 3.0 with Microsoft Certificate Services
... Once I get to the Advanced Certificate Request page, ... I do have a list of templates that ... EFS Recovery Agent ... Regardless of which template is selected, I do not get an option to select ...
(microsoft.public.dotnet.framework.webservices.enhancements)
EFS recovery agent
... Is it possible to create a new EFS recovery agent ... certificate on a W2K machine that is in an NT4 domain ... default for the machine administrator. ...
(microsoft.public.win2000.security)