Re: Data Recovery Agent exspired in Windows 2003 AD



I know this works for W2003 but not sure on W2K but you could try running
the command certutil -cainfo on it to find out details as shown in the
example below for CA type.

E:\Documents and Settings\Administrator>certutil -cainfo
Exit module count: 1
CA name: MP3
Sanitized CA short name (DS name): MP3
CA type: 0 -- Enterprise Root CA
ENUM_ENTERPRISE_ROOTCA -- 0

The book you bought is outstanding and should get you well on your way to
setting up your new CA. Keep in mind that if you install your enterprise CA
on Windows 2003 Enterprise instead of Windows Standard you will have many
more options to manage your PKI such as configurable version 2 certificate
templates, the ability to have autoenrollment for user certificates, and be
able to archive private keys used for encryption such as those used for EFS.
Having said that you will do fine implementing EFS if you have to use
Windows 2003 Standard as users still will automatically get EFS certificates
from the CA assuming everything is configured correctly. Until you get the
book the links below may help. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;EN-US;223316
http://www.microsoft.com/windowsserver2003/technologies/pki/default.mspx
http://technet2.microsoft.com/WindowsServer/en/Library/d2ff1315-1712-48e4-acdc-8cae1b593eb11033.mspx?mfr=true
--- see designing a public key infrastructure
http://www.microsoft.com/technet/prodtechnol/winxppro/support/dataprot.mspx
http://www.microsoft.com/technet/security/topics/cryptographyetc/efs.mspx

"Bendji" <Bendji@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:F6938146-A531-4179-8087-AF15E1C3208F@xxxxxxxxxxxxxxxx
Hi Steven,

Thanks for the answer and suggestions.

To be honest, I haven't figured out where I can see if the CA is an
enterprise CA for the domain. It's an old CA running Windows 2000. It's a
member of the domain, but that's about all I know about it.

To be honest I'm playing with the thought of removing it from AD and installing a
new Windows 2003 Enterprise CA and designing it correctly (if I can figure out
how to do that *grins*).

I've just ordered "Microsoft® Windows Server™ 2003 PKI and Certificate
Security" by Brian Komar, since my understanding of PKI is only basic and I
need a bit more.

That's also the reason why I'm in doubt about the present situation. But I
would very much like a real EFS design with recovery agents etc.

So if you have a link to some good guides I would very much appreciate it.

Yours Sincerely,
Benjamin

"Steven L Umbach" wrote:

Is your CA an enterprise CA?? If it is you should be able to log on to a
known secure domain computer as a domain administrator and request a new
Recovery Agent Certificate via the MMC snap-in for certificates for user and
then go to the personal/certificates folder, right click, select all
tasks - request certificate. If that works you can export the RA certificate
[not including private key] to a .cer file and then import that into your
Group Policy PKI setting for EFS. Also you would then want to export the RA
certificate and private key to a password protected .pfx file on offline
media and store it in a couple of very secure places, and you may want to delete it
from the computer you generated it on. --- Steve
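The steps Steve lists (find the recovery agent certificate, export the public part to a .cer for the Group Policy EFS setting, and back up the key pair to a password-protected .pfx) as an added PowerShell example; this is not code from the thread. It assumes a later Windows with the PKI module (Export-Certificate / Export-PfxCertificate), that the RA certificate was already requested into the current user's personal store, and placeholder output paths.

```powershell
# Added example: locate the EFS Data Recovery Agent certificate in the current
# user's personal store, report whether it has expired, and export it as Steve
# describes. Assumed: PKI module available, cert already requested, paths below are placeholders.

$FileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'   # EKU "File Recovery" carried by an EFS DRA certificate
$CerPath = 'C:\dra-export\efs-dra.cer'           # placeholder: public cert for the GPO EFS policy
$PfxPath = 'C:\dra-export\efs-dra.pfx'           # placeholder: key backup, to be moved to offline media

function Get-DraCertificate {
    # Return every certificate whose Enhanced Key Usage extension (OID 2.5.29.37)
    # contains the File Recovery purpose.
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $eku = $_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $FileRecoveryOid })
    }
}

$certs = @(Get-DraCertificate)
if ($certs.Count -eq 0) {
    Write-Warning 'No File Recovery certificate found; request one from the enterprise CA first.'
    return
}

# Report each DRA certificate, flagging expired ones (the situation in this thread).
foreach ($c in $certs) {
    $status = if ($c.NotAfter -lt (Get-Date)) { 'EXPIRED' } else { 'valid' }
    '{0}  {1}  expires {2:yyyy-MM-dd}  {3}' -f $c.Thumbprint, $c.Subject, $c.NotAfter, $status
}

# Pick the newest unexpired certificate that still has its private key.
$cert = $certs |
    Where-Object { $_.NotAfter -gt (Get-Date) -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) {
    Write-Warning 'No unexpired DRA certificate with a private key to export.'
    return
}

New-Item -ItemType Directory -Force -Path (Split-Path $CerPath) | Out-Null

# Public certificate only: this is what gets added as the recovery agent in Group Policy.
Export-Certificate -Cert $cert -FilePath $CerPath -Type CERT | Out-Null

# Certificate plus private key, password protected: keep on offline media, then
# remove the private key from this machine (certmgr.msc / certutil -delstore).
$pw = Read-Host -AsSecureString 'Password for the .pfx backup'
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $pw | Out-Null
```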


"Bendji" <Bendji@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:DF31AAE2-B91C-40DB-B867-D16E0D771EEB@xxxxxxxxxxxxxxxx
Greetings all,

Thanks for a great forum with a lot of knowledge. Hope I one day have the
time to search it through and read all the interesting articles.

But back to the topic. I've recently got the task to figure out a way to
encrypt the company's data on laptops. My first thought was to wait for
Vista with BitLocker, but that's too far away on the horizon.

So I decided to use the built-in EFS in Windows.
I tried to right-click on a folder and select advanced and then encrypt, but
did receive the following error:

An error...Recovery policy configured for this system contains invalid
recovery certificate.

I did enter rsop.msc on the client and looked under "Computer
configuration"-->"Windows settings"-->"Public Key Policies"-->"Encrypting
File System", and here I find an old default certificate, which is no
longer valid. It's issued to "Administrator" and by the "Administrator", so
it's probably the default one from when the AD was created.

If I enter Active Directory Users and Computers and enter the "default
domain policy" and look under the above "road" I can see that it's here
the certificate gets distributed.

Now my problem is that I want people to be able to encrypt files again using
EFS, but I also want us "the company/administrators" to be able to decrypt
the files if an employee leaves. Any suggestions on how I create/renew the
setup?

The network consists of 3 AD servers running Windows 2003. We also have an
old CA running Windows 2000 which is a member of the domain (but no real
PKI atm).

Is there an easy way to make 2 recovery agents and distribute them in AD,
so the users can encrypt files? And so that the administrators can recover
encrypted files if a profile is lost etc.

Thanks in advance for any replies or links to places where I can find any
knowledge about this topic.

I've looked a bit at the following, which explains a bit about it, except
the default administrator certificate which is expired in a domain.
http://www.atlguide2000.com/windowsxp/index.php?act=view&aid=114

Btw any suggestions on a good Windows Certificate book would be
appreciated. One that tells the basics and then how to make full use of it in
a Windows 2003 environment with Exchange 2003 and ISA 2004. Always nice to
have something to read in the spare time.

Yours Sincerely,
Benjamin
