Create New Recovery Agent Without Domain CA

chad

I changed the name of the default domain administrator
account for our win2k domain from say adminA to adminB.
Though the new name is adminB, the name of the EFS
recovery agent is still at adminA. We do not have an
enterprise CA installed. I tried to add the adminB
account as a recovery agent, but got an error saying the
keys were not available. Could anyone explain how to
change the recovery agent on a domain without an
enterprise CA installed?
 
Steven L Umbach

I would just go ahead and install an Enterprise CA. It takes about twenty
minutes to do. I don't know of a reliable way to do it otherwise. The link
below explains how to do it for a non domain computer if you want to give it
a shot on a domain controller logged on as the domain administrator.
Otherwise Drew from Microsoft will probably weigh in on this question.
---
Steve

http://support.microsoft.com/?kbid=257705
http://www.microsoft.com/windows2000/techinfo/planning/security/casetupsteps.asp
 
Drew Cooper [MSFT]

Hi! I'm Drew from Microsoft. :)

If you have an XP Pro or Server 2003 machine somewhere, the easiest way to
generate a new RA keypair is with "cipher /r". I don't think we backported
that to Win2k.

The next easiest way is in the KB article Steven linked to.

If that's not an option, it's time to talk to a CA. Even twenty minutes is
about 15 minutes longer than either of the two options above. And there's
minimal value at best in requesting the RA keypair from a CA.
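A worked version of the "cipher /r" route Drew describes, added here as an example; it is not part of his reply and not a Microsoft tool. It assumes PowerShell is available on the XP Pro / Server 2003 (or later) box where you run cipher, that the output base name and the GPO path in the final messages are your own choices, and that cipher /r will prompt interactively for the password protecting the .pfx. The script generates the recovery agent keypair and then checks that the public certificate actually carries the File Recovery enhanced key usage before you publish it as a Data Recovery Agent.

```powershell
# Added example (not from the thread): generate a new EFS Data Recovery Agent
# keypair with "cipher /r" and verify the certificate before publishing it.
param(
    # Assumed output name; cipher writes <BaseName>.cer and <BaseName>.pfx here.
    [string]$BaseName = "EFS-DRA-$(Get-Date -Format yyyyMMdd)"
)

$ErrorActionPreference = 'Stop'

# cipher /r:<basename> creates the self-signed RA certificate (.cer) and the
# certificate plus private key (.pfx). It prompts for a .pfx password.
& cipher.exe "/r:$BaseName"
if ($LASTEXITCODE -ne 0) {
    throw "cipher /r failed with exit code $LASTEXITCODE"
}

$cerPath = Join-Path (Get-Location) "$BaseName.cer"
$pfxPath = Join-Path (Get-Location) "$BaseName.pfx"

# Load the public certificate and collect its Enhanced Key Usage OIDs.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath
$ekuOids = @()
foreach ($ext in $cert.Extensions) {
    if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
        $ekuOids += $ext.EnhancedKeyUsages | ForEach-Object { $_.Value }
    }
}

# 1.3.6.1.4.1.311.10.3.4.1 is the Microsoft "File Recovery" EKU. The EFS
# policy snap-in only accepts certificates with this usage as recovery agents.
$fileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'
if ($ekuOids -notcontains $fileRecoveryOid) {
    throw "$cerPath lacks the File Recovery EKU; do not publish it as a DRA."
}

Write-Host "Subject:     $($cert.Subject)"
Write-Host "Thumbprint:  $($cert.Thumbprint)"
Write-Host "Valid:       $($cert.NotBefore) .. $($cert.NotAfter)"
Write-Host "Public cert: $cerPath"
Write-Host "  -> add it under the domain GPO's Public Key Policies as a Data Recovery Agent"
Write-Host "Private key: $pfxPath"
Write-Host "  -> store offline; the recovery key should not stay on the domain controller"
```

Only the .cer goes into Group Policy; the .pfx holds the key that can decrypt every EFS file in the domain, so keep it on removable media and import it only when a recovery is actually needed. Existing files keep the old adminA recovery entry until they are next re-encrypted (cipher /u walks a volume and refreshes the recovery fields against the current policy).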
 