Domain EFS Recovery Agent

Charles Blair

I have the unfortunate privilege to be placed in a situation where the
first DC within a domain has been removed before the EFS recovery agent
certificate was exported.

There are no backups of the original DC.

Fortunately, EFS was not used in the domain, so there is no data loss, but
I do want to get the domain EFS recovery agent working again.

The only lead I have found is in the following link and I just want to
validate if the procedure will work in a Windows 2003 domain.

http://groups.google.com/group/microsoft.public.win2000.security/browse_thread/thread/3b0de0ea8c694253/bc975e764e0fbc04?lnk=st&q=Reinitialize+the+EDRP&rnum=1&hl=en#bc975e764e0fbc04

TIA

Charles
 

Brian Komar [MVP]

You can simply run cipher /R:filename at a Windows XP or Windows Server
2003 computer, and then import the filename.CER file into the EFS
Recovery Agent GPO, and protect the filename.pfx file for any recovery
attempts.

Alternatively, deploy a PKI and request an EFS Recovery Agent
certificate. Again, import the certificate into the EFS Recovery Agent
GPO (at the domain is best), and then export the certificate as a PKCS#12
file (.pfx) and protect it.

Brian
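
The cipher /R route from the reply above, followed by two checks an administrator would want before importing the certificate into the GPO. This is an added example, not part of either post. It assumes PowerShell and icacls are available on the workstation, and `dra` is a placeholder base name for the output files.

```powershell
# Added example. 'dra' is a placeholder base name; cipher /R writes
# dra.cer (public certificate) and dra.pfx (certificate + private key)
# into the current directory and prompts for the PFX password.
cipher /R:dra

# EKU that marks a certificate as an EFS File Recovery certificate.
$fileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'

# Load the public certificate that will be imported into the GPO.
$cerPath = (Resolve-Path .\dra.cer).Path
$cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $cerPath

# Collect the Enhanced Key Usage OIDs carried by the certificate.
$ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
$eku  = $cer.Extensions | Where-Object { $_ -is $ekuType }
$oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })

# Stop here if the certificate cannot act as a recovery agent.
if ($oids -notcontains $fileRecoveryOid) {
    throw 'dra.cer does not carry the File Recovery EKU; do not import it into the GPO.'
}

# Record these with the PFX so the matching key can be found years later
# and the certificate can be renewed in the GPO before it expires.
'Subject    : {0}' -f $cer.Subject
'Thumbprint : {0}' -f $cer.Thumbprint
'Expires    : {0:u}' -f $cer.NotAfter

# The .cer must never contain the private key; only the .pfx should.
if ($cer.HasPrivateKey) {
    throw 'dra.cer unexpectedly has a private key attached.'
}

# Interim protection for the PFX until it is moved off the machine:
# drop inherited ACEs and leave read access for the current user only.
$me = '{0}\{1}' -f $env:USERDOMAIN, $env:USERNAME
icacls .\dra.pfx /inheritance:r /grant:r "${me}:(R)"
```

The thumbprint printed here is the value to compare against the recovery agent certificate listed in the GPO after the import.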
 
