How to add EFS data recovery agents on Windows 2000 workgroup server

Klaus

Looking for information to add a 2nd EFS recovery agent
(non-administrator account) to a Windows 2000 standalone server.

Having troubles creating a valid .cer file in Windows 2000, that is
required when running the W2K recovery agent wizard via MMC Local
group policy interface (local computer policy > windows settings >
security settings > public key policies > encrypted data recovery
agent).

Is there an equivalent "cipher /r" (used in Windows 2003) command that
I can use in Windows 2000 to create a .cer file?

Using the MMC Certificate snap-in (certificate - current user >
personal > certificates) to export a certificate to a .cer file, while
logged into the server with the account to be used for the 2nd recovery
agent user, did not produce a .cer file that was accepted.
 
Steven L Umbach

I know you can replace the existing RA, but I don't think you can add
another one without a Certificate Authority, which is why you are having the
difficulty you are. W2K server has the capability to become a CA in
add/remove windows components. You might try adding another one as described
in how to replace an existing one in the KB link but I would be very careful
and use efsinfo to view the results. --- Steve

http://support.microsoft.com/?kbid=257705
http://support.microsoft.com/default.aspx?scid=kb;en-us;243026 --- efsinfo.
http://support.microsoft.com/default.aspx?scid=kb;EN-US;223316 --- anyone
using EFS should read this.
 
Drew Cooper [MSFT]

You can add an RA.

The RA cert can be issued by a CA, or you can use "cipher /r" on any XP or
Server 2003 machine, then put it into your Win2k AD (being careful to put
the generated .pfx someplace safe, of course).
 
Klaus

Steve, sorry to respond late (I was away for a while). I tried to
re-register the RA using http://support.microsoft.com/?kbid=257705 but
it did not work for me as outlined.

Had no problem following the instructions, but after I
completed all the steps and logged on with the new recovery agent I
noticed that I no longer could encrypt files (got message "there is no
valid encryption recovery policy configured for this system").

When I checked the server's local security settings, there was no
Recovery Agent defined under folders Public Key Policies > Encrypted
File System.

I even tried to logon with the original RA (administrator) to see if
this would recreate the original recovery agent but no luck either.

Any quick idea, or should I lean with going with Windows 2003, which
seems to have more EFS options/flexibility?
 
Steven L Umbach

I have tried using that procedure and had to reboot before the new RA would
work, and you may need to follow the instructions on deleting the current RA
from the Local Security Policy. My experience with using regsvr32
sclgntfy.dll to regenerate a Recovery Agent in W2K is that it will only work
on the built in administrator account even if you logon as a different user
to try it. I found if I first export the original RA certificate and private
key to a .pfx file first [selecting delete private key during export] and
then delete the certificate from the personal certificate store, I can then
generate the new RA for administrator and it is automatically added to Local
Security Policy as RA [reboot may be needed]. Then I could go back and
import the original certificate/private key from the .pfx file. After that I
could export the certificate only to a .cer file and also add it to the
Local Security Policy as an RA via "add" and select folder where the
certificate was exported to. Then there would be two RA certificates, but
both for the built in administrator account.

Personally I would rather install the Certificate Authority on your server
and use it to generate RA certificates as it is really not hard to do or
experimenting with a RA certificate generated on an XP Pro box using the
cipher /r command as Drew Cooper suggested. --- Steve
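As an added illustration (not code from any poster in this thread): the recovery agent wizard only accepts a certificate whose enhanced key usage is Microsoft "File Recovery" (OID 1.3.6.1.4.1.311.10.3.4.1), which is what cipher /r produces; an ordinary EFS user certificate exported from the Personal store carries the plain EFS OID (1.3.6.1.4.1.311.10.3.4) instead. The PowerShell below, run on an XP or later box as Drew and Steve suggest, generates the pair and checks the .cer before it is copied to the Windows 2000 server; the base file name is an assumption.

```powershell
# Added example, not from the thread. Generates an EFS recovery agent
# certificate pair with "cipher /r" (Windows XP / Server 2003 or later) and
# checks that the public .cer carries the File Recovery EKU that the
# Windows 2000 recovery-agent wizard requires. $BaseName is an assumption.
$BaseName        = 'EFS-RA'                      # yields EFS-RA.cer and EFS-RA.pfx
$FileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'    # Microsoft "File Recovery" EKU
$EfsUserOid      = '1.3.6.1.4.1.311.10.3.4'      # ordinary EFS user certificate EKU

function Test-RecoveryAgentCert {
    # Returns which EFS-related EKUs a DER/Base64 .cer file contains.
    param([Parameter(Mandatory = $true)][string]$Path)

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path)
    $ekus = @()
    foreach ($ext in $cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $ekus += ($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
        }
    }
    [pscustomobject]@{
        Subject         = $cert.Subject
        NotAfter        = $cert.NotAfter
        HasFileRecovery = ($ekus -contains $FileRecoveryOid)
        HasEfsUser      = ($ekus -contains $EfsUserOid)
    }
}

# 1. Generate the pair. cipher prompts for a password that protects the .pfx;
#    the .pfx holds the private key that can decrypt every file covered by
#    this RA, so move it off the machine and keep only the .cer here.
cipher "/r:$BaseName"

# 2. Check the public certificate before importing it on the 2000 server.
$result = Test-RecoveryAgentCert -Path "$BaseName.cer"
if (-not $result.HasFileRecovery) {
    throw "$BaseName.cer has no File Recovery EKU; the recovery agent wizard will reject it."
}
$result
```

Running the same function against a .cer exported from a user's Personal store should report HasEfsUser but not HasFileRecovery, which is the condition the wizard rejects.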
 
