seanlabrie

asked on

Having trouble Configuring EFS / Domain Account for Recovery Agent

Ladies and Gents,

I've recently tried to set up and test EFS in a test environment. I've got a couple of questions that I've been unable to find answers to. I've seen a lot of links to articles that people have recommended reading, but I'm still missing the boat at this point. For my test environment I've got two PCs running XP SP3 and a server running 2003 R2 SP2. The server is a domain controller. It's got Certificate Services installed as an enterprise root CA (second question about the best way to set up a CA later). I've got a domain controller cert installed on the DC, and I've got computer certs installed on the PCs.

How do I create a recovery agent for the domain so that this one account, and only this one account, can recover data? (I don't want the domain admin to be able to recover data, just the one recovery agent account.) In Group Policy, when I try to Add a Recovery Agent I get an error to the tune of "The selected user has no certificates suitable for Encrypted File System recovery and cannot be added as a recovery agent. Select another user."

The end goal is to create file shares on the server that can be made available offline and that are also encrypted with EFS. Some shares will need to be accessed by all domain users, other shares will need to be accessed only by certain groups, and finally the profiles of users on their desktops should also be encrypted. I want the domain-wide recovery agent to be able to recover these files in the event that we need to do a forced password reset or we lose the user's password, etc.

My last question concerns the best, most secure way to set up the CA structure. Should my DC be an enterprise root CA, or should I create a stand-alone workgroup server to act as a root CA that can be turned off and put into a closet, and use that root CA to issue a certificate to my DCs, which can then issue EFS, computer, user certificates and so forth?

Thanks for the tips and info, everyone,

-Sean
ASKER CERTIFIED SOLUTION
Paranormastic
This solution is only available to members.
seanlabrie

ASKER

Man, am I glad I found you. I searched and searched but couldn't find answers as clear as the ones you've just given.

Some Follow ups:

1) On a two-tier CA infrastructure, do you have to use the Enterprise Edition of Windows for a CA to be an Enterprise Subordinate CA? If you don't have the Enterprise Edition of Windows, what are your options?

2) Am I right to assume that all certificates that have been set up within a GPO are deployed out to each PC? Once the recovery agent's cert is in a GPO, will all PCs affected by that GPO have everything necessary for a recovery if needed? (Meaning: if a user quits and changes their password and I have to reset their password or disable their account, can I log in as the recovery agent and then take ownership of their files, or will I need to import a cert first, etc.? Also, if the recovery agent is not an admin, can I still use a domain admin account to give ownership of a set of files to the recovery agent even though the admin account cannot open those files because they are encrypted?)

3) I'm considering running the CAs, both the offline root and the Enterprise Subordinate, as VMs within Virtual Server 2005. From what I gather above, I'd want to have the ES (Enterprise Subordinate) with two NICs, one connected to the production network and one connected to a virtual network, and the offline root would have only one NIC, connected to just the virtual network, right?

4) Thanks for the info on the eternally published CRL, but I don't think I'll be using that. As for the normal CRL from the offline root, should that be located on a file server somewhere, or do I locate it on the root CA itself? Also, if it's moved to a file server, where do I configure the clients so they look to that new location?

Thanks again for the help. Sorry for the 20 questions game; I'm pretty new to using the CA infrastructure and I'm going to need to be doing a lot of work with it soon, so I'm really trying to get a grasp on how to set this up correctly. I appreciate your help.

SOLUTION
This solution is only available to members.
"Re: EFS:
In the Certificate Templates MMC, locate the EFS Recovery Agent template and assign Enroll permissions to the desired user account, and only them.  Others may have the Read permission, etc., but Enroll should be restricted.
In the Certificate Authority MMC, right-click/Publish the Certificate Templates folder and publish the EFS Recovery Agent template.
Log in as the user (or Run As for iexplore.exe) to issue the certificate by going to http://server/certsrv and choose the first option on each page, then select the EFS template from the dropdown.  You can then use this cert in GPO."

I can't right-click/Publish from the Certificate Templates folder within the Certificate Authority MMC; there is no option to do that.

Also, I can't get to http://server/certsrv; the page cannot be found. It also does not appear to be within IIS.

Thanks,
Was your CA set up as an Enterprise CA or a Stand-Alone CA? That might explain the publish issues. For certsrv not to show up in IIS... that's strange. Normally during installation it prompts you if you do not have IIS with the needed components installed. I assume that you are pointing 'server' to the server name of the CA. If it isn't showing up in IIS on the CA box, I would seriously consider reinstalling the CA if you don't have too many certificates issued already. The only time this would be normal is if you had removed it after installing the CA; technically it is not necessary for operation, but it is handy. In our environment we moved it to a separate web server to gain an additional level of obfuscation between the users and the CA, but this is not typical by any means; we run a few pretty high-end PKI environments here and do things a little more heavy-duty than most companies require.

You can still manage the CA manually without certsrv, using the certreq and certutil utilities.
certreq -submit -attrib certificatetemplate:%templateName% -config %CA.Server.FQDN%\%CAName% -f %filename%.csr %filename%.cer >> SubmitCSR.log

I'm just checking in on old posts today... Are you still having this issue? If so, please let me know so I can help some more; if not, please close accordingly.
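The two steps the thread leaves the asker stuck on, getting the CA to issue the EFS Recovery Agent template and enrolling the one recovery account without the certsrv web pages, can both be done with the certreq and certutil tools the last reply mentions. The script below is an added example, not code from the thread or from either participant, and it assumes a CA config string of `dc01.corp.example\corp-DC01-CA`, a work directory under `%TEMP%`, and that part 1 runs as a CA administrator while parts 2 and 3 run logged on as the intended recovery-agent account (the private key must end up in that user's profile, not an admin's). The template common name `EFSRecovery` is the real CN behind the "EFS Recovery Agent" display name; everything else named is an assumption for illustration.

```powershell
# Added example (not the thread's own code). Assumed values: the CA config string,
# the work directory and the template CN; adjust to the environment.
# Part 1: run as a CA administrator. Parts 2-3: run as the recovery-agent account.

$CaConfig = 'dc01.corp.example\corp-DC01-CA'   # assumed; 'certutil -dump' prints the real one
$Template = 'EFSRecovery'                      # template CN; the MMC shows "EFS Recovery Agent"
$WorkDir  = Join-Path $env:TEMP 'efs-ra'       # assumed scratch location
$Inf = Join-Path $WorkDir 'efs-ra.inf'
$Req = Join-Path $WorkDir 'efs-ra.req'
$Cer = Join-Path $WorkDir 'efs-ra.cer'
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# --- Part 1 (CA admin): make the enterprise CA issue the template. This is the
# command-line form of Certification Authority MMC > Certificate Templates >
# New > Certificate Template to Issue. WHO may request it is the Enroll ACE on
# the template itself (Certificate Templates MMC), which is where "only this one
# account" is enforced; the CA just has to be willing to issue it.
$issued = certutil -config $CaConfig -CATemplates
if (-not ($issued | Where-Object { $_ -like "$Template*" })) {
    certutil -config $CaConfig -SetCATemplates "+$Template"
}

# --- Part 2 (recovery account): build a PKCS#10 request that names the template.
# KeySpec=1 (AT_KEYEXCHANGE) with an RSA CSP is what EFS requires; Exportable so
# the private key can be moved offline after enrollment. The CA rebuilds the
# subject from AD per the template, so the Subject line is only a placeholder.
@"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=EFS Recovery Agent"
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
MachineKeySet = FALSE
ProviderName = "Microsoft Enhanced Cryptographic Provider v1.0"
ProviderType = 1
RequestType = PKCS10

[RequestAttributes]
CertificateTemplate = $Template
"@ | Set-Content -Path $Inf -Encoding ASCII

certreq -new $Inf $Req                          # generates the key pair in the user's store
$submit = certreq -submit -config $CaConfig $Req $Cer
if ($submit -match 'pending') {
    throw "Request is pending CA manager approval; after issuing it run: certreq -retrieve -config $CaConfig <RequestId> $Cer"
}
if (-not (Test-Path $Cer)) {
    throw "CA did not return a certificate: $submit"
}
certreq -accept $Cer                            # binds the issued cert to the private key

# --- Part 3: verify the File Recovery EKU before touching the GPO. The wizard
# error quoted in the question is what you get when this EKU is absent.
$FileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Cer
$ekus = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
    ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } }
if ($ekus -notcontains $FileRecoveryOid) {
    throw "Issued cert lacks the File Recovery EKU ($FileRecoveryOid); check the template"
}
"OK: $($cert.Subject) thumbprint $($cert.Thumbprint) is usable as an EFS recovery agent."
"In the GPO, Public Key Policies > Encrypting File System > Add Data Recovery Agent:"
"use Browse Folders with $Cer if Browse Directory does not list the account yet."
```

Two things worth keeping in mind when using this. On a 2003 CA the MMC item is "New > Certificate Template to Issue" rather than a Publish verb, and `certutil -SetCATemplates` does the same thing, so part 1 works whether or not the menu is found. And the GPO distributes only the public certificate: every file encrypted under that policy gets a recovery field wrapped to it, but decrypting one later needs the matching private key, which this script leaves in the enrolling account's profile. Export it to a PFX, store it offline, and remove it from the online profile, so that a compromised domain admin who resets the recovery account's password does not also get a key that opens every file in the domain.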