Server 2003 R2 slow file browsing, lots of EFS errors

A month ago my server started having lots of Event ID: 6032  Source EFS errors. They flood the System log then stop for a little while.

The issue we noticed is that while those erros are happening the file browsing to the shares on the server is slow.

We only have 1 person that encrypts their files and they are running Vista using NTLMV2
There were no windows updates installed just before we started getting these errors, and no other changes have been made that I can think of.

I did upgrade the system memory from 2Gb to 3 GB because it was running at 1.7GB most of the time. It helped a little bit but those errors are still comming in everyday,

This server is also the main DC for the company.

Any help is appreciated.
Who is Participating?
BembiConnect With a Mentor CEOCommented:
Usually, you find the users or computers certificates unter personal.

Each certificate relies on a root certificate. You have to trust the root certificate. Have a look unter Certification path to find out, who has issued this certificate. The most common public issuers are within the trusted certificated folder by default.

The certificate you have found there may be a certificate, which the user has got via a signed or encrypted email. The message above means, that the issuer is not within the list of trusted root certificates or trusted issuers. As you can not see there, if the certificate is issued for encryption, I can not say if this is the certificate, which was used. Therefore I can not tell you, if moving this certificate will solve something. If you do not know the issuer, I don't think so, if you know it, it may be.

You may try to update first your root certificates:
Is it possible, that a service (like backup or whatever) tries to access the files, or just other users?

This may fails as only the user, who encrypted the files can decrypt them (besides the recovery agent).
pboustaniAuthor Commented:
The backup runs after 6PM the errors are happening during the day, way before the backup.

The files that this one user encrypts have been like this for months with no problems. The backup never had any problem backing up the data. It is still working now.
What ever generates these EFS errors causes the server to slow down.

I cant think of anything that might have changed recently

Any other possible solutions for the event ID above?

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Timed out certificates?

Can you see additional errors on the server?
Backup is not the only application, which accesses files (virus scanners, index service etc.).
Does this happen all the time, also the affected user is logged off?
pboustaniAuthor Commented:
The only other errors on the are
MrxSmb - Event ID 8003
The master browser has received a server announcement from the computer SERVER2 that believes that it is the master browser for the domain on transport NetBT_Tcpip_{73EA1AB4-6F45-4924-9865-D71E5AC842AF}. The master browser is stopping or an election is being forced.

DNS - Event ID 4015
The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "". The event data contains the error.

The efs errors did not occur over the weekend, only weekdays and there is no virus scan running . It is possible they occur only when the user is reading the files. I will keep an eye on it today when they connect.

Master browser messages seem to be normal. If the master browser service is not forces to be hosted on one single machine (i.e. a server), it can flow from one machine to another. If the actual hosting machine is logged off, the master browser needs to switch to another machine. This is a general lack of windows NetBIOS.  

Second error you should keep an eye on, if this is a temproraly error due to reebotts or whatever. Should not come up regularly. Have a look here for some reasons:

EFS errors: This would point me realy to a timed out certificate on the machine / user, which encrypted the files. Check the certificates for this machine / user, if they are valid. Ask your user, if he has problems accessing the files. Note, that you will run into some trouble, if a certificate times out, which is used to encrypt files. Only the recovery agent can then decrypt the files.
pboustaniAuthor Commented:
She never had any problem accessing her files. But there was one occasion when all her files seemed to be corrupt. Office, Acrobat and other programs could not open them, they kept saying Encoding error, and would not display properly.
I got this problem fixed by attaching all her documents into a new email in outlook and then close the email window without sending the 200MB attachment :). This seemed to have rescanned all the headers and I was able to open her files again.

Right now I am decrypting her files to see if the errors will stop. I never liked the MS Encryption thing. I am going to use a different encryption software which works much faster.
Yerk, this sounds like a certificate is renewed with a new key and the old certificate may be still part of Outlook and still valid?

You should decrypt all the documents as fast as you can to have an unencrypted copy.

MS works fine so far, but you have to take care of the key infrastructure. If a certificate invalidates, you may loose your date. This is common to all cert based encryption methods. The other method is just to use passwords or other keys, but maybe less safe. The default settings for certificates in MS may be very short (1-2 years) so you have to make sure, the time is long enough or you have an automatic renewal procedure (policies).  

The encryption / decryption performance depends from the key-length, so if the encryption / decryption is slow, it may have something to do with the used algorithm. If you have faster solution, you can use it of course but they maybe less save. So it depends a little bit from your security needs, what is usefull or not.
pboustaniAuthor Commented:
There are few certificates under Trusted people on the 2003 server, most are administrators and probably not used to encrypt the files. The one user that does encrypt the files has a certificate there as well the date is valid and it says
"This CA Root certificate is not trusted. Install it in the Trusted Root Certification Store"
Could that be the problem I am having.

To install it do I just need to copy the certificate to the above mentioned store? See image


pboustaniAuthor Commented:
I have successfully decrypted all the files and the efs errors have stopped.

The path under each users is just the users own name no other root certificate exists.

I did try moving them to Trusted root certificate folder but that did not stop the errors. It did take off that message that said
"This CA Root certificate is not trusted. Install it in the Trusted Root Certification Store"
but the errors still continued.

Anyways decrypting the files got rid of the errors and I dont have too much time to spend on this.

Thanks for you help, you get the points anyways.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.