-Juddy- (United Kingdom) asked:
Using a domain EFS Recovery Agent

I have created (I think!) a recovery agent under the EFS policy on our Windows Server 2003 SBS server, but I am missing one small detail.  The policy is created, the certificate is created and I have assigned Recovery Agent rights to a newly created 'EFS Admin' user (domain admin rights).  Users of the domain are allowed to create EFS folders, but when I show the details for the encrypted files the Recovery Agent Name field is blank, meaning that I don't have a workable recovery policy.  I would expect the name EFS Admin to show up in this section, meaning that this user can also recover EFS protected documents (etc).  Any ideas guys?
ASKER CERTIFIED SOLUTION
Paranormastic (United States):
Also, since I've seen this a few times, make sure you are deploying the cert file (.crt or .cer) and not the .pfx file, which has the private key.  If you did, honestly I would just revoke that one and start with a new one, since you just populated the private key everywhere, or just delete it and create a new one with cipher /r.  CA cert for the DRA is preferred.
-Juddy- (asker):
Let me answer these in point form, just for clarity:

EFS is enabled for all users.
EFS section of my Default Domain Security Setting does indeed show the DRA cert.
DRA cert was issued from the CA (it also shows up in 'issued certificates'). How do I ensure the root CA cert is trusted?
The certificate was made by right clicking the EFS 'folder' in the default domain security settings and using the add/create data recovery agent.

Thanks!
-Juddy- (asker):
One more thing: on one test PC, when I look at the details for a file in an EFS area it now shows the correct data recovery agent, which is nice.  The problem, though, is that when I log on to the PC as the DRA and attempt to open the file in the EFS area I get "access is denied".  Should I (as the DRA) be able to open these files, or is there a recovery process which I'm missing?
To make sure the root CA cert is trusted, open MMC - Certificates snapin - add twice, once for user and once for local computer.  Check local computer first, but could have ended up in either (or both which is fine), look in the Trusted Root Certification Authorities store - expand that and select Certificates, then scroll through the list in the details pane.  If it is in the user but not computer area, you can click-n-drag it down to that area in the computer context so it is available to all users - however that would just be for that box.  If not in computer context then you need to check the domain GPO settings:
computer config - windows settings - security settings - public key policies/trusted root certification authorities
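The checks above (root CA trusted in the computer versus user store, and the earlier warning about deploying the .pfx instead of the .cer) can be scripted on a workstation. This is an added example, not code from the thread or from Microsoft; the DRA certificate path is an assumed placeholder, and the script is meant to be run in an elevated PowerShell session.

```powershell
# Added example: verify an EFS Data Recovery Agent (DRA) certificate on a workstation.
# $DraCerPath is a placeholder for the exported public certificate (.cer) of the DRA.
param([string]$DraCerPath = 'C:\PLACEHOLDER\EFS-DRA.cer')

# Microsoft "File Recovery" enhanced key usage; EFS only honours a DRA cert that carries it.
$FileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'

function Test-DraCertificate {
    param([string]$CerPath)
    $dra = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath

    # 1. Confirm the File Recovery EKU is present.
    $ekuExt = $dra.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasFileRecovery = $ekuExt | ForEach-Object { $_.EnhancedKeyUsages } |
        Where-Object { $_.Value -eq $FileRecoveryOid }

    # 2. Build the chain to find the issuing root, then see whether that root is trusted
    #    in the computer store (applies to all users) or only in the current user's store.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # keep CRL reachability out of the trust question
    $chainOk = $chain.Build($dra)
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $rootInMachine = Test-Path "Cert:\LocalMachine\Root\$($root.Thumbprint)"
    $rootInUser    = Test-Path "Cert:\CurrentUser\Root\$($root.Thumbprint)"

    # 3. A copy of the DRA cert with a private key on an ordinary workstation means the
    #    .pfx was deployed rather than the .cer, which is the mistake warned about above.
    $withKey = Get-ChildItem Cert:\ -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.Thumbprint -eq $dra.Thumbprint -and $_.HasPrivateKey }

    [pscustomobject]@{
        Subject            = $dra.Subject
        HasFileRecoveryEku = [bool]$hasFileRecovery
        ChainBuilds        = $chainOk
        ChainStatus        = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        RootSubject        = $root.Subject
        RootTrustedMachine = $rootInMachine
        RootTrustedUser    = $rootInUser
        PrivateKeyPresent  = [bool]$withKey
    }
}

Test-DraCertificate -CerPath $DraCerPath | Format-List
```

A healthy workstation shows HasFileRecoveryEku and RootTrustedMachine as True and PrivateKeyPresent as False; if RootTrustedMachine is False while RootTrustedUser is True, the root needs to reach the computer store via the GPO path given above.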

-Juddy- (asker):
Thanks for your response, I have been off sick so have only just seen it!  I'll give it a try today.
Did everything turn out okay here, or are you still working on it?
-Juddy- (asker):
First day back, so I'll check into it today! Thanks.
Any updates?