Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

EFS certificates after removing CA from Active Directory

Posted on 2010-11-19
5
Medium Priority
?
1,392 Views
Last Modified: 2012-05-10
we have about half dozen EFS certificates issued to users.
We would like to decomission the existing CA (and leave the server in place http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_26626321.html ).

We don't mind changing the name of the root CA, we just are concerned of loosing the ability to reover any files encrypted by people on leave... if we uninstall the 2003 CA from the server and install a new CA root on 2008 R2.

SOme of the certificates expire in 1 year... We might not be able to locate all the encrypted files at this point in time

Will backing up the private key be enough to access encrypted files even after the CA is removed ? How does one go about recovering those files in that case ?

Can you provide a brief procedure to follow if we are happy to get rid of the old CA?  is it a matter of:
1)backup existing CA key
2)uninstall CA from 2003
3) install new CA on 2008 R2

THanks for you help.
0
Comment
Question by:rov17
  • 2
  • 2
5 Comments
 
LVL 10

Expert Comment

by:moon_blue69
ID: 34177282
Hi

See if this article helps

Cheers
0
 
LVL 5

Author Comment

by:rov17
ID: 34177776

Hi moon_blue69,

which article ?

 
0
 
LVL 10

Expert Comment

by:moon_blue69
ID: 34177822
0
 
LVL 5

Author Comment

by:rov17
ID: 34178354
thanks moon_blue69  but it doesn't. Have come accross it but it does not address the questions that I posted and i can not remove the existing server.
0
 
LVL 31

Accepted Solution

by:
Paranormastic earned 2000 total points
ID: 34200917
For recovering EFS encrypted files, you should be using an EFS Data Recovery Agent (DRA) certificate - preferably issued to a dedicated tightly controlled admin account.  You can issue the DRA cert either from the CA (new or old) or from command line 'cipher /r NAME' which will create a .cer and .pfx file - the .pfx has the private key so keep that on a locked up flash drive.  The .cer you should deploy via GPO and then all domain members will automatically pick it up.  Note that if users don't touch the files already encrypted then it doesn't matter, so it is a good idea to run 'cipher /u' as a logon script for users that have EFS certs - this will update those files to include the DRA cert.

The process should be similar to:
http://blogs.technet.com/askds/archive/2008/01/07/replacing-an-expired-dra-certificate.aspx
(only creating instead of replacing)

Also, after the new CA is up and running and set up for EFS you can force re-enrollment from certtmpl.msc - locate template - right click - reenroll all certificate holders. I forget offhand if it happens automatically or if it requires logoff/logon, or reboot - may need to wait for up to 15 mins for AD replication as well.  If you have a lot of EFS users try a smaller test group first to work out any potential kinks.
0

Featured Post

When ransomware hits your clients, what do you do?

MSPs: Endpoint security isn’t enough to prevent ransomware.
As the impact and severity of crypto ransomware attacks has grown, Webroot has fought back, not just by building a next-gen endpoint solution capable of preventing ransomware attacks but also by being a thought leader.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The well known Cerber ransomware continues to spread this summer through spear phishing email campaigns targeting enterprises. Learn how it easily bypasses traditional defenses - and what you can do to protect your data.
When you put your credit card number into a website for an online transaction, surely you know to look for signs of a secure website such as the padlock icon in the web browser or the green address bar.  This is one way to protect yourself from oth…
This tutorial will give a an overview on how to deploy remote agents in Backup Exec 2012 to new servers. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as connecting to a remote Back…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
Suggested Courses

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question