Solved

EFS certificates after removing CA from Active Directory

Posted on 2010-11-19
5
1,343 Views
Last Modified: 2012-05-10
we have about half dozen EFS certificates issued to users.
We would like to decomission the existing CA (and leave the server in place http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_26626321.html ).

We don't mind changing the name of the root CA, we just are concerned of loosing the ability to reover any files encrypted by people on leave... if we uninstall the 2003 CA from the server and install a new CA root on 2008 R2.

SOme of the certificates expire in 1 year... We might not be able to locate all the encrypted files at this point in time

Will backing up the private key be enough to access encrypted files even after the CA is removed ? How does one go about recovering those files in that case ?

Can you provide a brief procedure to follow if we are happy to get rid of the old CA?  is it a matter of:
1)backup existing CA key
2)uninstall CA from 2003
3) install new CA on 2008 R2

THanks for you help.
0
Comment
Question by:rov17
  • 2
  • 2
5 Comments
 
LVL 10

Expert Comment

by:moon_blue69
ID: 34177282
Hi

See if this article helps

Cheers
0
 
LVL 5

Author Comment

by:rov17
ID: 34177776

Hi moon_blue69,

which article ?

 
0
 
LVL 10

Expert Comment

by:moon_blue69
ID: 34177822
0
 
LVL 5

Author Comment

by:rov17
ID: 34178354
thanks moon_blue69  but it doesn't. Have come accross it but it does not address the questions that I posted and i can not remove the existing server.
0
 
LVL 31

Accepted Solution

by:
Paranormastic earned 500 total points
ID: 34200917
For recovering EFS encrypted files, you should be using an EFS Data Recovery Agent (DRA) certificate - preferably issued to a dedicated tightly controlled admin account.  You can issue the DRA cert either from the CA (new or old) or from command line 'cipher /r NAME' which will create a .cer and .pfx file - the .pfx has the private key so keep that on a locked up flash drive.  The .cer you should deploy via GPO and then all domain members will automatically pick it up.  Note that if users don't touch the files already encrypted then it doesn't matter, so it is a good idea to run 'cipher /u' as a logon script for users that have EFS certs - this will update those files to include the DRA cert.

The process should be similar to:
http://blogs.technet.com/askds/archive/2008/01/07/replacing-an-expired-dra-certificate.aspx
(only creating instead of replacing)

Also, after the new CA is up and running and set up for EFS you can force re-enrollment from certtmpl.msc - locate template - right click - reenroll all certificate holders. I forget offhand if it happens automatically or if it requires logoff/logon, or reboot - may need to wait for up to 15 mins for AD replication as well.  If you have a lot of EFS users try a smaller test group first to work out any potential kinks.
0

Featured Post

Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Sometimes drives fill up and we don't know why.  If you don't understand the best way to use the tools available, you may end up being stumped as to why your drive says it's not full when you have no space left!  Here's how you can find out...
In 2017, ransomware will become so virulent and widespread that if you aren’t a victim yourself, you will know someone who is.
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…
This tutorial will walk an individual through the steps necessary to install and configure the Windows Server Backup Utility. Directly connect an external storage device such as a USB drive, or CD\DVD burner: If the device is a USB drive, ensure i…

914 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now