Dear Experts,
I am trying to create an encrypted folder on our server that will be accessible to only a few users. When I tried to encrypt it, I got the "EFS recovery policy contains invalid recovery certificate" error, so I started to follow the instructions on how to export and then import the EFS private certificate. Now I am getting an error that says "Windows cannot determine if this certificate has been revoked..." If I go ahead and install this certificate anyway, the Recovery agent gets labeled UNKNOWN_USER.
The server I am trying to install the recovery agent on is not the domain controller, so I exported the EFS certificate from the domain controller, then moved it to this file server. I am not sure if this is the correct method. Also, the certificate I exported had an expiration date that is in the past, so I am very confused.
Please advise.
You can also use efsinfo to view thumbprints to help match up the certificates that are RAs. You need to have an RA export their recovery certificate and private key to a .pfx file.
http://support.microsoft.com/kb/243026
By default, the Administrator account has this certificate and is configured as the data recovery agent. If you are running your computers in a Windows domain, then the default Recovery Agent will be the Administrator account on the first domain controller you installed in your Windows domain. Kindly also see the best practices:
http://support.microsoft.com/KB/223316
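As an added example (not part of the original thread), the following PowerShell lists the File Recovery (EFS recovery agent) certificates in the current user's and the machine's personal stores and reports the two things this thread trips over: whether the certificate has expired and whether its private key is present on this server. It optionally takes a thumbprint as shown by efsinfo so you can confirm the imported .pfx is the one the recovery policy references. It assumes the File Recovery EKU OID 1.3.6.1.4.1.311.10.3.4.1; the function name is mine.

```powershell
# Added example, not from the original thread.
# Assumption: 1.3.6.1.4.1.311.10.3.4.1 is the "File Recovery" EKU OID
# that EFS data recovery agent (DRA) certificates carry.
$FileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'

function Get-EfsRecoveryAgentCert {
    # -Thumbprint is optional; pass the value efsinfo shows for the RA
    # to check that the certificate you imported is the one the policy expects.
    param([string]$Thumbprint)

    $wanted = if ($Thumbprint) { ($Thumbprint -replace '\s', '').ToUpper() } else { $null }
    $stores = 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My'

    foreach ($store in $stores) {
        Get-ChildItem -Path $store |
            Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $FileRecoveryOid } |
            ForEach-Object {
                # Skip certificates that do not match the requested thumbprint.
                if ($wanted -and $_.Thumbprint -ne $wanted) { return }
                [pscustomobject]@{
                    Store         = $store
                    Subject       = $_.Subject
                    Thumbprint    = $_.Thumbprint
                    NotAfter      = $_.NotAfter
                    # An expired DRA certificate is one reason the recovery
                    # policy is reported as invalid.
                    Expired       = ($_.NotAfter -lt (Get-Date))
                    # Importing only the .cer (no private key) leaves the agent
                    # unable to recover files; the .pfx carries the key.
                    HasPrivateKey = $_.HasPrivateKey
                }
            }
    }
}

# Show every File Recovery certificate found; add -Thumbprint '<from efsinfo>'
# to narrow the output to a single certificate.
Get-EfsRecoveryAgentCert | Format-Table -AutoSize
```

If nothing is listed, or the only match shows Expired = True or HasPrivateKey = False, the certificate on this server cannot serve as a working recovery agent regardless of what the policy references.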