Guest Eager Learner
Posted July 10, 2007

BACKGROUND:

Environment: W2k3 running AD, not running Certificate Authority (CA)
Clients: Windows XP

The certificates I have on my W2k3 which is running AD expired on 7/6/2007. It was brought to my attention when our users were unable to encrypt and decrypt their files. Therefore, when I log on as a domain admin or user I cannot encrypt on any computer on the domain.

The error I get is:

"Recovery policy configured for this system contains invalid recovery certificate"

I go to the W2k3 server and go to Certmgr.msc. I attempt to request the certificate from the Certificates > Personal folder, but it indicates I need a Certificate Authority. When I attempt to renew, it indicates it does not contain enough information to renew.

Furthermore, all my users who encrypted their files prior to the certificate expiring cannot save or open any of their documents in the encrypted folder. However, I did back up the PFX that is specific to their profile, so I hope I can recover.

One other thing is that one of my admins deleted the Recovery Agent (looks like a certificate?) from the Default Domain Policy in Public Key Policy > Encrypting File System. It is a .CER file which I cannot re-create. I hope this does not affect my recovery?

Questions:

1. With that said, my short-term goal here is to update the certificate so our users can encrypt, or be able to encrypt without encountering the error above.

2. Will deleting the recovery agent from the policy affect me? How do I recreate a new recovery agent? Does it have to be on the server where my AD is residing?

3. What is the proper way to set up EFS? I have a feeling my way is the long way. So I keep a certificate for every laptop on which the users encrypt their My Documents folder. I want only one master key to recover the encrypted files.

Any help would be greatly appreciated by this newbie.
Guest Dragos CAMARA
Posted July 11, 2007

RE: Expired Certificate on W2k3 affecting Encrypting and Recovery Policy

Hi,

It seems you don't have a CA on your domain. Here is a link with what you have to do: http://support.microsoft.com/kb/937536

If the recovery agent was deleted, for sure it will affect you. It's better to have a CA installed on your domain.

--
Dragos CAMARA
MCSA Windows 2003 Server

"Eager Learner" wrote:

> BACKGROUND:
>
> Environment: W2k3 running AD, not running Certificate Authority (CA)
> Clients: Windows XP
>
> The certificates I have on my W2k3 which is running AD expired on 7/6/2007. It was brought to my attention when our users were unable to encrypt and decrypt their files. Therefore, when I log on as a domain admin or user I cannot encrypt on any computer on the domain.
>
> The error I get is:
>
> "Recovery policy configured for this system contains invalid recovery certificate"
>
> I go to the W2k3 server and go to Certmgr.msc. I attempt to request the certificate from the Certificates > Personal folder, but it indicates I need a Certificate Authority. When I attempt to renew, it indicates it does not contain enough information to renew.
>
> Furthermore, all my users who encrypted their files prior to the certificate expiring cannot save or open any of their documents in the encrypted folder. However, I did back up the PFX that is specific to their profile, so I hope I can recover.
>
> One other thing is that one of my admins deleted the Recovery Agent (looks like a certificate?) from the Default Domain Policy in Public Key Policy > Encrypting File System. It is a .CER file which I cannot re-create. I hope this does not affect my recovery?
>
> Questions:
>
> 1. With that said, my short-term goal here is to update the certificate so our users can encrypt, or be able to encrypt without encountering the error above.
>
> 2. Will deleting the recovery agent from the policy affect me? How do I recreate a new recovery agent? Does it have to be on the server where my AD is residing?
>
> 3. What is the proper way to set up EFS? I have a feeling my way is the long way. So I keep a certificate for every laptop on which the users encrypt their My Documents folder. I want only one master key to recover the encrypted files.
>
> Any help would be greatly appreciated by this newbie.
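The recovery-agent rebuild that question 2 asks about, written out as an added example for this thread; it is not taken from the reply above or from KB 937536. The recovery-agent account CORP\efs-recovery, the output names C:\efs-dra.cer / C:\efs-dra.pfx, the backup path C:\backup\alice-efs.pfx, the sample document path and the password placeholder are all assumed. The commands are typed at a cmd prompt on any domain-joined XP/2003 machine (the certificate does not have to be generated on the domain controller; only the .cer is imported into the policy through GPMC).

```batch
:: Added example (not from the thread): rebuild the EFS Data Recovery Agent (DRA)
:: after the recovery certificate in Default Domain Policy expired / was deleted.
:: Run as the account that will act as recovery agent (assumed: CORP\efs-recovery).
:: No CA is needed: cipher /r produces a self-signed DRA certificate.

:: 1. Generate the DRA key pair. cipher prompts for a password and writes two
::    files only (nothing is installed in a certificate store):
::      C:\efs-dra.cer  - public certificate, goes into Group Policy
::      C:\efs-dra.pfx  - private key, keep OFFLINE; it decrypts every file
::                        that lists this DRA, so treat it as the "master key"
cipher /r:C:\efs-dra

:: 2. Publish the public half as the domain recovery agent (GUI step in GPMC):
::    Default Domain Policy > Computer Configuration > Windows Settings >
::    Security Settings > Public Key Policies > Encrypting File System >
::    right-click > Add Data Recovery Agent... > Browse Folders > C:\efs-dra.cer
::    Then refresh policy on the DC and on each client (or wait for the
::    normal refresh); the "invalid recovery certificate" error stops once
::    the expired DRA is gone and a valid one is present.
gpupdate /target:computer /force

:: 3. Caveat: a new DRA only covers files encrypted AFTER it is in policy.
::    Files encrypted before 7/6/2007 carry only the old recovery key, so the
::    new DRA cannot open them. They can still be opened by the USER's own
::    key, which is why the backed-up per-profile PFX matters. For each user:
::    a. restore that user's EFS key pair into their profile (run as the user;
::       the password is the one chosen when the PFX was exported). Double-
::       clicking the .pfx and using the Certificate Import Wizard is the GUI
::       equivalent of this command.
certutil -user -p "ExportPassword" -importPFX C:\backup\alice-efs.pfx

::    b. as that same user, re-stamp all encrypted files on local drives with
::       the current user key AND the current DRA in one pass. After this the
::       single DRA key can recover them, which answers question 3.
cipher /u

:: 4. Verify from the recovery-agent account on a COPY of a test file: if the
::    DRA is stamped correctly, decryption succeeds without the user's key.
copy "C:\Documents and Settings\alice\My Documents\report.docx" C:\dra-test\
cipher /d "C:\dra-test\report.docx"
```

Two points worth keeping in mind when using this: the .pfx written by cipher /r is the only copy of the recovery private key, so it should be backed up and stored away from the domain rather than left in the recovery agent's profile; and cipher /u must be run by someone who can already decrypt the files (the owner with their restored key), because re-stamping a file requires decrypting its file encryption key first.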