Microsoft KB Archive/929103
Article ID: 929103
Article Last Modified on 1/19/2007
- Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
- Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
- Microsoft Windows Server 2003, Standard Edition (32-bit x86)
- Microsoft Windows Server 2003, Web Edition
- Microsoft Windows XP Professional
- Microsoft Windows XP Home Edition
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Professional Edition
You open the default domain policy and then try to renew the default recovery agent certificate in Microsoft Windows Server 2003, in Microsoft Windows XP, or in Microsoft Windows 2000. After you do this, you receive an error message that resembles the following:
To resolve this problem, follow these steps:
- Log on to a Microsoft Windows XP-based client computer or to a Microsoft Windows Server 2003-based client computer by using the user account under which you want the Encrypting File System (EFS) recovery agent to run.
- Use the Windows Server 2003 or Windows XP version of the Cipher tool together with the /r switch to create a new self-signed file recovery certificate and private key. The Cipher tool generates a new public file recovery certificate (.cer) and a .pfx file that contains the certificate and the private key. Make copies of these files and save them to a safe location. To generate the new file recovery certificate, follow these steps:
- Click Start, click Run, type cmd, and then click OK.
- At the command prompt, type cipher /r:file_name, and then press ENTER.
file_name represents the file name that you want to use. Use a file name that is meaningful to you. Do not add an extension to the file name.
- When you are prompted for a password to protect the .pfx file, type a password that you can remember. This password protects the recovery agent private key.
- Make sure that the new .cer and .pfx files are created in the same folder as the file that you created in step 2b.
- Export the old EFS recovery agent certificate. To do this, follow these steps:
- On the domain controller, click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
- Right-click domain_name, and then click Properties.
- Click the Group Policy tab, click the Default Domain Policy Group Policy object (GPO), and then click Edit.
- Expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Public Key Policies, and then click Encrypted Data Recovery Agents.
- Right-click the current EFS recovery agent certificate, point to All Tasks, and then click Export.
- Follow the instructions in the Certificate Export Wizard to export the old EFS recovery agent certificate.
Important Make sure that you export the old EFS recovery agent certificate together with the private key to a .pfx file. A .cer file contains only the certificate, not the private key. Keep the new EFS recovery agent .pfx file and the old EFS recovery agent .pfx file in a safe location.
- Right-click the old EFS recovery agent certificate, click Delete, and then click Yes.
- Right-click the Encrypted Data Recovery Agents folder, and then click Add.
- Click Next, and then click Browse Folders.
- Import the new .cer file from the Windows XP-based client computer or from the Windows Server 2003-based client computer, and then click Open.
Note When you open the .cer file, you will receive a message that states that the user is unknown. This message is expected. You will also receive a warning message from the Add Recovery Agent Wizard that the certificate is not trusted.
- Import the new .cer file from the Windows XP-based client computer or from the Windows Server 2003-based client computer into the Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Trusted Root Certification Authorities folder.
- If you have multiple domain controllers, update Group Policy: on Windows 2000, type secedit /refreshpolicy machine_policy /enforce at a command prompt; on Windows XP or Windows Server 2003, type gpupdate /force.
- Restart the client computer.
After you replace the EFS recovery agent certificate in the default domain policy, all new encrypted files will contain the new recovery agent. An encrypted file is updated with the new recovery agent only if one of the following conditions is true:
- A user who has received the updated Group Policy accesses the encrypted file.
- You ran the cipher /u command in a logon session.
You can recover old EFS data by using the old default recovery agent private key. Even though the recovery agent certificate expires, the recovery agent private key does not expire, and it can still decrypt files that were protected by that agent. Therefore, you do not have to use the cipher /u command to update all encrypted files with the new recovery agent certificate as long as you keep the old recovery agent private key. Use the cipher /u command if the old recovery agent private key is lost or if you are not sure that you have the correct recovery agent private key.
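The client-side part of the procedure above, scripted in Windows PowerShell. This is an added example and is not part of KB 929103; it assumes PowerShell 2.0 or later on the Windows XP or Windows Server 2003 client, and the base name, working folder and backup location are placeholders. The editing of the Default Domain Policy (steps 3 to 7) is still done in the Group Policy editor between the two functions.

```powershell
# Added example, not from KB 929103. Run on the Windows XP / Windows Server 2003 client,
# logged on as the account that is to act as the EFS recovery agent.

function New-EfsRecoveryAgentCert {
    param(
        [string]$BaseName = 'EfsRecovery2007',      # no extension: cipher /r appends .cer and .pfx
        [string]$WorkDir  = 'C:\EfsRecovery',       # assumed working folder
        [string]$SafeCopy = 'E:\EfsRecoveryBackup'  # assumed removable media kept offline
    )
    New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
    Push-Location $WorkDir
    try {
        # cipher /r prompts twice for the password that protects the .pfx, then writes
        # BaseName.cer (public certificate) and BaseName.pfx (certificate + private key).
        & cipher.exe "/r:$BaseName"
        if ($LASTEXITCODE -ne 0) { throw "cipher /r failed (exit code $LASTEXITCODE)" }

        $cer = Join-Path $WorkDir "$BaseName.cer"
        $pfx = Join-Path $WorkDir "$BaseName.pfx"
        foreach ($f in @($cer, $pfx)) {
            if (-not (Test-Path $f)) { throw "cipher /r did not create $f" }
        }

        # Read the public certificate (no private key involved) and record its thumbprint;
        # this is the value to match against the agent that later appears in the GPO.
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cer)
        Write-Host ("New recovery agent: {0}; thumbprint {1}; valid until {2}" -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter)

        # Both files go to the safe location. The .pfx is the only copy of the private key,
        # so the backup is the domain's data recovery secret: protect it accordingly.
        New-Item -ItemType Directory -Path $SafeCopy -Force | Out-Null
        Copy-Item -Path $cer, $pfx -Destination $SafeCopy
        return $cert
    }
    finally { Pop-Location }
}

function Update-EfsClientAfterPolicyChange {
    param([switch]$ReKey)
    # Pull the edited Default Domain Policy (gpupdate on XP / 2003; Windows 2000 uses
    # secedit /refreshpolicy machine_policy /enforce instead).
    & gpupdate.exe /force | Out-Null

    # cipher /u /n only lists the encrypted files on local drives and changes nothing,
    # so the scope of a re-key can be reviewed before anything is rewritten.
    & cipher.exe /u /n

    if ($ReKey) {
        # cipher /u rewrites the recovery field of every encrypted file on local drives
        # with the recovery agent from the policy that is now in effect.
        & cipher.exe /u
    }
}

# Usage (interactive: cipher /r asks for the .pfx password):
#   $new = New-EfsRecoveryAgentCert
#   ... add the .cer to the Default Domain Policy as described above ...
#   Update-EfsClientAfterPolicyChange -ReKey
```

Run cipher /u only after the client has received the updated policy; if it runs against the old policy it rewrites files with the agent you are about to remove.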
To determine whether you have the correct default recovery agent private key, use one of the following methods:
- Type efsinfo /r /u /c at a command prompt against a folder that contains encrypted files. This command determines the default recovery agent certificate thumbprint of the current EFS files. Import the .pfx backup files of the default recovery agent certificate and the default recovery agent private key to a trusted computer by using the Certificates Microsoft Management Console (MMC) snap-in. Compare the imported default recovery agent certificate thumbprint with the results of the efsinfo /r /u /c command. If the thumbprint matches, you have the correct default recovery agent private key.
Note You must delete the .pfx backup files from the trusted computer after you use them.
- Type efsinfo /r /c /u at a command prompt to determine the following:
- The default recovery agent certificate thumbprint of the current EFS files
- The certificate thumbprint of the user who encrypted the data
- If you cannot find the default recovery agent together with the associated private key, log on to the first domain controller that was installed in the Windows 2000 domain or in the Windows Server 2003 domain. Log on to the domain controller by using the domain administrator account that was used to create the domain. Open the Certificates MMC snap-in, and look for a "You have a private key that corresponds to this certificate" message in the properties of any of the File Recovery certificates.
Note Click the General tab in the File Recovery Properties dialog box to locate the "You have a private key that corresponds to this certificate" message.
If you locate this message, export the corresponding File Recovery certificate together with the private key. If the export is successful, you have the correct default recovery agent private key.
If you do not locate the message, log on to the domain controller by using all other administrator-level accounts. These administrator-level accounts may have been used to log on to the domain controller the first time that the Active Directory directory service was installed. After you use an administrator-level account to log on to the domain controller, check for any File Recovery certificates that have an associated private key.
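The checks above, scripted in Windows PowerShell. This is an added example and is not part of KB 929103. It assumes PowerShell 2.0 or later, efsinfo.exe from the Resource Kit on the path, and that efsinfo prints certificate thumbprints as 20 hex bytes with or without separators (an assumption about its output layout; the script harvests hex strings rather than parsing columns). Unlike the MMC import described above, the .pfx is read in memory only, so no private key is installed into a store and there is no backup copy to delete afterwards.

```powershell
# Added example, not from KB 929103. Paths are placeholders.

# EKU OID that Windows assigns to "File Recovery" (EFS recovery agent) certificates.
$FileRecoveryEku = '1.3.6.1.4.1.311.10.3.4.1'

function Get-EfsThumbprints {
    param([string]$Folder)
    # efsinfo /r /c /u prints, per encrypted file, the recovery agents' and the encrypting
    # user's certificate thumbprints. Harvest every 20-byte hex string in the output
    # (assumption about layout), normalised to upper-case hex without separators.
    $text = (& efsinfo.exe /r /c /u $Folder 2>&1) | Out-String
    $re = '(?<![0-9A-Fa-f])(?:[0-9A-Fa-f]{2}[ :-]?){20}(?![0-9A-Fa-f])'
    [regex]::Matches($text, $re) |
        ForEach-Object { ($_.Value -replace '[^0-9A-Fa-f]', '').ToUpper() } |
        Sort-Object -Unique
}

function Test-EfsRecoveryPfx {
    param([string]$PfxPath, [string]$Folder)
    $pwd = Read-Host -AsSecureString -Prompt "Password for $PfxPath"
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
    # DefaultKeySet without PersistKeySet: the key is loaded for this process only and is
    # not written into a certificate store. Reset() below releases it again.
    $cert.Import($PfxPath, $pwd, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet)
    try {
        if (-not $cert.HasPrivateKey) { throw "$PfxPath holds no private key and cannot recover files" }
        $onDisk = Get-EfsThumbprints -Folder $Folder
        $match = $onDisk -contains $cert.Thumbprint.ToUpper()
        $verdict = if ($match) { 'matches' } else { 'does NOT match' }
        Write-Host ("{0} (thumbprint {1}) {2} a recovery agent on the files under {3}" -f $PfxPath, $cert.Thumbprint, $verdict, $Folder)
        return $match
    }
    finally { $cert.Reset() }
}

function Find-FileRecoveryCertsWithPrivateKey {
    # The third method above, scripted: open the current user's Personal store read-only and
    # keep the certificates that carry the File Recovery EKU and a private key. Run it in each
    # administrator account that may have created the domain, starting with the first DC.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'CurrentUser')
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
    try {
        foreach ($c in $store.Certificates) {
            $eku = $c.Extensions |
                Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
                Select-Object -First 1
            $isRecovery = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $FileRecoveryEku })
            # HasPrivateKey is what the MMC shows as "You have a private key that corresponds
            # to this certificate": these are the certificates to export with their key.
            if ($isRecovery -and $c.HasPrivateKey) { $c }
        }
    }
    finally { $store.Close() }
}

# Usage:
#   Test-EfsRecoveryPfx -PfxPath 'E:\EfsRecoveryBackup\OldAgent.pfx' -Folder 'D:\Shares\Finance'
#   Find-FileRecoveryCertsWithPrivateKey | Format-List Subject, Thumbprint, NotAfter
```

Test-EfsRecoveryPfx returns $true when the thumbprint of the certificate in the .pfx appears among the agents that efsinfo reports, which is the same comparison the first method above makes by hand. Because the .pfx is never installed, keep it on the offline backup medium and mount that medium only for the duration of the check.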
After you create the new default recovery agent, connect to the domain, and then run the gpupdate /force command to apply the correct recovery policy.
If you use cached credentials to log on to the domain, you must obtain the changes to Group Policy to apply the new default recovery agent.
You cannot extend the life of the recovery agent certificate. The expired recovery agent certificate must be removed from the default domain policy. Windows 2000-based client computers require a valid recovery agent certificate. The Windows 2000-based client computers cannot encrypt any new documents until a valid recovery agent certificate is available.
When you install the first domain controller in a Windows 2000 domain or in a Windows Server 2003 domain, a default domain recovery agent certificate is created. The private key will be stored in the domain administrator’s profile on the first domain controller that is created in the domain. By default, this profile cannot be used as a roaming profile on other domain controllers. The default domain recovery agent certificate will have a three-year lifetime and cannot be renewed. When the default domain recovery agent certificate expires, use one of the following methods to replace the certificate:
- Obtain a new recovery agent certificate from a Microsoft Enterprise Certification Authority.
- Use the cipher command to create a new recovery agent certificate.
Note The cipher /r command generates an EFS recovery agent key and certificate and then writes the EFS recovery agent key and certificate to a .pfx file and a .cer file. The .pfx file contains the certificate and the recovery agent key. The .cer file contains only the certificate. An administrator can add the contents of the .cer file to the EFS recovery policy to create the recovery agent for users. Additionally, the administrator can import the .pfx file to recover individual files.
- Obtain a new recovery agent certificate from a third-party certification authority.
Keywords: kbtshoot kbexpertiseadvanced KB929103