Re: How to add EFS data recovery agents on Windows 2000 workgroup server


Steven L Umbach
05-10-2004, 11:46 PM
I realize my suggestion for using a CA to issue EFS RA certificates will not
work in the situation you are in as it will only work when using an
Enterprise CA in a domain as that certificate is not available on a stand
alone CA so scratch that recommendation. Sorry for the confusion. --- Steve

"Steven L Umbach" <n9rou@nscomcast.net> wrote in message news:...
> I have tried using that procedure and had to reboot before the new RA would
> work and you may need to follow the instructions on deleting the current RA
> from the Local Security Policy. My experience with using regsvr32
> sclgntfy.dll to regenerate a Recovery Agent in W2K is that it will only work
> on the built in administrator account even if you logon as a different user
> to try it. I found if I first export the original RA certificate and private
> key to a .pfx file first [selecting delete private key during export] and
> then delete the certificate from the personal certificate store, I can then
> generate the new RA for administrator and it is automatically added to Local
> Security Policy as RA [reboot may be needed]. Then I could go back and
> import the original certificate/private key from the .pfx file. After that I
> could export the certificate only to a .cer file and also add it to the
> Local Security Policy as an RA via "add" and select folder where the
> certificate was exported to. Then there would be two RA certificates, but
> both for the built in administrator account.
>
> Personally I would rather install the Certificate Authority on your server
> and use it to generate RA certificates as it is really not hard to do or
> experimenting with a RA certificate generated on an XP Pro box using the
> cipher /r command as Drew Cooper suggested. --- Steve
>
> "Klaus" <kdpdel@telus.net> wrote in message
> news:93de0f5c.0405091706.27ebac84@posting.google.com...
> > Steve, sorry to respond late (I was away for a while). I tried to
> > re-register the RA using http://support.microsoft.com/?kbid=257705 but
> > it did not work for me as outlined.
> >
> > Had no problem with the following the instructions but after I
> > completed all the steps and logged on with new recovery agent I
> > noticed that I no longer could encrypt files (got message "there is no
> > valid encryption recovery policy configured for this system).
> >
> > When I checked the server's local security settings, there was no
> > Recovery Agent defined under folders Public Key Policies > Encrypted
> > File System
> >
> > I even tried to logon with the original RA (administrator) to see if
> > this would recreate the original recovery agent but no luck either.
> >
> > Any quick idea or should I lean towards going with Windows 2003, which
> > seems to have more EFS options/flexibility ?
> >
> >
> >
> >
> > "Steven L Umbach" <sumbach@N0spam.ameritech.net> wrote in message
> > news:<uHD1FfJKEHA.4032@TK2MSFTNGP10.phx.gbl>...
> > > I know you can replace the existing RA, but I don't think you can add
> > > another one without a Certificate Authority which is why you are having
> > > the difficulty you are. W2K server has the capability to become a CA in
> > > add/remove windows components. You might try adding another one as
> > > described in how to replace an existing one in the KB link but I would
> > > be very careful and use efsinfo to view the results. --- Steve
> > >
> > > http://support.microsoft.com/?kbid=257705
> > >
> > > http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B243026 ---
> > > efsinfo.
> > > http://support.microsoft.com/default.aspx?scid=kb;EN-US;223316 ---
> > > anyone using EFS should read this.
> > >
> > > "Klaus" <kdpdel@telus.net> wrote in message
> > > news:93de0f5c.0404220913.afbefbb@posting.google.com...
> > > > Looking for information to add a 2nd EFS recovery agent
> > > > (non-administrator account) to a Windows 2000 standalone server.
> > > >
> > > > Having troubles creating a valid .cer file in Windows 2000, that is
> > > > required when running the W2K recovery agent wizard via MMC Local
> > > > group policy interface (local computer policy > windows settings >
> > > > security settings > public key policies > encrypted data recovery
> > > > agent).
> > > >
> > > > Is there an equivalent "cipher /r" (used in windows 2003) command that
> > > > I can use in Windows 2000 to create a .cer file ?
> > > >
> > > > Using the MMC Certificate snapin (certificate - current user >
> > > > personal > certificates) to export a certificate to a .cer file, while
> > > > logged into server with account to be used for 2nd recovery agent
> > > > user, did not produce a .cer file that was accepted.
>
>
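The "cipher /r" route Steve mentions, followed by the check that explains why Klaus's snap-in export was rejected: the Add Recovery Agent wizard wants a certificate carrying the File Recovery EKU, which a user's own EFS certificate does not have. This is an added example, not code from the thread; it assumes an XP Pro or Windows 2003 box where cipher /r exists, PowerShell being available on it, and an output path of C:\efs-ra.

```powershell
# Added example (not from the thread): generate an EFS recovery agent
# certificate with "cipher /r" on an XP Pro / Windows 2003 box, then check
# that the resulting .cer carries the File Recovery EKU that the W2K
# "Add Recovery Agent" wizard requires. Output path is an assumption.
param(
    [string]$BaseName = "C:\efs-ra\efsra"   # assumed; cipher appends .cer/.pfx
)

# OIDs used by Microsoft's EFS certificates.
$EfsUserOid      = "1.3.6.1.4.1.311.10.3.4"    # "Encrypting File System" (user cert)
$FileRecoveryOid = "1.3.6.1.4.1.311.10.3.4.1"  # "File Recovery" (recovery agent cert)

New-Item -ItemType Directory -Force -Path (Split-Path $BaseName) | Out-Null

# cipher /r:<basename> writes <basename>.cer (public cert only) and
# <basename>.pfx (cert + private key); cipher prompts for the .pfx password.
& cipher.exe "/r:$BaseName"
if ($LASTEXITCODE -ne 0) { throw "cipher /r failed with exit code $LASTEXITCODE" }

function Test-EfsRecoveryAgentCert {
    param([string]$CerPath)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
    $ekus = @()
    foreach ($ext in $cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $ekus += $ext.EnhancedKeyUsages | ForEach-Object { $_.Value }
        }
    }
    [pscustomobject]@{
        Subject         = $cert.Subject
        Thumbprint      = $cert.Thumbprint
        NotAfter        = $cert.NotAfter
        EKUs            = ($ekus -join ", ")
        # A Certificates-snap-in export of a user's own EFS cert carries this one...
        IsUserEfsCert   = ($ekus -contains $EfsUserOid)
        # ...but the recovery agent wizard only accepts this one.
        IsRecoveryAgent = ($ekus -contains $FileRecoveryOid)
    }
}

$result = Test-EfsRecoveryAgentCert "$BaseName.cer"
$result | Format-List
if (-not $result.IsRecoveryAgent) {
    Write-Warning "This .cer lacks the File Recovery EKU; the wizard will reject it."
}
```

Copy only the .cer to the W2K server and add it under Local Security Policy > Public Key Policies > Encrypted Data Recovery Agents; keep the .pfx (the private key that can decrypt every file covered by the policy) off the server, and confirm the new agent shows up on freshly encrypted files with efsinfo as Steve suggests.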