EFS Issue

blankmonkey
Ok, here's the thing.

Back in the day we didn't use EFS, and our first DC failed and was replaced. Only later did we find out the DRA cert was on this server, and we now needed to make a new one to get EFS to work. No problem, we created a DRA account, and made it an admin with the DRA cert. But a side effect of this is that we would have to go in and renew the cert in two years. So I carefully wrote down the password, and forgot about it for one year and 10 months.

So now I go back, and I try to log into the DRA account, and it won't let me in. In spite of the fact I carefully wrote down the password in detail, it keeps telling me "The system can't log you on" and acts like the password is bad. The password is 16 characters long, random, and highly complex, and can't be cracked (if you think you can, please let me know).

So;

1) What is going to happen when this cert expires?

2) Can I reset the password, and log in and renew the cert?

3) Is there another way to renew this cert?

Thanks all for your help

Brian Komar (MVP)
Answers inline....

"blankmonkey" <blankmonkey@discussions.microsoft.com> wrote in message news:318F9864-A729-4230-A269-DA44A4604171@microsoft.com...

> Ok, here's the thing.
> Back in the day we didn't use EFS, and our first DC failed and was replaced.
> Only later did we find out the DRA cert was on this server, and we now needed to make a new one to get EFS to work. No problem, we created a DRA account, and made it an admin with the DRA cert. But a side effect of this is that we would have to go in and renew the cert in two years. So I carefully wrote down the password, and forgot about it for one year and 10 months.
>
> So now I go back, and I try to log into the DRA account, and it won't let me in. In spite of the fact I carefully wrote down the password in detail, it keeps telling me "The system can't log you on" and acts like the password is bad. The password is 16 characters long, random, and highly complex, and can't be cracked (if you think you can, please let me know).
>
> So;
> 1) What is going to happen when this cert expires?

EFS will stop working

> 2) Can I reset the password, and log in and renew the cert?

As long as it is a domain account, you can reset the password and then log on AT THE COMPUTER WHERE YOU CREATED THE CERTIFICATE. As long as the user profile is still intact, you will regain access to the certificate.

> 3) Is there another way to renew this cert?

You could manually create a certificate using CIPHER /R to generate a much longer-lived certificate.

> Thanks all for your help

blankmonkey
Brian, ty for the reply.

So it sounds like I can just reset the password, logon to the account (same machine) and renew the cert. Will I still be able to recover older files if needed?

Also, your suggestion about

> You could manually create a certificate using CIPHER /R to generate a much longer-lived certificate.

sounds like a great idea, but how would I replace the existing cert? Would I still be able to un-encrypt older files? How would I associate the new longer Cert with EFS?

Thanks again for your input and help!

Brian Komar (MVP)
more inline...

"blankmonkey" <blankmonkey@discussions.microsoft.com> wrote in message news:8E323B27-3C7A-411B-AE62-A997ECE249EC@microsoft.com...

> Brian, ty for the reply.
>
> So it sounds like I can just reset the password, logon to the account (same machine) and renew the cert. Will I still be able to recover older files if needed?

As long as you have access to the private key, yes.

> Also, your suggestion about
>
>> You could manually create a certificate using CIPHER /R to generate a much longer-lived certificate.
>
> sounds like a great idea, but how would I replace the existing cert?

You would be generating the new certificate, and then replacing the old certificate with the new one in AD. You would still keep the old certificate and private key for operations.

> Would I still be able to un-encrypt older files?

You would update the older files using CIPHER /U

> How would I associate the new longer Cert with EFS?

Again, defining it in the Default Domain GPO under EFS

> Thanks again for your input and help!
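The rotation Brian describes (generate a new agent with CIPHER /R, publish it in the Default Domain GPO, re-stamp existing files with CIPHER /U) as an added PowerShell example; it is not from the thread or from Microsoft, and the output paths, the scan root and the text layout parsed from CIPHER /C are assumptions.

```powershell
# Added example (not from the thread): rotate an EFS Data Recovery Agent as the
# answers above describe, then check which encrypted files now list the new agent.
# Assumptions: run elevated on the domain-joined machine where the files can be
# decrypted; $OutBase and $ScanRoot are placeholders; the "cipher /c" layout parsed
# in Get-EfsRecoveryThumbprints is assumed from observed output, not documented.
param(
    [string]$OutBase  = 'C:\DRA\dra-new',     # placeholder: cipher /r writes <OutBase>.cer and .pfx
    [string]$ScanRoot = 'D:\Shares\Finance'   # placeholder: tree holding EFS-encrypted files
)

# 1. Generate the new DRA key pair. cipher /r prompts for a password protecting the
#    .pfx; keep that .pfx (and the OLD one, which still decrypts older files) offline.
cipher "/r:$OutBase"
if ($LASTEXITCODE -ne 0) { throw "cipher /r failed" }

# 2. Read the public certificate: confirm the lifetime is really longer than the
#    two-year template cert the thread worries about, and record its thumbprint.
$newCert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 "$OutBase.cer"
"New DRA: {0}, valid until {1:yyyy-MM-dd}" -f $newCert.Subject, $newCert.NotAfter
$newThumb = $newCert.Thumbprint.ToUpperInvariant()

# 3. Publish the .cer as a recovery agent (Computer Configuration > Windows Settings >
#    Security Settings > Public Key Policies > Encrypting File System) in the Default
#    Domain Policy; that is a manual GPMC step, then refresh policy on this host.
Read-Host "Add $OutBase.cer as a DRA in the EFS policy, then press Enter"
gpupdate /target:computer /force | Out-Null

# 4. Re-stamp the recovery field of every encrypted file the current user can decrypt.
cipher /u | Out-Null

# 5. Verify: list files whose recovery certificates do not yet include the new thumbprint.
function Get-EfsRecoveryThumbprints([string]$Path) {
    $text    = (cipher /c $Path) -join "`n"
    $section = ($text -split 'Recovery Certificates:')[1]   # assumed section header
    if (-not $section) { return @() }
    [regex]::Matches($section, 'Certificate thumbprint:\s*([0-9A-Fa-f ]+)') |
        ForEach-Object { ($_.Groups[1].Value -replace ' ', '').ToUpperInvariant() }
}

Get-ChildItem -Path $ScanRoot -Recurse -File |
    Where-Object { $_.Attributes -band [IO.FileAttributes]::Encrypted } |
    ForEach-Object {
        $thumbs = Get-EfsRecoveryThumbprints $_.FullName
        if ($thumbs -notcontains $newThumb) { "NOT updated: $($_.FullName)" }
    }
```

Files reported as not updated are the ones that would still depend solely on the old agent's private key, so that key must stay recoverable until the list is empty.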
