blankmonkey, posted March 24, 2008

Ok, here's the thing. Back in the day we didn't use EFS, and our first DC failed and was replaced. Only later did we find out the DRA cert was on this server, and we now needed to make a new one to get EFS to work. No problem, we created a DRA account, and made it an admin with the DRA cert. But a side effect of this is that we would have to go in and renew the cert in two years. So I carefully wrote down the password, and forgot about it for one year and 10 months.

So now I go back, and I try to log into the DRA account, and it won't let me in. In spite of the fact I carefully wrote down the password in detail, it keeps telling me "The system can't log you on" and acts like the password is bad. The password is 16 characters long, random, and highly complex, and can't be cracked (if you think you can, please let me know).

So;
1) What is going to happen when this cert expires?
2) Can I reset the password, and log in and renew the cert?
3) Is there another way to renew this cert?

Thanks all for your help
Brian Komar (MVP), posted March 24, 2008

Answers inline....

"blankmonkey" <blankmonkey@discussions.microsoft.com> wrote in message news:318F9864-A729-4230-A269-DA44A4604171@microsoft.com...

> Ok, here's the thing.
> Back in the day we didn't use EFS, and our first DC failed and was replaced.
> Only later did we find out the DRA cert was on this server, and we now needed to make a new one to get EFS to work. No problem, we created a DRA account, and made it an admin with the DRA cert. But a side effect of this is that we would have to go in and renew the cert in two years. So I carefully wrote down the password, and forgot about it for one year and 10 months.
>
> So now I go back, and I try to log into the DRA account, and it won't let me in. In spite of the fact I carefully wrote down the password in detail, it keeps telling me "The system can't log you on" and acts like the password is bad. The password is 16 characters long, random, and highly complex, and can't be cracked (if you think you can, please let me know).
>
> So;
> 1) What is going to happen when this cert expires?

EFS will stop working

> 2) Can I reset the password, and log in and renew the cert?

As long as it is a domain account, you can reset the password and then log on AT THE COMPUTER WHERE YOU CREATED THE CERTIFICATE. As long as the user profile is still intact, you will regain access to the certificate.

> 3) Is there another way to renew this cert?

You could manually create a certificate using CIPHER /R to generate a much longer-lived certificate.

> Thanks all for your help
blankmonkey, posted March 24, 2008

Brian, ty for the reply.

So it sounds like I can just reset the password, logon to the account (same machine) and renew the cert. Will I still be able to recover older files if needed?

Also, your suggestion about

> You could manually create a certificate using CIPHER /R to generate a much
> longer-lived certificate.

sounds like a great idea, but how would I replace the existing cert? Would I still be able to un-encrypt older files? How would I associate the new longer cert with EFS?

Thanks again for your input and help!
Brian Komar (MVP), posted March 25, 2008

more inline...

"blankmonkey" <blankmonkey@discussions.microsoft.com> wrote in message news:8E323B27-3C7A-411B-AE62-A997ECE249EC@microsoft.com...

> Brian, ty for the reply.
>
> So it sounds like I can just reset the password, logon to the account (same machine) and renew the cert. Will I still be able to recover older files if needed?

As long as you have access to the private key, yes.

> Also, your suggestion about
>> You could manually create a certificate using CIPHER /R to generate a much
>> longer-lived certificate.
>
> sounds like a great idea, but how would I replace the existing cert?

You would be generating the new certificate, and then replacing the old certificate with the new one in AD. You would still keep the old certificate and private key for operations.

> Would I still be able to un-encrypt older files?

You would update the older files using CIPHER /U

> How would I associate the new longer cert with EFS?

Again, defining it in the Default Domain GPO under EFS

> Thanks again for your input and help!
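The procedure the two replies sketch (log on where the certificate was enrolled, check the existing recovery-agent key, generate a longer-lived recovery certificate with CIPHER /R, publish it through the Default Domain GPO, then refresh existing files with CIPHER /U), as an added PowerShell walk-through that is not part of the thread and not Microsoft's own guidance. The working folder C:\DRA, the file name NewDRA and the use of the File Recovery EKU OID to pick out the DRA certificate are assumptions; the GPO step is a console action and appears only as a comment.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell session while
# logged on as the (password-reset) DRA account on the machine where the original
# certificate was enrolled. C:\DRA and the name NewDRA are assumed values.

# --- Step 1: locate the current recovery-agent certificate and see how long it has left.
# 1.3.6.1.4.1.311.10.3.4.1 is the "File Recovery" enhanced key usage carried by a DRA cert.
$fileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'
$dra = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $fileRecoveryOid }
$dra | Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey | Format-Table -AutoSize

# HasPrivateKey must be True: the certificate alone cannot decrypt anything, which is
# why the user profile on the original machine matters.
if (-not ($dra | Where-Object HasPrivateKey)) {
    Write-Warning 'No recovery-agent certificate with a private key in this profile.'
}

# --- Step 2: generate a replacement recovery certificate with cipher.exe.
# cipher /r writes NewDRA.cer (public certificate, goes into the GPO) and NewDRA.pfx
# (certificate plus private key, protected by the password cipher prompts for).
New-Item -ItemType Directory -Path C:\DRA -Force | Out-Null
cipher.exe /r:C:\DRA\NewDRA
certutil.exe -dump C:\DRA\NewDRA.cer | Select-String 'Subject:|NotAfter'

# --- Step 3 (console, not scripted here): in GPMC open the Default Domain Policy,
# Computer Configuration > Policies > Windows Settings > Security Settings >
# Public Key Policies > Encrypting File System, right-click > Add Data Recovery Agent,
# and import C:\DRA\NewDRA.cer. Leave the old DRA certificate listed until every file
# has been updated, as the reply above says: the old key is still needed for operations.
# Store NewDRA.pfx offline; it is only imported on the machine performing a recovery.

# --- Step 4: once the policy has replicated, on each client (as the file owner)
# rewrite the recovery field of existing encrypted files so they carry the new agent.
gpupdate.exe /target:computer /force
cipher.exe /u /n    # dry run: lists the encrypted files on local drives without changing them
cipher.exe /u       # updates the recovery-agent key on every encrypted file on local drives

# --- Recovery later: import the PFX only on the machine doing the recovery, then decrypt.
# Import-PfxCertificate -FilePath C:\DRA\NewDRA.pfx -CertStoreLocation Cert:\CurrentUser\My `
#     -Password (Read-Host -AsSecureString 'PFX password')
# cipher.exe /d C:\path\to\file.txt
```

Step 1 answers the "will older files still be recoverable" question directly: as long as the listed certificate shows HasPrivateKey as True, that profile can still open files whose recovery field names it. Step 4 is what makes the new certificate matter for files encrypted before the policy change; files created after the GPO applies pick up the new agent automatically.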