So, if the administrator on the first DC in the domain is the default EFS
recovery agent and my office grows to 5 DCs and 100 users with EFS folders
all over the place for various reasons
AND I demote the first DC because it is an old PC and tooooo slow
Where do the EFS recovery keys go?

Re: EFS and the domain by Herb

Herb
Fri Nov 28 03:00:04 CST 2003

"Nettransplant" <nettransplant@hotmail.com> wrote in message
news:RTCxb.510406$6C4.146363@pd7tw1no...
> So, if the administrator on the first DC in the domain is the default EFS
> recovery agent and my office grows to 5 DCs and 100 users with EFS folders
> all over the place for various reasons
> AND I demote the first DC because it is an old PC and tooooo slow
> Where do the EFS recovery keys go?

It's not the "Administrator on the first DC" but rather the "first
Administrator on the Domain".

DCs don't have local accounts (when operating as DCs), but rather the
administrator is a domain account.

(DCs do have a private SAM or local accounts database that is ONLY ACTIVE
when they are booted into either the "Recovery Console" or in "Directory
Services Restore mode". The admin account there has no domain privileges or
responsibilities, except maintenance on the DC.)
--
Herb Martin



Re: EFS and the domain by Nettransplant

Nettransplant
Fri Nov 28 23:13:42 CST 2003

Thanks, clear now.



Re: EFS and the domain by Herb

Herb
Sat Nov 29 04:42:41 CST 2003

BTW, Does everyone remember (all of) their DC "local admin passwords"?

Good practice says this should NOT be the same as the Domain Admins,
and probably shouldn't be the same on more than one DC.

Since it is seldom used (if things go right), it is essential to REMEMBER
the DC local password (or even write it down and lock it up.)

--
Herb Martin



Re: EFS and the domain by Roger

Roger
Sun Nov 30 17:09:34 CST 2003

"Herb Martin" <news@LearnQuick.com> wrote in message
news:OLOKFWmtDHA.3496@TK2MSFTNGP11.phx.gbl...
> BTW, Does everyone remember (all of) their DC "local admin passwords"?
>
> Good practice says this should NOT be the same as the Domain Admins,
> and probably shouldn't be the same on more than one DC.
>
> Since it is seldom used (if things go right), it is essential to REMEMBER
> the DC local password (or even write it down and lock it up.)
>
> --
> Herb Martin

And I might add, the name the Administrator account
was renamed to be. Remember, local security policy
does have an effect on this account in the local SAM.

--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA