Steven
Fri Aug 25 21:04:54 CDT 2006
I don't believe you have to delete it as long as the new one shows in Group
Policy. If you do remove it from the Group Policy setting, be sure NOT to delete
that certificate on the computer where it exists or on backup media, as you may
still need it sometime to decrypt a file that does not get updated with the
new RA. Be sure you add the new RA certificate to the same GPO that shows
the expired RA certificate. Possibly your computers have not refreshed Group
Policy yet to be aware of the new RA certificate, as that can take up to two
hours, though a reboot of a domain workstation should fix that right away.
You can run rsop.msc on any XP Pro domain computer that is in the scope of
influence of the Group Policy that contains the RA, and you should see it in
the rsop.msc results if the GP has propagated correctly.
Steve
"Bob A" <BobA@discussions.microsoft.com> wrote in message
news:51970D6A-6E00-4BEB-BB55-45C5C5DCEF52@microsoft.com...
> Thanks Steve,
>
> I was able to request and install a new RA from the CA, but I still can't
> encrypt a file. Same error about no recovery agent. Do I need to delete the
> expired certificate?
>
> v/r
>
> - Bob
>
> "Steven L Umbach" wrote:
>
>> Do you have a Certificate Authority on your network? If you do, you can
>> request a new one from it while logged on as a domain level administrator.
>> Otherwise you can use an XP Pro computer and use cipher to create a RA. Then
>> you can import the .cer file created into the Group Policy where you have
>> the EFS RA configured. The .cer file is not sensitive, but the .pfx file is,
>> as it contains the private key used for decryption, and you need to provide a
>> password for it. You want to keep the RA .pfx file on a secure computer or
>> copy it to external media and keep it in a couple of safe places. Even if you
>> leave it on a secure computer, keep a couple of copies in safe places and do
>> NOT forget the password. The article below explains what you need to know
>> for XP Pro, but in your case you want to import the RA certificate into the
>> domain level Group Policy that is configured to use it, which may be Domain
>> Security Policy.
>>
>> Steve
>>
>> http://support.microsoft.com/kb/887414
>>
>> "Bob A" <BobA@discussions.microsoft.com> wrote in message
>> news:C849B1DF-F4AD-4538-B6CE-5FBE350CFDA9@microsoft.com...
>> > Good Day. I have a Win2K AD domain controller with an expired Administrator
>> > certificate under the Domain Security Policy Encrypted Data Recovery Agents.
>> > I want to encrypt some files, but can't with an expired recovery agent
>> > certificate. How do I renew this certificate? Is there a "How to:" article
>> > with the step-by-step procedures? Google search and TechNet search didn't
>> > yield much.
>> >
>> > Thanks in advance,
>> >
>> > - Bob
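The thread turns on two checks an administrator would want to make before and after importing a recovery agent into the GPO: is the .cer file being imported actually unexpired, and does it carry the EFS File Recovery usage. The script below is an added example written for this page; it is not code from the thread or from Microsoft. It assumes the .cer files were produced with `cipher /r:<name>` as Steve describes, and the paths under C:\EFS-RA are placeholders. Run it on the XP Pro or later machine where the files live, then use rsop.msc (or `gpupdate /force` followed by rsop.msc) to confirm the same thumbprint shows up in the applied policy.

```powershell
# Added example, not from the original thread: inspect EFS recovery agent
# .cer files and report expiry and the File Recovery EKU, so the certificate
# being added to the GPO can be compared against the expired one.
# Assumption: files were created with "cipher /r:<name>"; paths are placeholders.

function Test-EfsRecoveryAgentCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [string]$Path
    )
    process {
        # OID for the "File Recovery" enhanced key usage that EFS RA certificates carry.
        $fileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'

        $fullPath = (Resolve-Path -Path $Path).Path
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $fullPath
        $now  = Get-Date

        # Collect the EKU OIDs present on the certificate (there may be none).
        $ekuOids = @()
        foreach ($ext in $cert.Extensions) {
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                $ekuOids += $ext.EnhancedKeyUsages | ForEach-Object { $_.Value }
            }
        }

        # One row per certificate; IsExpired is the field that answers Bob's question.
        [pscustomobject]@{
            Path            = $fullPath
            Subject         = $cert.Subject
            Thumbprint      = $cert.Thumbprint
            NotBefore       = $cert.NotBefore
            NotAfter        = $cert.NotAfter
            IsExpired       = ($now -gt $cert.NotAfter)
            DaysRemaining   = [math]::Floor(($cert.NotAfter - $now).TotalDays)
            HasFileRecovery = ($ekuOids -contains $fileRecoveryOid)
        }
    }
}

# Usage (placeholder directory): list the old and new RA certificates side by side.
# A certificate with IsExpired = True or HasFileRecovery = False will not serve as
# a usable recovery agent once imported into the GPO.
Get-ChildItem -Path 'C:\EFS-RA\*.cer' |
    ForEach-Object { Test-EfsRecoveryAgentCertificate -Path $_.FullName } |
    Format-Table Subject, Thumbprint, NotAfter, IsExpired, DaysRemaining, HasFileRecovery -AutoSize
```

The function only reads the public .cer file, so it is safe to run anywhere; the matching .pfx holds the private key and, as the thread says, stays on secure media. The Thumbprint column is what to match against the entry under Encrypted Data Recovery Agents in rsop.msc once Group Policy has refreshed.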