EFS Issue

Thread starter: blankmonkey

blankmonkey

Ok, here's the thing.
Back in the day we didn't use efs, and our first DC failed and was replaced.
Only later did we find out the DRA cert was on this server, and we now
needed to make a new one to get EFS to work. No problem, we created a DRA
account, and made it an admin with the DRA cert. But a side effect of this
is that we would have to go in and renew the cert in two years. So I
carefully wrote down the password, and forgot about it for one year and 10
months.

So now I go back, and I try to log into the DRA account, and it won't let me
in. In spite of the fact I carefully wrote down the password in detail, it
keeps telling me "The system can't log you on" and acts like the password is
bad. The password is 16 characters long, random, and highly complex, and
can't be cracked (if you think you can, please let me know).

So
1) What is going to happen when this cert expires?
2) Can I reset the password, and log in and renew the cert?
3) is there another way to renew this cert?

Thanks all for your help
 
Answers inline....

"blankmonkey" wrote in message
news:318F9864-A729-4230-A269-DA44A4604171@microsoft.com...
> Ok, here's the thing.
> Back in the day we didn't use efs, and our first DC failed and was
> replaced.
> Only later did we find out the DRA cert was on this server, and we now
> needed to make a new one to get EFS to work. No problem, we created a DRA
> account, and made it an admin with the DRA cert. But a side effect of
> this
> is that we would have to go in and renew the cert in two years. So I
> carefully wrote down the password, and forgot about it for one year and 10
> months.
>
> So now I go back, and I try to log into the DRA account, and it won't let
> me
> in. In spite of the fact I carefully wrote down the password in detail,
> it
> keeps telling me "The system can't log you on" and acts like the password
> is
> bad. The password is 16 characters long, random, and highly complex, and
> can't be cracked (if you think you can, please let me know).
>
> So
> 1) What is going to happen when this cert expires?


EFS will stop working

> 2) Can I reset the password, and log in and renew the cert?

As long as it is a domain account, you can reset the password and then log
on **AT THE COMPUTER WHERE YOU CREATED THE CERTIFICATE**
As long as the user profile is still intact, you will regain access to the
certificate.

> 3) is there another way to renew this cert?


You could manually create a certificate using CIPHER /R to generate a much
longer-lived certificate.

>
> Thanks all for your help
 
Brian, ty for the reply.

So it sounds like I can just reset the password, logon to the account (same
machine) and renew the cert. Will I still be able to recover older files if
needed?

Also, your suggestion about

> You could manually create a certificate using CIPHER /R to generate a much
> longer-lived certificate.


sounds like a great idea, but how would I replace the existing cert? Would
I still be able to un-encrypt older files? How would I associate the new
longer Cert with EFS?

Thanks again for your input and help!
 
more inline...
"blankmonkey" wrote in message
news:8E323B27-3C7A-411B-AE62-A997ECE249EC@microsoft.com...
> Brian, ty for the reply.
>
> So it sounds like I can just reset the password, logon to the account
> (same
> machine) and renew the cert. Will I still be able to recover older files
> if
> needed?


As long as you have access to the private key, yes.
>
> Also, your suggestion about
>
>> You could manually create a certificate using CIPHER /R to generate a
>> much
>> longer-lived certificate.

>
> sounds like a great idea, but how would I replace the existing cert?

You would be generating the new certificate, and then replacing the old
certificate with the new one in AD.
You would still keep the old certificate and private key for operations.

> Would
> I still be able to un-encrypt older files?

You would update the older files using CIPHER /U

> How would I associate the new
> longer Cert with EFS?
>

Again, defining it in the Default Domain GPO under EFS

> Thanks again for your input and help!
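The procedure Brian describes across his two replies (CIPHER /R for a new, longer-lived recovery agent certificate, publishing it through the Default Domain GPO, then CIPHER /U to re-stamp existing files), put together as an added example. This is not code from the thread or from Microsoft; the paths, the date-stamped file name and the offline-media location are placeholders you would choose yourself, and the expiry check at the top is an extra step that answers the "what happens when it expires" question before it becomes a problem.

```powershell
# Added example, not part of the original thread.
# Assumptions: run from an elevated PowerShell session on a domain-joined
# machine, as the account that will hold the recovery agent key.
# $DraBase and $OfflineStore are placeholder paths (constructed for this example).
$DraBase      = "C:\DRA\efs-dra-$(Get-Date -Format yyyyMMdd)"   # cipher writes .cer and .pfx here
$OfflineStore = "E:\dra-offline\"                               # removable media, NOT a domain controller

# 0) Find out how long the current recovery agent certificate has left.
#    The EFS "File Recovery" enhanced key usage has OID 1.3.6.1.4.1.311.10.3.4.1.
$fileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $fileRecoveryOid } |
    Select-Object Subject, Thumbprint, NotAfter,
                  @{ Name = 'DaysLeft'; Expression = { [int]($_.NotAfter - (Get-Date)).TotalDays } }

# 1) Generate a new self-signed recovery agent certificate and private key.
#    CIPHER /R prompts interactively for a password that protects the .pfx file.
New-Item -ItemType Directory -Path (Split-Path $DraBase) -Force | Out-Null
cipher.exe /R:$DraBase
if ($LASTEXITCODE -ne 0) { throw "cipher /R failed with exit code $LASTEXITCODE" }

# 2) Get the private key off this machine. The thread's original problem was a
#    DRA key that lived only on a DC that failed; keep the .pfx on offline media
#    and keep the OLD key as well, since files not yet re-stamped still need it.
Move-Item -Path "$DraBase.pfx" -Destination $OfflineStore
Get-Item "$DraBase.cer" | Format-List Name, Length   # only the public half stays here

# 3) Publish the public certificate as a recovery agent (GUI step, per Brian's reply):
#    Group Policy Management -> Default Domain Policy -> Computer Configuration ->
#    Windows Settings -> Security Settings -> Public Key Policies ->
#    Encrypting File System -> Add Data Recovery Agent -> browse to "$DraBase.cer".
#    Leave the existing DRA certificate in the policy until every file is updated.

# 4) Once policy has refreshed, inventory encrypted files without touching them,
#    then update them so their recovery field carries the new agent's public key.
#    CIPHER /U only reaches files the current user can decrypt, so run it as each
#    user who owns encrypted files, not just once as an administrator.
gpupdate.exe /force
cipher.exe /U /N        # /N lists encrypted files on local drives, changes nothing
cipher.exe /U           # re-stamps with the current user key and current recovery agents

# 5) Spot-check a file. CIPHER /C (Vista / Server 2008 and later) lists the users
#    and recovery certificates that can decrypt it; the new thumbprint should appear.
cipher.exe /C "C:\Users\Public\Documents\example.txt"   # placeholder path
```

The inventory pass (`/U /N`) is worth running first on a file server so you know how many files the update will touch and which users own them; a recovery agent added to the GPO does nothing for files that were never re-stamped, which is why Brian's answer keeps the old certificate and key around rather than simply swapping them out.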
 