Credential Roaming - EFS
We are trying to implement domain based EFS for our laptops. We have created all the relevant KRA/DRAs on our Server 2003 R2 SP2 Enterprise CA. Testing on an XP SP3 client system we can successfully encrypt files with a certificate provided by the CA. Our users work on multiple PCs so we then decided to implement Credential Roaming. Following Microsoft's guide we updated our AD schema (by doing a Server 2008 "adprep /forestprep") and configured relevant group policies as recommended.

In our lab we have two laptops set up to log on with local profiles only. If we log on 'User1' to the first laptop they get a certificate issued from the CA which allows them to encrypt files on the machine. If we look at User1's AD account the certificate appears under Published Certificates. However, the problem starts when we try to roam to the second laptop. 'User1' logs on and tries to encrypt a file. The error message "No EFS certificate available" appears. If we look in CertMgr.msc we can see the certificate listed under 'Active Directory User Object' on this laptop. If we run efsinfo /Y on laptop 1 we get the correct certificate thumbnail displayed. The same command on laptop 2 displays nothing. If we copy the 'systemcertificates', 'crypto', and 'protect' folders over from User1's local profile on the first laptop we can encrypt successfully.

Can anyone suggest where we are going wrong?
August 1st, 2008 5:50pm
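A client-side check for the symptom described above (certificate visible in CertMgr but EFS reports none), as an added example that is not part of the original thread. It assumes PowerShell 2.0 or later on the client; the EFS EKU OID and the EFS\CurrentKeys registry value are the standard Windows locations, and the function names are illustrative.

```powershell
# Added diagnostic (not from the thread): does the logged-on user hold a usable
# EFS certificate, and does it match the key EFS has selected on this machine?
# Assumes PowerShell 2.0+; function names are illustrative.
$EfsEku = '1.3.6.1.4.1.311.10.3.4'   # Encrypting File System EKU OID

function Get-EfsCandidateCert {
    # Certificates in the user's personal store that carry the EFS EKU.
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $eku = $_.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $EfsEku })
    }
}

function Get-EfsCurrentKeyThumbprint {
    # EFS stores the SHA-1 hash of the certificate it will use under this key.
    $key = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys'
    $item = Get-ItemProperty -Path $key -Name CertificateHash -ErrorAction SilentlyContinue
    if (-not $item) { return $null }
    ($item.CertificateHash | ForEach-Object { $_.ToString('X2') }) -join ''
}

function Test-EfsRoamingState {
    $certs   = @(Get-EfsCandidateCert)
    $usable  = @($certs | Where-Object { $_.HasPrivateKey })
    $current = Get-EfsCurrentKeyThumbprint

    if ($certs.Count -eq 0) {
        'No EFS-capable certificate in CurrentUser\My: nothing was roamed or enrolled.'
    } elseif ($usable.Count -eq 0) {
        'EFS certificate present but its private key is missing: key material did not roam.'
    } else {
        'Usable EFS certificate(s): ' + (($usable | ForEach-Object { $_.Thumbprint }) -join ', ')
    }

    if (-not $current) {
        'EFS CurrentKeys not set: no certificate has been selected on this machine yet.'
    } elseif ($usable | Where-Object { $_.Thumbprint -eq $current }) {
        "CurrentKeys ($current) matches a usable certificate; cipher /y should show it."
    } else {
        "CurrentKeys ($current) matches no usable certificate; cipher /y or efsinfo /Y will report nothing."
    }
}

Test-EfsRoamingState
```

Run it as the roaming user on each laptop; the "private key is missing" branch is the state the thread describes on laptop 2, where the certificate arrived but the key material did not.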

You have not deployed CRS correctly. When deployed correctly, the certificates stored in AD (in the CRS attributes, not in the userCertificate attribute) will load at each client computer during the initial logon (before autoenrollment requests are processed). Typically, this is due to not running "krdeploy.cmd --set-sd" against *each* domain in the forest. There could be other errors though. Ensure that you follow *all* procedures in the following article: http://technet.microsoft.com/en-us/library/cc700821.aspx

Brian
August 2nd, 2008 8:18pm

Thanks Brian, having had another look at the documentation we hadn't set the security descriptors. I ran adprep /domainprep to change the security and now everything is working.
August 4th, 2008 11:39am

Will the credential roaming help in a scenario where we are encrypting files on a remote server (that too it is a Windows 2000 based file server)? Meaning will my local EFS cert on an XP w/s be able to roam to a Windows 2000 server where my files are stored and I am trying to encrypt files. I know of the roaming profiles option but as we do not have roaming profiles we are in a fix. The server is enrolling an EFS cert on users' behalf which is good but the problem is that users do not know which cert to add for target users to share (as they see multiple certificates when adding a user to share). Also it seems like you can only add one certificate for a user when sharing via EFS.

Thanks in advance..

Prakash
October 29th, 2008 9:51pm

Brian, I have followed all the steps in the technet article and I'm not sure if I've hit a stumbling block or not. After the "--set-sd" step, I did the first verification step and it matched perfectly. Then I ran a few dsacls.exe checks against some users to check their permissions. For most, but not all, the permissions are as they should be. At least the output from the dsacls.exe matches the technet article. For several users, no output is returned. So, have I done something wrong? I've waited nearly 24 hours after running the "--set-sd" command to be sure it had time to propagate. Thanks for any assistance you can provide!!

KH
January 27th, 2009 9:39pm
