DRA Recreation
Hi, Our DRA certificate is about to expire. We need to renew it. Below is a plan to accomplish this. Please can a PKI guru verify that this is a viable process. My question is regarding the status of the DRA private key once the process is complete. Best practice is that the private key is exported off the DC and then deleted, so that in the future it is no longer exportable off the DC. How is this accomplished? Thanks.

1. Default Domain Group Policy Editor -> Create Data Recovery Agent: Comp -> Windows Settings -> Security Settings -> Public Key Policies -> Encrypting File System
2. Export private key
3. Store private key and password in secure location. Password needs to be printed and put in the safe with the DRA Certificate and Private Key.
4. Run "cipher /u" as a login script
5. Test decryption with new DRA
September 10th, 2012 5:51am

The only thing I would change is to generate the DRA certificate using Cipher /R Filename. This will generate a 100 year certificate (no more updating) in both a .CER and a .PFX format. The .CER can be designated in the Default Domain group policy (EFS Data Recovery Agent). The PFX file can be saved to a safe location for storage (or optionally, use the /SMARTCARD option and store the private key on a smart card).

Brian
September 10th, 2012 8:49am

Hi, Just checking in to see if the information provided was helpful. Please let us know if you would like further assistance. Have a great day!

Regards
Kevin
TechNet Subscriber Support

If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
September 11th, 2012 10:25pm

Hi Kevin, I opted to create a 2 year DRA cert. I desperately need assistance in getting the DRA account working properly. I have posted a full account of my issues on another thread. I will paste it below for you. Could you escalate or refer a PKI guru to it for me please.

I have a 2008R2 PKI infrastructure set up with an offline root CA and a single issuing CA. I am wanting to renew the DRA cert but after going through the process I am still unable to decrypt data :( The process taken so far goes as follows:

- EFS and EFS Recovery Agent certificate templates created and activated on issuing CA.
- Enterprise Admin DRA account created with all permissions on templates except Full Control.
- Logged onto issuing CA with DRA account. Requested cert in web interface using EFS Recovery Agent template. Marked private key as exportable.
- Installed cert on issuing CA.
- On DC under default domain policy:
  * Computer -> Windows Settings -> Security Settings -> Public Key Policies -> EFS
  * Deleted existing cert
  * Chose add DRA (create new DRA threw an error)
  * Browsed for DRA account in AD
  * We then had to choose from a list of certificates. Chose EFS Recovery Agent cert newly created. (Note that I could not export this cert off the DC???)
- On issuing CA:
  * Exported EFS Recovery Agent cert
- On 2 test PCs:
  * Ran gpupdate /force
  * Ran cipher /u
- On Test pcA:
  * Imported RA cert
- On Test pcB:
  * Encrypted test file

In theory I should now be able to decrypt the file encrypted on pcB... but alas, Access Denied. I have used the efsinfo tool and when run against the encrypted test file, no recovery agent is listed.
September 12th, 2012 3:13am

EFS encryption is a *local* encryption technology. Here is your error:

On TestpcB: Log on as a different account and import the DRA certificate and private key.

Attempting to decrypt the encrypted test file on TestpcB from TestpcA will never work.

Brian
September 12th, 2012 8:12am

Hi Brian, In our previous PKI infrastructure, we had managed to set up a single workstation with the DRA cert imported onto it. Any data encrypted by anyone on the domain was then able to be decrypted from this workstation: removable HDDs, flash drives or even laptop hard drives slaved to the workstation. I am trying to set this up again as we have migrated to new PKI infrastructure and the old DRA cert has expired. Need to set up a new DRA cert and test it to see that it can decrypt everything like the old one. Help is always greatly appreciated.

Guy
September 12th, 2012 8:31am

OK, you never mentioned that you moved the drives from testpcB to testpcA (huge gap).

It looks like your cipher /U is failing (either the user or the previous DRA must have access to the file to change the DRA to the new one). The DRA change over process does not do revocation checking, so that is where you have to focus your efforts.

Personally, I have abandoned using DRAs and prefer to use KRAs (a lot less work).

Brian
September 12th, 2012 10:41am
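The OP's step 5 ("Test decryption with new DRA") and Brian's diagnosis that cipher /u is silently failing on some files both come down to the same check: does each encrypted file actually carry the new DRA's thumbprint in its recovery field? The following PowerShell audit is an added example and not code from the thread; it assumes the new DRA .cer exported in step 2 sits at the placeholder path $DraCer, that the volume slaved to the recovery workstation is $Root, and that `cipher /c` prints a "Recovery Certificates:" section followed by "Certificate thumbprint:" lines (the layout seen on Windows 7/2008 R2; adjust the two regexes if your build differs).

```powershell
# Added example: audit EFS files for the new recovery agent after a DRA rollover.
# Assumptions: $DraCer is the exported public DRA certificate (placeholder path);
# $Root is the volume being checked; "cipher /c" output layout as described above.
param(
    [string]$DraCer = 'C:\DRA\NewDRA.cer',   # placeholder, not a path from the thread
    [string]$Root   = 'D:\'                  # drive slaved to the DRA workstation
)

# Thumbprint of the DRA certificate that Group Policy now publishes.
$dra = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $DraCer
$expected = $dra.Thumbprint.ToUpperInvariant()
if ($dra.NotAfter -lt (Get-Date).AddDays(90)) {
    Write-Warning "DRA certificate expires $($dra.NotAfter); schedule the next rollover."
}

function Get-EfsRecoveryThumbprints([string]$Path) {
    # Parse only the "Recovery Certificates:" section of cipher /c output.
    $lines = & cipher.exe /c $Path 2>$null
    $inRecovery = $false
    foreach ($line in $lines) {
        if ($line -match '^\s*Recovery Certificates:') { $inRecovery = $true; continue }
        if ($line -match '^\s*Key Information:')       { $inRecovery = $false }
        if ($inRecovery -and $line -match 'Certificate thumbprint:\s*([0-9A-Fa-f ]+)') {
            ($Matches[1] -replace ' ', '').ToUpperInvariant()   # emit one thumbprint
        }
    }
}

# Encrypted files only; PSIsContainer keeps this working on PowerShell 2.0 (2008 R2 era).
$encrypted = Get-ChildItem -Path $Root -Recurse -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and ($_.Attributes -band [IO.FileAttributes]::Encrypted) }

# Files whose recovery field still lacks the new DRA are exactly the ones cipher /u
# could not update (no access for the running user or the old DRA), as Brian describes.
$stale = @()
foreach ($f in $encrypted) {
    $tps = @(Get-EfsRecoveryThumbprints $f.FullName)
    if ($tps -notcontains $expected) { $stale += $f.FullName }
}

"Encrypted files checked : $($encrypted.Count)"
"Missing new DRA         : $($stale.Count)"
$stale | ForEach-Object { "  $_" }
```

Run it on the recovery workstation where the DRA certificate and private key have been imported; any file listed under "Missing new DRA" will still give Access Denied until its owner (or the old DRA) re-runs cipher /u with access to it.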

Hi, As this thread has been quiet for a while, we will mark it as Answered as the information provided should be helpful. If you need further help, please feel free to reply to this post directly so we will be notified to follow it up. You can also choose to unmark the answer as you wish. BTW, we'd love to hear your feedback about the solution. By sharing your experience you can help other community members facing similar problems. Thanks for your understanding and efforts.

Best Regards
Kevin
TechNet Subscriber Support

If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
September 16th, 2012 10:04pm
