Server that issued EFS certificates going offline
Hi guys,

Not really good with security, but I have an issue. Our original domain controller was also a root CA at one time (I know that is bad), and EFS certificates were issued to users (with a DRA as well) and working correctly. Since then we did make a new Root CA server and are keeping it offline, and are using two other subordinate issuing CA servers. Now we need to replace the original domain controller, so I have a few questions:

What will happen to the users' EFS files when the root CA that issued the certificate goes offline?

What happens to EFS files that are encrypted when the EFS certificate expires?

Any quick tips are appreciated.

Thanks,
Dan Heim
October 1st, 2009 11:55pm
Hi Dan,

You mentioned that the users were issued an EFS certificate so that they can encrypt their files. Now you are planning to replace the domain controller and get a new CA. Users would still be able to decrypt the files, as they would still have the EFS certificate in their Personal store with the private key. As long as they have the certificate and access to the private key, they will have no issues decrypting the files.

The private key is stored in the user profile and is protected by the DPAPI component, which uses the user's credentials to protect the store containing the private keys. So make sure not to change the user passwords, as it may cause some issues.

However, if the user certificate expires, then you won't be able to encrypt any more files, nor would you be able to edit or modify the existing ones. You will be able to decrypt the previously encrypted files, though.

You might want to take a look at this article: http://technet.microsoft.com/en-us/library/bb457065.aspx

Since you are moving to a new PKI architecture, I would recommend that you get new certificates for the users issued by the new CA.

Here is an article that provides detailed information about EFS: http://technet.microsoft.com/en-us/library/cc700811.aspx

Please revert back if you have any queries.

Thanks,
Nitin
October 2nd, 2009 1:05am
One more important thing: export the DRA certificate and private key and store it in a safe location, so you can recover older encrypted files if needed.

Best regards,
Martin Rublik
October 2nd, 2009 8:59am
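As an added example (not part of the thread, and not Microsoft's code), the PowerShell below does the checks Nitin describes and the backup Martin recommends: it lists the EFS certificates in the user's Personal store with their issuer, expiry and whether the private key is present, marks which one EFS is currently encrypting with, and exports the DRA (File Recovery) certificate together with its private key to a PFX. The EKU OIDs are the standard EFS ones; the registry value read for the "current" key (HKCU\...\EFS\CurrentKeys\CertificateHash), the output path and the password are assumptions for this example. It has to run as the user whose profile holds the keys, and the export only succeeds if the DRA key was marked exportable when it was issued.

```powershell
# Added example: inventory EFS certificates and back up the DRA key.
# Assumes it runs in the profile of the user (or DRA) that owns the keys.

$EfsEku      = '1.3.6.1.4.1.311.10.3.4'    # Encrypting File System
$RecoveryEku = '1.3.6.1.4.1.311.10.3.4.1'  # File Recovery (the DRA cert)

# True if the certificate carries the given EKU OID (works on PowerShell 2.0+).
function Test-HasEku {
    param($Cert, [string]$Oid)
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($eku in $ext.EnhancedKeyUsages) {
                if ($eku.Value -eq $Oid) { return $true }
            }
        }
    }
    return $false
}

# Certificates in the user's Personal store that have the requested EKU.
function Get-EfsCertificates {
    param([string]$Eku = $EfsEku)
    Get-ChildItem Cert:\CurrentUser\My | Where-Object { Test-HasEku $_ $Eku }
}

# Thumbprint EFS currently encrypts new files with (assumed registry location;
# the value is a REG_BINARY SHA-1 hash, rendered here as a hex string).
function Get-CurrentEfsThumbprint {
    $key  = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys'
    $prop = Get-ItemProperty -Path $key -Name CertificateHash -ErrorAction SilentlyContinue
    if ($prop) { ($prop.CertificateHash | ForEach-Object { $_.ToString('X2') }) -join '' }
}

# One row per EFS certificate: a missing private key or an expired cert is
# exactly the situation the replies above warn about.
function Show-EfsStatus {
    $current = Get-CurrentEfsThumbprint
    foreach ($c in Get-EfsCertificates $EfsEku) {
        $state = if ($c.NotAfter -lt (Get-Date)) { 'EXPIRED' } else { 'valid' }
        New-Object PSObject -Property @{
            Thumbprint    = $c.Thumbprint
            Issuer        = $c.Issuer
            NotAfter      = $c.NotAfter
            HasPrivateKey = $c.HasPrivateKey   # $false means this cert cannot decrypt anything
            State         = $state
            InUse         = ($c.Thumbprint -eq $current)
        }
    }
}

# Export the DRA certificate plus private key to a password-protected PFX.
# Export() throws if the key is non-exportable; keep the PFX off the machine.
function Export-DraCertificate {
    param([string]$PfxPath, [string]$PfxPassword)
    $dra = Get-EfsCertificates $RecoveryEku | Where-Object { $_.HasPrivateKey } | Select-Object -First 1
    if (-not $dra) { throw 'No File Recovery certificate with a private key in CurrentUser\My' }
    $pfx   = [System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx
    $bytes = $dra.Export($pfx, $PfxPassword)
    [System.IO.File]::WriteAllBytes($PfxPath, $bytes)
    $dra.Thumbprint
}

# Usage (path and password are placeholders for this example):
Show-EfsStatus | Format-Table Thumbprint, State, HasPrivateKey, InUse, NotAfter, Issuer -AutoSize
Export-DraCertificate -PfxPath "$env:USERPROFILE\dra-backup.pfx" -PfxPassword 'ChangeMe!'

# After the user has enrolled for a new EFS certificate from the new CA, re-key
# the files already on local drives to the new key/DRA with the built-in tool:
#   cipher /u
```

The status table is what to look at before retiring the old CA: every row should show HasPrivateKey as True, and the certificate marked InUse should not be expired. Nothing here talks to the issuing CA, which is the point of Nitin's reply: decryption needs only the certificate and private key in the user's profile, not the CA that issued them.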