This article describes how to back up the data recovery agent certificate together with the private key in a Windows Server 2003-based domain. You can use this backup to recover encrypted data on a client computer in the domain.
In a Windows Server 2003-based domain environment that uses roaming user profiles and the Encrypting File System (EFS) for data encryption, you may accidentally lose or delete the EFS certificate on a client computer. After you lose or delete an EFS certificate, you cannot access any of the encrypted data on the client. However, you can recover the encrypted data by using the default data recovery agent certificate for the domain. The data recovery agent certificate for the domain is located on the first domain controller that was installed in the domain. The built-in Administrator account on the first domain controller is the data recovery agent.
To recover the domain recovery agent certificate together with the private key, follow these steps:
Locate the first domain controller that was installed in the domain.
Use the built-in Administrator account to log on to the domain controller.
Click Start, click Run, type mmc, and then click OK.
On the File menu, click Add/Remove Snap-in, and then click Add.
Under Available Standalone Snap-ins, click Certificates, and then click Add.
Click My user account, and then click Finish.
Click Close, and then click OK.
Double-click Certificates - Current User, double-click Personal, and then double-click Certificates.
Locate the certificate that displays "File Recovery" (without the quotation marks) in the Intended Purposes column.
Make sure that you have selected the correct data recovery agent certificate. To do this, follow these steps:
Right-click the certificate, and then click Open.
In the Certificate dialog box, click the Details tab.
In the Field column, locate and then click Thumbprint. Note the Thumbprint value. For example, the Thumbprint value will resemble the following:
3b 38 5f 14 20 89 13 ea fa c5 c1 e8 e7 3e 85 79 76 7d 98 23
On the client computer, right-click the encrypted file that you want to recover, and then click Properties.
On the General tab, click Advanced.
In the Advanced Attributes dialog box, click Details under Compress or Encrypt attributes.
In the Data Recovery Agents for This File as defined by Recovery Policy list, note the certificate thumbprint value for the data recovery agent that is mentioned in the file properties. Make sure that the thumbprint value that you noted for the data recovery agent certificate in step 10c matches the thumbprint value that is displayed on the file properties. If the thumbprint values do not match, select another certificate, and then repeat steps 10a through 10g.
After you locate the correct data recovery agent certificate in the certificate store, right-click the certificate that you located in step 9, point to All Tasks, and then click Export. The Certificate Export Wizard starts.
Click Yes, export the private key, and then click Next.
Click Personal Information Exchange – PKCS #12 (.PFX), and then click Next.
In the Password box, type the password that you want to specify to protect the certificate from unauthorized use.
In the Confirm password box, retype the password, and then click Next.
Specify a file name and a location to which you want to export the certificate and the private key, and then click Next.
Note We recommend that you back up the file to a disk or to a removable media device. Store the backup in a location in which you can confirm the physical security of the backup.
Verify the settings that are displayed on the Completing the Certificate Export Wizard page, and then click Finish.