Unable to Recover Encrypted Files After the Domain Controller Is Demoted

When a Windows-based computer that is a domain controller is demoted to a member server by using the Active Directory Installation wizard (Dcpromo.exe), you are unable to recover Encrypting File System (EFS)-encrypted documents.

This issue can occur because the private key for the recovery agent for the local EFS-encrypted documents is lost during the demotion when the Security Accounts Manager (SAM) is recreated on that computer. You are unable to recover encrypted documents on this computer unless the recovery agent is changed to an existing domain account before encryption.

To resolve this issue, use either of the following methods:

• If you have previously exported the recovery agent's certificate, including the private key, reimport it.
  
  -or-
• Follow these steps:
  
  
  1. Decrypt all documents on the local computer. If there are files that were encrypted by a different user account, they can only be decrypted when you log on as that user.
  2. Log on as an administrator.
  3. Start the Certificates snap-in, and then request a new personal certificate that is suitable to use with EFS.
  4. Start the Local Security Policy snap-in, remove the administrator, and then reassign it as the system recovery agent.
  5. Reencrypt all of the documents.

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.