SBS 2011 How To Backup Your EFS Recovery Agent Certificate

Backup your EFS what? That is the reaction I have had from most people I mentioned this to.

I am working on a document to walk through migrating Active Directory from SBS 2011 to Windows Server 2016. As part of that document I wanted to include backing up the EFS Recovery Agent Certificate. Only I couldn’t, because something had broken on my SBS server.

First off, a bit of background. If you don’t know, EFS is the Encrypted File System that is built into Windows. It allows anyone to encrypt a file.

The encryption is done using digital certificates, and as part of that process, Windows assigns something called a Data Recovery Agent (DRA).

In most cases a DRA will be the Administrator. On a Workgroup PC, the Local Administrator.

In a Domain environment, it is specified in the EFS Policy, which is part of the Default Domain Policy, and by default it is the Built-in Administrator.

I don’t want to get too bogged down in how EFS works because there is plenty of better documentation out there on TechNet and other places. However there are some crucial pieces of information I want to touch on.

Firstly, you may know a digital certificate is made up of two keys, a public key and a private key. The private key, in this case, is stored in a folder inside the user's profile at C:\Users\<user>\AppData\Roaming\Microsoft\Crypto\RSA.

Inside this RSA folder you will find a folder named after the SID of the user in question.


Inside this folder are all the private keys for the certificates the user holds.

Second, these keys are all themselves encrypted.

Thirdly, the Default Domain Policy lists only the public key of the DRA Certificate. This is to ensure that all domain PCs are protected by the same DRA. This is the EFS Recovery Policy.

Lastly, the private key of the DRA certificate for your domain is only available on the first Domain Controller in the domain.

In this example we can see the properties of an encrypted file. Note the user's certificate thumbprint and the DRA certificate thumbprint.


So if you migrated your SBS from an earlier version, you would not find this on your SBS, but on the previous DC. In the case of a Domain that started on 2000 and moved to 2011 you would need to look on that 2000 server to find the key.

From reading that last paragraph you will no doubt already have an idea about whether or not you can recover your key. If you can’t, we can create a new DRA; however, any files already encrypted would likely be unrecoverable. More about that in a moment.

If your SBS 2011 was a clean install, you will need to first Enable the Built-in Administrator account.

In ADUC go to Users, right click Administrator, and click Enable. Do not change the password.


If you do not know the password, it will be set to the same as the Password created for your SBS admin account when you installed the Server.

This is where things got tricky for me. As I said above, the private key is encrypted. It is encrypted with the password of the user account at the time the key file is created. If the password is any other value, your account cannot decrypt the key or use the certificate.

It doesn’t matter if the password has been changed 100 times between install and now; as long as you can change it back to the exact value it was when the SBS was installed, you won’t have a problem.

Now connect to the SBS and logon as the Administrator account.

Open an MMC and add the Certificates snap-in for My User Account.


Expand Personal, Certificates.

You will see a Certificate, issued by Administrator for File Recovery. This is what we want!


Right click it, go to All Tasks and choose Export.

Follow the Certificate Export Wizard, being sure to choose "Yes, export the private key".


If the option to export the private key is greyed out, then your Administrator account password does not match the value it had when the server was installed.


Assuming your export was successful, you can log off and disable the Administrator account again.
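The same export, done from PowerShell rather than the MMC wizard, as an added example that is not part of the original post. It assumes you are logged on as the Built-in Administrator on the SBS, and the output path is a placeholder you should change. It finds the certificate by its File Recovery Enhanced Key Usage, and the try/catch around the private key mirrors the "greyed out" case above: if the account password no longer matches the value the key was protected under, the key cannot be opened.

```powershell
# Added example: back up the EFS Data Recovery Agent certificate (with private key) to a PFX.
# Not code from the original post. Placeholder path below; change it to a safe location.
$pfxPath = 'C:\DRA-Backup\EFS-DRA.pfx'
$fileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'   # Enhanced Key Usage OID for "File Recovery"

function Test-FileRecoveryEku {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Walk the certificate extensions and look for the File Recovery EKU
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq $fileRecoveryOid) { return $true }
            }
        }
    }
    return $false
}

# Personal store of the current user (the same store the MMC "Personal > Certificates" view shows)
$draCerts = Get-ChildItem Cert:\CurrentUser\My | Where-Object { Test-FileRecoveryEku -Cert $_ }
if (-not $draCerts) { throw 'No File Recovery (DRA) certificate found in the current user store.' }

foreach ($cert in $draCerts) {
    Write-Host ('DRA certificate: Subject={0} Thumbprint={1} Expires={2}' -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter)

    if (-not $cert.HasPrivateKey) { Write-Warning 'No private key attached; nothing to back up.'; continue }

    # The private key is protected by the account password in force when it was created.
    # If the password differs, opening the key fails here, just as the wizard greys out the option.
    try {
        $key = $cert.PrivateKey
        if ($key -ne $null -and -not $key.CspKeyContainerInfo.Exportable) {
            Write-Warning 'Private key is marked non-exportable.'; continue
        }
    } catch {
        Write-Warning "Private key cannot be opened: $($_.Exception.Message). Reset the Administrator password to its original value and retry."
        continue
    }

    # Export certificate plus private key as a password-protected PFX (password prompted, never stored in the script)
    $pfxPassword = Read-Host -Prompt 'Password to protect the PFX' -AsSecureString
    $bytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $pfxPassword)
    New-Item -ItemType Directory -Path (Split-Path -Parent $pfxPath) -Force | Out-Null
    [System.IO.File]::WriteAllBytes($pfxPath, $bytes)
    Write-Host "Exported to $pfxPath. Store it offline and compare the thumbprint against cipher /c output on an encrypted file."
}
```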

Next we can import that certificate into our SBS Admin user profile, which allows us to decrypt any files that were previously encrypted using EFS. We can also store the PFX file containing the private key safely somewhere so we don’t lose it again.

To import the certificate, simply follow the same instructions but choose Import rather than Export. Also choose to mark the private key as exportable so you can back it up later. You can also consider using strong private key protection, or simply not importing the certificate again until it is required.


Now, if you do not know the password, or the SBS was migrated, you probably won't be able to recover this key.

It is not a disaster unless you need to use the DRA, and the circumstances that would lead to that can be quite convoluted. But as an example, let's assume User A encrypts a file and loses their private key. That could be because they moved PCs, changed their password or left the organisation.

That file would be lost unless you can recover their private key. This scenario is why the DRA exists: an account designated as a DRA would be able to decrypt that file.


What to do next?

If you recovered your private key you can probably leave things as they are; the self-generated key is valid for 100 years.

If you didn’t, we can add a new DRA to the Default Domain Policy to try and avoid any future issues.

You can also disable the use of EFS, but I don’t really want to advocate for that!

Open up Group Policy Management and find the Default Domain Policy.

Right click that and go to Edit.

Expand Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies.

Find Encrypting File System. In the details pane you will see the existing certificate.


Right click the details pane, and click New > Create Data Recovery Agent.


A new DRA is added to the policy for the account you are logged on with.


If we go back to the Certificates MMC for the SBS Admin we can see our new EFS Recovery


We can now export and safely store this certificate.

About Robert Pearman
Robert Pearman is a UK based Small Business Server enthusiast. He has been working within the SMB IT Industry for what feels like forever. Robert likes Piña colada and taking walks in the rain, on occasion he also enjoys writing about Small Business Technology like Windows Server Essentials or more recently writing PowerShell Scripts. If you're in trouble, and you can find him, maybe you can ask him a question.

5 Responses to SBS 2011 How To Backup Your EFS Recovery Agent Certificate

  1. David Moen says:

    Excellent resource for the rest of us Robert! Thanks very much for taking the time to put this info up! One question for you though. After installing a new server into an SBS2011 network using your instructions, my new Server 2016 DC has no management tools for DNS, DHCP or AD. I know that if these roles are installed using the GUI, management tools have to be selected as part of the role installation. Are there whizzy PS commands that can be used to install management tools?

    Thanks again!

    • Add-WindowsFeature AD-Domain-Services,DHCP,DNS,FS-DFS-NameSpace,FS-DFS-Replication -includeAllSubFeature -IncludeManagementTools

      This command should have installed all the relevant tools.

      If not it is probably easier to go through the GUI in server manager.

      Alternatively you can use

      Get-WindowsFeature RSAT*

      You can view all the tools and their names, and below may be enough to install the tools.

      Add-WindowsFeature RSAT-ADDS,RSAT-DHCP,RSAT-DNS-Server -IncludeAllSubFeature

  2. Finally a great article on EFS recovery agent !!!!

  3. Muhammad says:

    Hey Rob, can I ignore this EFS step? I am stuck migrating DHCP from SBS2011 to 2016, it throws errors !!! Any help?
