SBS 2011 How To Backup Your EFS Recovery Agent Certificate

Backup your EFS what? That is the reaction I have had from most people I mentioned this to.

I am working on a document to walk through migrating Active Directory from SBS 2011 to Windows Server 2016. As part of that document I wanted to include backing up the EFS Recovery Agent Certificate. Only I couldn’t because on my SBS Server, something had broken.

First off, a bit of background. If you don’t know, EFS is the Encrypted File System that is built into Windows. It allows anyone to encrypt a file.

The encryption is done using digital certificates, and as part of that process, Windows assigns something called a Data Recovery Agent (DRA).

In most cases a DRA will be the Administrator. On a Workgroup PC, the Local Administrator.

In a Domain environment, it is specified in the EFS Policy, which is part of the Default Domain Policy. and by default it is the BuiltIn Administrator.

I don’t want to get too bogged down in how EFS works because there is plenty of better documentation out there on TechNet and other places. However there are some crucial pieces of information I want to touch on.

Firstly, you may know a digital certificate is made up of two keys, a public key and a private key. The private key, in this case is stored in a folder inside the users profile in C:\Users\<user>\AppData\Roaming\Microsoft\Crypto\RSA

Inside this RSA folder you will find a folder named after the SID of the user in question.

RSA

Inside this folder are all the private keys for the certificates the user holds.

Second, these keys are all themselves encrypted.

Thirdly, the Default Domain Policy lists only the public key of the DRA Certificate. This is to ensure that all domain PCs are protected by the same DRA. This is the EFS Recovery Policy

Lastly, the private key of the DRA certificate for your domain, is only available on the First Domain Controller in the domain.

In this example we can see the properties of an Encrypted file. Note the users certificate thumbprint, and the DRA certificate thumbprint.

File

So if you migrated your SBS from an earlier version, you would not find this on your SBS, but on the previous DC. In the case of a Domain that started on 2000 and moved to 2011 you would need to look on that 2000 server to find the key.

From reading that last paragraph you will no doubt already have an idea about whether or not you can recover your key. If you can’t, we can create a new DRA however any files already encrypted would likely be unrecoverable. More about that in a moment.

If your SBS 2011 was a clean install, you will need to first Enable the Built-in Administrator account.

In ADUC go to Users, right click Administrator, click on Enable. Do not Change the Password.

AD

If you do not know the password, it will be set to the same as the Password created for your SBS admin account when you installed the Server.

This is where things got tricky for me. As I said above, the Private Key is encrypted. It is encrypted with the Password of the User Account, at the time the file is created. If the Password is any other value, your account cannot decrypt the key or use the certificate.

It doesn’t matter if the Password has been changed 100 times since install and now, as long as you can change it back to the exact value it was when the SBS was installed, you won’t have a problem.

Now connect to the SBS and logon as the Administrator account.

Open an MMC, and the Certificates snapin, for the My User object.

MMC Cert

Expand Personal, Certificates.

You will see a Certificate, issued by Administrator for File Recovery. This is what we want!

cert snap

Right click, go to all tasks and export.

Follow the Certificate Export Wizard, being sure to Export the Private Key.

Cert Export

If you see the option to Export the Private Key is greyed out, then your Administrator account Password does not match the value when the Server was installed.

cert no like

Assuming your export was successful, you can log off and disable the Administrator account again.

Next we can import that Certificate into our SBS Admin user profile to allow us to unencrypt any files that have previously been encrypted using EFS, we can also make sure to store the PFX file with the private key safely somewhere so we don’t lose it again.

To import the certificate, simply follow the same instructions but choose import not export. Also chose to mark the private key as exportable so you can back it up later. You can also consider using Strong Private Key protection, or simply not importing the certificate again until it is required.

can export

Now, if you do not know the password or, the SBS was migrated you probably wont be able to recover this key.

It is not a disaster, unless you need to use the DRA. and the circumstances that would lead to that can be quite convoluted, but as an example lets assume User A encrypts a file and loses their private key. That could be because they moved PCs, changed their password or left the organisation.

That file would be lost unless you can recover their private key. This scenario is why the DRA exists, an account designated as a DRA would be able to decrypt that file.

unencrypted

What to do next?

If you recovered your Private Key you can probably stick as is, the self generated key is valid for 100 years.

If you didn’t, We can add a new DRA to the Default Domain Policy to try and avoid any future issues.

You can also disable the use of EFS, but I don’t really want to advocate for that!

Open up Group Policy Management, Find the Default Domain Policy.

Right click that and go to Edit.

Expand Computer Configuration > Policies> Windows Settings > Security Settings > Public Key Policies

Find Encrypted File System. In the details pane you will see the existing certificate.

DRA Policy

Right click the details pane, and click New > Create Data Recovery Agent.

create dra

A new DRA is added to the policy, for the account you are logged on with.

dra issues 2

If we go back to the Certificates MMC for the SBS Admin we can see our new EFS Recovery

dra issued

We can now export and safely store this certificate.

About Robert Pearman
Robert Pearman is a UK based Small Business Server enthusiast. He has been working within the SMB IT Industry for what feels like forever. Robert likes Piña colada and taking walks in the rain, on occasion he also enjoys writing about Small Business Technology like Windows Server Essentials or more recently writing PowerShell Scripts. If you're in trouble, and you can find him, maybe you can ask him a question.

15 Responses to SBS 2011 How To Backup Your EFS Recovery Agent Certificate

  1. David Moen says:

    Excellent resource for the rest of us Robert! Thanks very much for taking the time to put this info up! Once question for you though. After installing a new server into an SBS2011 network using your instructions, my new Server 2016 DC has no management tools for DNS, DHCP or AD. I know that if these roles are installed using the GUI, management tools have to be selected as part of the role installation. Are there whizzy PS commands that can be used to install management tools?

    Thanks again!

    • Add-WindowsFeature AD-Domain-Services,DHCP,DNS,FS-DFS-NameSpace,FS-DFS-Replication -includeAllSubFeature -IncludeManagementTools

      This command should have installed all the relevant tools.

      If not it is probably easier to go through the GUI in server manager.

      Alternativley you can use

      Get-WindowsFeature RSAT*

      You can view all the tools and their names, and below may be enough to install the tools.

      Add-WindowsFeature RSAT-ADDS,RSAT-DHCP,RSAT-DNS-Server -IncludeAllSubFeature

  2. Finally a great article on EFS recovery agent !!!!

  3. Muhammad says:

    Hey Rob can i ignore this EFS step and i am stuck migrating DHCP from SBS2011 to 2016 it throws errors !!! any help

  4. clau says:

    Hello Rob, the SBS has as DRA the builtin Administrator account. There are some files that are EFS encrypted.
    When I try to robocopy them with backup switch or even copy or see them they give me Access Denied. When I open the properties of the file, on details on Encrypts data… the builtin account figures as recovery agent by recovery policies. Here, it also does not appear any new DRA agent that I create in GPO and shows in user Personal certificates.
    Also I have rights for that file. When trying to add a new DRA it says that I need rights to that file and Read and Write… but I have full..
    Any importance if the certificate used by that user to encrypt the files has expired?…
    Thank you in advance.

    • Expiration would mean they could not encrypt new files with it, they should be able to decrypt this one.
      You can’t add a new DRA without the previous DRA certificate iirc.

      • clau says:

        Thank you for your time and answer. This is good they can access it I wonder why they encrypted it in the first place being a Shared location…ehhh.
        So, me as builtin Administrator I cannot add a new DRA to those files because…? more, why I cannot access those files with the builtin Admin (assuming that the pass from SBS installation did not change…)?

        Thank you again for your time hope you enjoy your week-end. :)

      • Check your certificates mmc, do you have the certificate to recover them?

      • clau says:

        Thank you Rob again. Of course… I did both things with cipher /r and importing it manually in Domain GPO then locally and I generated one in Create DRA in GPO Policy keys…
        but in both cases nothing shows up when going to the Properties => Encryption of the files only the one that was created by default in 2012… and that one didn’t work (maybe because the pass for the Administrator has changed in between…?)
        I am stuck… but thank you a lot again… :)

      • You need to find out when the DRA certificate was issued.

        Let’s say your domaine was brand need in 2005. A DRA Agent is created. Let’s also say the cert is valid for 5 years (random figures and dates).

        If a user encrypts a file any time between 2005 and 2010 that DRA agent is used, regardless of wether you have the DRA certificate. If you then generate a new DRA agent certificate in 2011 it is only valid in files encrypted after that date. It cannot be used to recover files from 2010 or earlier.

      • clau says:

        Thank you Rob. The DRA shows 2112 so I estimate it was released on 2012. So, theoretically it should be able to decrypt it… but not. Maybe the admin password has been changed?… other ideas?… thank you again for your time.

      • Only if it is listed as the DRA agent in the file properties.

  5. Nick Mehlert says:

    Hi Rob, I am an IT Sys Admin who inherited our SBS2011 PDC a couple years ago. Since then and from what I gather the previous IT Admin changed the original administrator password a few times, so the private key is apparently not available. I am trying to decrypt a ton of files found deep in our file server that are historically important, however with no private key and only the cert are these files forever lost? And are my only options are to try and find out the original administrator password (not happening), or have the encrypting user try and remember old passwords to match with the user private key? Appreciate this article! Very informative.

Leave a Reply to Muhammad Cancel reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: