After you set up a CA, and the designated recovery agents have their certificates exported to CER files, set up the domainwide recovery policy. You do so by adding the recovery agents and their respective certificates to the default domain policy. The presence of the certificates in the Security Settings\Public Key Policies\Encrypted Data Recovery Agents container implicitly defines the domain recovery policy. Follow these steps to define the domain recovery policy:
1. Set up a CA and a Recovery Agents group and have the agents request certificates and then export them to CER files.
2. Collect the CER files into a common secure location on your local computer or on the domain controller.
3. Open the Default Domain Security Settings console by choosing Start → Programs → Administrative Tools → Domain Security Policy.
4. In the Default Domain Security Settings console, expand Public Key Policies in the left-hand pane.
5. Right-click the Encrypting File System folder in the right-hand pane and choose Add Data Recovery Agent from the pop-up menu, as shown in Figure 27-38, to start the Add Recovery Agent Wizard.
6. Follow the wizard's prompts to complete the installation. Repeat the process to add any additional certificates. (If the certificates are already published in AD, they are listed in the wizard. You can also browse to the folder containing the CER files.)
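As an added example (not part of the book's text), the following PowerShell check can be run against the CER files collected in the secure folder before starting the wizard; it confirms each certificate carries the EFS "File Recovery" usage, is not expired, and contains no private key. The folder path is an assumption.

```powershell
# Added example, not from the book: sanity-check exported recovery agent
# certificates before adding them to the default domain policy.
# Assumption: the CER files from the earlier step sit in $CerFolder (hypothetical path).
$CerFolder       = 'C:\RecoveryAgents'
$FileRecoveryEku = '1.3.6.1.4.1.311.10.3.4.1'   # "File Recovery" EKU OID used by EFS recovery agent certificates

function Test-RecoveryAgentCert {
    param([Parameter(Mandatory)][string]$Path)

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path

    # Look for the Enhanced Key Usage extension and check for the File Recovery OID.
    $eku = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasFileRecovery = $false
    if ($eku) {
        $hasFileRecovery = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $FileRecoveryEku })
    }

    [pscustomobject]@{
        File              = Split-Path $Path -Leaf
        Subject           = $cert.Subject
        Issuer            = $cert.Issuer
        Thumbprint        = $cert.Thumbprint   # compare with what the wizard displays
        NotAfter          = $cert.NotAfter
        FileRecoveryEku   = $hasFileRecovery
        Expired           = ($cert.NotAfter -lt (Get-Date))
        # A CER should hold only the public key; a private key in a shared
        # folder means the recovery key itself has been exposed.
        PrivateKeyPresent = $cert.HasPrivateKey
    }
}

Get-ChildItem -Path $CerFolder -Filter *.cer | ForEach-Object {
    Test-RecoveryAgentCert -Path $_.FullName
} | Format-Table -AutoSize
```

Any file reported with FileRecoveryEku false, Expired true, or PrivateKeyPresent true should be re-issued or re-exported rather than added to the policy.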