Discussion:
Recovery policy contains invalid recovery cert
Wayne
2006-07-28 16:59:02 UTC
I am trying to encrypt files on a Windows XP desktop in my Windows 2003
domain. I get an error "Recovery policy configured for this system contains
invalid recovery certificate."

I have checked the domain policy and the Administrator's certificate has
expired. In addition, the original (first) domain controller was decommissioned
a while ago. As such the certificate cannot be renewed. The new (and only)
enterprise CA is on the DC that replaced the original one.

I have gone into the default domain policy and created a new recovery agent.
I have also configured it to automatically renew the certificates. However
I still get this error. I have run gpupdate /force on both the DC and the
workstation. I have also rebooted the workstation and got a new EFS cert for
the user from the CA.

I still get that error message. How do I fix this?
Steven L Umbach
2006-07-28 18:00:06 UTC
Did you import the new valid certificate into the Group Policy and remove
the old one from Group Policy? Check the valid dates on the one that is
currently shown in your GP. Also check your other Group Policies to see if you
have more than one configured to use the old certificate. I don't believe
RSOP will show the applying GPO for that particular setting.

Steve
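The check Steve describes (which recovery certificate the policy is actually delivering, whether its validity dates are current, and whether a second GPO is still pushing the old one) can be done on the failing workstation itself rather than by reading each GPO in the editor. The script below is an added example and is not code from the original thread. It assumes that, after gpupdate, Group Policy writes the EFS recovery agent certificates to HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\EFS\Certificates\<thumbprint>\Blob, that each Blob is a serialized list of certificate-store properties in which property id 0x20 carries the DER certificate, and that Windows PowerShell 3.0 or later is available; the function names are mine.

```powershell
# Added example, not code from the original thread. Lists the EFS data
# recovery agent (DRA) certificates that Group Policy has delivered to the
# local machine and flags the ones EFS would reject as "invalid".
#
# Assumptions (verify on your own system):
#  - Policy-delivered EFS recovery certificates land under
#    HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\EFS\Certificates\<thumbprint>\Blob
#    once gpupdate has run.
#  - Each Blob is a serialized list of certificate-store properties:
#    DWORD propId, DWORD reserved (1), DWORD length, <length> bytes, repeated;
#    property id 0x20 (CERT_CERT_PROP_ID) carries the DER-encoded certificate.
#  - Windows PowerShell 3.0 or later.

$EfsRecoveryEku = '1.3.6.1.4.1.311.10.3.4.1'   # "File Recovery" enhanced key usage
$PolicyStore    = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\EFS\Certificates'

function ConvertFrom-CertStoreBlob {
    # Pull the DER certificate (property 0x20) out of a serialized store blob.
    param([Parameter(Mandatory)][byte[]]$Blob)
    $offset = 0
    while (($offset + 12) -le $Blob.Length) {
        $propId = [BitConverter]::ToUInt32($Blob, $offset)
        $length = [int][BitConverter]::ToUInt32($Blob, $offset + 8)
        $offset += 12
        if (($offset + $length) -gt $Blob.Length) { break }   # truncated or corrupt blob
        if ($propId -eq 0x20) {
            $der = New-Object byte[] $length
            [Array]::Copy($Blob, $offset, $der, 0, $length)
            return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,$der)
        }
        $offset += $length
    }
    return $null
}

function Test-EfsRecoveryPolicy {
    # Emits one result object per DRA certificate the applied policy delivers.
    param(
        [string]$Path = $PolicyStore,
        [datetime]$Now = (Get-Date)
    )
    if (-not (Test-Path -Path $Path)) {
        Write-Warning "No EFS recovery policy has been applied to this machine ($Path is absent)."
        return
    }
    foreach ($key in Get-ChildItem -Path $Path) {
        $blob = (Get-ItemProperty -Path $key.PSPath).Blob
        $cert = if ($blob) { ConvertFrom-CertStoreBlob -Blob $blob } else { $null }
        $problems = @()
        $subject = $null; $notAfter = $null; $thumbprint = $null
        if (-not $cert) {
            $problems += 'Blob contains no certificate'
        } else {
            $subject = $cert.Subject; $notAfter = $cert.NotAfter; $thumbprint = $cert.Thumbprint
            $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
            $hasRecoveryEku = [bool]($ekuExt -and
                ($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $EfsRecoveryEku }))
            if ($cert.NotAfter -lt $Now)  { $problems += "expired $($cert.NotAfter.ToString('u'))" }
            if ($cert.NotBefore -gt $Now) { $problems += 'not yet valid' }
            if (-not $hasRecoveryEku)     { $problems += 'missing File Recovery EKU' }
            if ($key.PSChildName -ne $cert.Thumbprint) {
                $problems += 'registry key name does not match certificate thumbprint'
            }
        }
        $status = if ($problems.Count -gt 0) { $problems -join '; ' } else { 'OK' }
        [pscustomobject]@{
            Key        = $key.PSChildName
            Subject    = $subject
            NotAfter   = $notAfter
            Thumbprint = $thumbprint
            Status     = $status
        }
    }
}

# Usage: run on the workstation that cannot encrypt, after gpupdate /force.
Test-EfsRecoveryPolicy | Format-Table -AutoSize
```

What lands in that registry path is the merged result of every GPO that defines an EFS recovery policy for the machine, so if the expired certificate is still listed after the Default Domain Policy has been fixed, some other GPO is still delivering it, which is exactly the second case Steve raises. Note also that a recovery agent certificate does not have to come from the enterprise CA at all: `cipher /r:<basename>` on a domain member creates a self-signed DRA certificate and private key (a .cer and a .pfx), and the .cer can be added as the recovery agent in the policy, so the loss of the original CA does not by itself block replacing the agent.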
Wayne
2006-08-03 12:39:01 UTC
Removing the old one and creating a new recovery agent in policy worked. For
a day or two. Now I can't encrypt (on a different machine in the domain)
with the original user or a different one.

I get the same error message.