Home > Articles > Operating Systems, Server > Microsoft Servers

  • Print
  • + Share This

Create Additional DRAs at the Domain and OU Levels

It is good practice to create additional DRAs before you commence your EFS deployment. This ensures that you have several accounts that can recover files.

Because Active Directory relies on organizational units (OUs) to divvy up administrative responsibility, it makes sense to assign at least one DRA to each OU that contains a user who will be encrypting files. This DRA will have recovery responsibility for users in that OU but will not be capable of recovering files created on computers in other OUs.


The Encrypted Data Recovery Agent policy is a machine (computer) policy, so it is downloaded when the computer (note the user) logs onto the domain. A user from OU Phoenix who encrypts a file while sitting at a desktop in OU Houston will get the Houston DRA, not the Phoenix DRA.

EFS is coded to issue self-signed certificates only to EFS users and default DRAs. It is not capable of issuing certificates to additional DRAs. You must first install a Certificate Authority server and then use that server to obtain your certificates. Deploying and managing a Certificate Authority can be complex. If you don't mind a little self-advertising, you can find the steps along with a detailed discussion of EFS certificates in my book, Inside Windows 2000 Server, from New Riders Publishing.

After you've created the file recovery certificates for the alternate DRAs, create a new Group Policy object (GPO) for the associated OU, and use it to import the certificate into the Encrypted Data Recovery Agent policy.

  • + Share This
  • 🔖 Save To Your Account

Related Resources

There are currently no related titles. Please check back later.