ADMT - User Migration with SID History NT --> AD2003 -- EFS

Discussion in 'Server Migration' started by Antoine GOLIO, Aug 4, 2004.

  1. Hello,

    I have a big problem with EFS and the User Migration phase of ADMT.

    Context: inter-forest migration between NT4 objects and an AD2003 forest
    (native mode).

    Everything is OK during the User Migration phase (with SID History) and the
    Computer Migration phase (with security translation of objects / Replace
    mode): the user has access to its resources and the local user profile is OK.

    The only problem is that a domain user (no roaming profile) had encrypted
    some files (XP - EFS) before the migration.
    Now he gets an "access denied" on the encrypted files.

    I looked at the following TechNet solution:
    http://www.microsoft.com/technet/community/columns/5min/5min-401.mspx but I
    didn't succeed in performing the Recovery Agent (local or domain).

    1st question: doesn't ADMT migrate private key information during the
    migration phase?
    2nd question: how to solve the problem?

    Thank you
     
    Antoine GOLIO, Aug 4, 2004
    #1

  2. Hi Antoine,

    Thanks for your posting here.

    ADMT cannot touch the private keys used to encrypt EFS data. So the new
    migrated user cannot open the encrypted file. In general, we recommend that
    you perform the following solution during migration.

    1. Decrypt all data encrypted by the users to be migrated, then re-encrypt the
    data using the newly migrated accounts in the target domain.

    2. Export all users' private keys prior to migration, then import them
    into the corresponding new accounts in the target domain.

    You need access to the old profile, where the EFS secret (the private key)
    is stored, and you should know the user's old password from before the
    migration.

    Based on the current status, we *might* be able to use the "Reccerts.exe"
    utility to try to restore it. Please send an email to
    and I will send the tool to you.

    Best regards,
    Bob Qin
    Microsoft Online Partner Support

    Get Secure! - www.microsoft.com/security

    ====================================================
    When responding to posts, please "Reply to Group" via your newsreader so
    that others may learn and benefit from your issue.
    ====================================================
    This posting is provided "AS IS" with no warranties, and confers no rights.
     
    Bob Qin [MSFT], Aug 5, 2004
    #2
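    Bob's two options, as an added PowerShell example that is not from the thread or from Microsoft: it inventories the EFS-encrypted files under a profile and shows which certificates can open each one, then either decrypts them in place (option 1) or backs up the EFS certificate and private key with `cipher /x` for import into the migrated account (option 2). It assumes a current Windows build whose cipher.exe supports `/x`, that it is run while logged on as the original, pre-migration user, and that the parameter names and paths are placeholders.

```powershell
# Added example, not code from the thread. Run as the ORIGINAL (pre-migration)
# user: only that account's profile holds the EFS private key, which is why
# ADMT's SID-history migration alone leaves the files unreadable.
param(
    [string]$Root   = $env:USERPROFILE,               # tree to scan (assumed)
    [string]$PfxOut = "$env:USERPROFILE\efs-backup",  # cipher /x appends .pfx
    [switch]$Decrypt                                  # option 1 instead of option 2
)

# 1. Inventory: every file carrying the Encrypted attribute under $Root.
$encrypted = @(Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Attributes -band [IO.FileAttributes]::Encrypted })

"{0} EFS-encrypted file(s) under {1}" -f $encrypted.Count, $Root
foreach ($f in $encrypted) {
    # cipher /c lists the user certificates (by thumbprint) that can decrypt
    # the file. A file whose only listed user is the old account becomes
    # inaccessible after migration unless that key travels with the user,
    # and a Recovery Agent added later does not help (see post #6).
    cipher.exe /c $f.FullName
}

if ($Decrypt) {
    # Option 1: clear EFS now; re-encrypt later under the migrated account.
    foreach ($f in $encrypted) {
        try   { $f.Decrypt(); "decrypted $($f.FullName)" }
        catch { Write-Warning "could not decrypt $($f.FullName): $_" }
    }
}
else {
    # Option 2: export this user's EFS certificate and private key to a
    # password-protected PFX (cipher /x prompts for the PFX password).
    cipher.exe /x $PfxOut
    "Import on the migrated account with: certutil -user -p <pfx-password> -importPFX $PfxOut.pfx"
}
```

    Keep the exported PFX and its password as carefully as the old account's credentials, since together they decrypt everything the inventory listed.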

  3. Hi Bob,

    I sent you a message by email from another sender address but you didn't
    respond to me.
     
    Antoine GOLIO, Aug 10, 2004
    #3
  4. Hi Antoine,

    I did not get your email. Would you please copy the content in your post,
    so that we can discuss it here in the newsgroup?

    Thank you!

    Bob Qin
    Microsoft Online Partner Support

     
    Bob Qin [MSFT], Aug 10, 2004
    #4
  5. Hi Bob,

    Is there a way to obtain the Reccerts.exe utility?

    There is no problem gaining access to the old profile of the user (the
    local user profile was translated during the ADMT Computer Migration
    phase - Security Translation in Replace mode).

    I enabled a domain EFS Data Recovery Agent but it didn't solve the problem.

    I tried to enable a local EFS Data Recovery Agent (in a stand-alone
    environment) but it didn't solve the problem.
     
    Antoine GOLIO, Aug 10, 2004
    #5
  6. Hi Antoine,

    Is the mailbox available? If so, I will
    send the reccerts.exe file to you.

    Since the file was encrypted when the computer was in the Windows NT domain,
    there was no Recovery Agent at that time. After you move the computer to the
    new domain, the new Recovery Agent cannot decrypt these files.

    Regards,
    Bob Qin
    Microsoft Online Partner Support

     
    Bob Qin [MSFT], Aug 11, 2004
    #6
  7. Hi Bob,

    My real mailbox is .
     
    Antoine GOLIO, Aug 11, 2004
    #7
  8. Hi Antoine,

    I have sent the tool to your mailbox.

    Regards,
    Bob Qin
    Microsoft Online Partner Support

     
    Bob Qin [MSFT], Aug 11, 2004
    #8
  9. Bob,

    I am sorry. Your tool has been intercepted by our antivirus/antispam
    server. It doesn't permit exe files (even if renamed or zipped).

    Could you please send me the tool to .

    Thank you for everything
     
    Antoine GOLIO, Aug 11, 2004
    #9
  10. Sent. Please check it.

    Regards,
    Bob Qin
    Microsoft Online Partner Support

     
    Bob Qin [MSFT], Aug 11, 2004
    #10
  11. It works fine !!!

    Thank you very much.


     
    Antoine GOLIO, Aug 11, 2004
    #11
  12. My pleasure!

    Regards,
    Bob Qin
    Microsoft Online Partner Support

     
    Bob Qin [MSFT], Aug 12, 2004
    #12
  13. Hi Hesham,

    The utility named Reccerts.exe is available through Microsoft PSS for
    Windows XP. You can use this utility for cases where EFS data is
    unavailable after a re-installation of Windows XP or after a hardware
    failure where the EFS data and the encrypting user's profile are intact.
    Reccerts.exe migrates certificates from the old user profile to the current
    user profile. You must know the previous user password to use this utility.
    You can use this utility to recover all of the EFS files that would
    otherwise be lost.

    To obtain the phone numbers for specific technology requests, please take a
    look at the web site listed below.
    http://support.microsoft.com/default.aspx?scid=fh;EN-US;PHONENUMBERS

    If you are outside the US, please see http://support.microsoft.com for
    regional support phone numbers.

    Hope it helps.

    Best regards,

    Vincent Xu
    Microsoft Online Partner Support

     
    Vincent Xu [MSFT], Aug 22, 2005
    #13