EFS and the domain

Discussion in 'MCSE' started by Nettransplant, Nov 28, 2003.

  1. So, if the administrator on the first DC in the domain is the default EFS recovery agent and
    my office grows to 5 DCs and 100 users with EFS folders all over the place for various reasons
    AND I demote the first DC because it is an old PC and tooooo slow
    Where do the EFS recovery keys go?
     
    Nettransplant, Nov 28, 2003
    #1

  2. Herb Martin Guest

    "Nettransplant" <> wrote in message
    news:RTCxb.510406$6C4.146363@pd7tw1no...
    > So, if the administrator on the first DC in the domain is the default EFS
    > recovery agent and
    > my office grows to 5 DCs and 100 users with EFS folders all over the place
    > for various reasons
    > AND I demote the first DC because it is an old PC and tooooo slow
    > Where does the EFS recovery keys go?


    It's not the "Administrator on the first DC" but rather the "first
    Administrator on the Domain".

    DCs don't have local accounts (when operating as DCs), but rather the
    administrator is a domain account.

    (DCs do have a private SAM or local accounts database that is ONLY ACTIVE
    when they are booted into either the "Recovery Console" or in "Directory
    Services Restore mode". The admin account there has no domain privileges or
    responsibilities, except maintenance on the DC.)
    --
    Herb Martin
     
    Herb Martin, Nov 28, 2003
    #2

  3. Thanks, clear now.
     
    Nettransplant, Nov 29, 2003
    #3
  4. Herb Martin Guest

    BTW, Does everyone remember (all of) their DC "local admin passwords"?

    Good practice says this should NOT be the same as the Domain Admins,
    and probably shouldn't be the same on more than one DC.

    Since it is seldom used (if things go right), it is essential to REMEMBER
    the DC local password (or even write it down and lock it up.)

    --
    Herb Martin
     
    Herb Martin, Nov 29, 2003
    #4
  5. Roger Abell Guest

    "Herb Martin" <> wrote in message
    news:...
    > BTW, Does everyone remember (all of) their DC "local admin passwords"?
    >
    > Good practice says this should NOT be the same as the Domain Admins,
    > and probably shouldn't be the same on more than one DC.
    >
    > Since it is seldom used (if things go right), it is essential to REMEMBER
    > the
    > DC local password (or even write it down and lock it up.)
    >
    > --
    > Herb Martin


    And I might add, the name the Administrator account
    was renamed to be. Remember, local security policy
    does have an effect on this account in the local SAM.

    --
    Roger Abell
    Microsoft MVP (Windows Server System: Security)
    MCSE (W2k3,W2k,Nt4) MCDBA
     
    Roger Abell, Nov 30, 2003
    #5