Chapter 6, “EFS Basics,” detailed the basics of EFS and warned of the problems that damaged and missing private EFS keys can cause. One way to mitigate this risk is to use PKI to replace the use of self-signed EFS certificates with CA-provided EFS certificates and to provide multiple recovery agents. This can be implemented in either a Windows 2000 CA PKI or a Windows Server 2003 PKI. However, in a Windows Server 2003 forest in Windows Server 2003 functional mode, a Windows Server 2003 Enterprise Edition Enterprise CA can also be used to establish key archival. The following steps must be taken:
Create an EFS Key Recovery Agent custom template.
Create a new Windows group, EFS Key Recovery ...
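Before introducing the CA template and key archival, an administrator will want to know which users still depend on self-signed EFS certificates, since those are exactly the keys that no recovery agent or CA archive can restore. The following PowerShell script is an added example, not part of the book; it assumes PowerShell 3.0 or later and inspects only the current user's personal certificate store.

```powershell
# Added example (not from the book): inventory EFS certificates in the current
# user's personal store and flag the self-signed ones, which have no CA-issued
# replacement and no archived private key to recover from.
$efsEku = '1.3.6.1.4.1.311.10.3.4'   # Encrypting File System EKU OID

$efsCerts = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $efsEku }

if (-not $efsCerts) {
    Write-Output 'No EFS certificates found in the current user store.'
    return
}

foreach ($cert in $efsCerts) {
    # A self-signed certificate has the same subject and issuer; it was
    # generated by EFS itself, not issued by an enterprise CA.
    $selfSigned = ($cert.Subject -eq $cert.Issuer)

    if ($selfSigned) {
        $status = 'self-signed: not recoverable through CA key archival'
    } elseif (-not $cert.HasPrivateKey) {
        $status = 'private key missing: encrypted files cannot be opened'
    } else {
        $status = 'CA-issued'
    }

    [pscustomobject]@{
        Thumbprint    = $cert.Thumbprint
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        NotAfter      = $cert.NotAfter
        HasPrivateKey = $cert.HasPrivateKey
        SelfSigned    = $selfSigned
        Status        = $status
    }
}
```

Run it under each user account (or via a logon script that writes the output to a central share) to build the list of users whose certificates must be re-issued from the new template before their old keys are retired.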