You cannot remotely access encrypted files after you upgrade a Windows Server 2003 file server to Windows Server 2008

Consider the following scenario:

You have a Windows Server 2003-based file server. Or, you have a prerelease Windows Server 2008-based file server.
This file server hosts remotely encrypted files.
You upgrade this file server to Windows Server 2008.

In this scenario, when you try to access the remotely encrypted files, you receive the following error message:

Access Denied

This issue does not occur if a user has interactively logged on to the file server before the upgrade.


CAUSE

This issue occurs because special user profiles are not migrated when a Windows file server is upgraded to Windows Server 2008. Therefore, when you try to access the encrypted files, the upgraded file server does not recognize the special profile. Then, the upgraded file server creates a new profile that has new EFS encryption keys. These new keys differ from the original keys. Therefore, you cannot access the previously encrypted files.

When a user encrypts a file that is stored on a Windows file server, the actual encryption of the file occurs on the file server. A special user profile is created on the Windows Server 2003-based file server. This special user profile is used to create and store your Encrypting File System (EFS) encryption keys. Afterward, every time that a user accesses the encrypted files on the file server, this special profile is loaded on behalf of the user. The previously created encryption keys are used.


RESOLUTION

To resolve this problem, obtain the Post Upgrade EFS Recovery Tool from the Microsoft Download Center.

The following file is available for download from the Microsoft Download Center:

Download the Post Upgrade EFS Recovery Tool 1.0 package now. (http://www.microsoft.com/downloads/details.aspx?FamilyId=FD786261-D278-40DB-BAF8-70F42D786223)

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.

The EFS Recovery Tool scans the Profiles directory on the upgraded server for unregistered accounts that have EFS keys. If any accounts are found, the tool creates new profiles and copies the EFS keys to these new profiles. The tool then archives the unregistered profiles into the ~efs.000 file.

How to run the EFS Recovery Tool

You must run this tool from an elevated command prompt on the server. There are two switches that you can run together with EfsUpgRecoverAccts.exe:

/D
Detect only. Scan for unregistered profiles to recover, but do not perform any recovery.
/R
Perform recovery.

The output is tab formatted. You can redirect the output to a file. For example, you can use the following command:

EfsUpgRecoverAccts /R > C:\Efsfix.log

The return code indicates the level of the issue that is encountered when you run the tool:

0: No warnings or errors reported.
1: Warning(s) reported. Review the output.
2: Error(s) reported. Review the output.
3+: A fatal error prevented the tool from completing.
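The KB describes a two-step workflow (detect with /D, then recover with /R) and a set of return codes, but leaves the sequencing to the operator. The following PowerShell wrapper is an added example, not part of the KB article and not a Microsoft tool: it checks that the session is elevated, runs the tool in detect-only mode, interprets the documented return code, and only proceeds to recovery when detection did not report errors. The tool path, the log directory, the "stop on errors, continue on warnings" policy, and PowerShell 2.0 or later are all assumptions of this example.

```powershell
# Added example (not part of the KB article): sequence the Post Upgrade EFS Recovery
# Tool as detect-first, then recover, keeping a log of each run.
# Assumptions: EfsUpgRecoverAccts.exe is on the PATH or at $ToolPath, $LogDir is
# writable, and this runs in an elevated PowerShell 2.0+ session on the upgraded server.

param(
    [string]$ToolPath = 'EfsUpgRecoverAccts.exe',   # assumed location of the tool
    [string]$LogDir   = 'C:\EfsRecovery'            # assumed log directory
)

# Map the return codes documented in the KB to a readable status.
# 0 = clean, 1 = warning(s), 2 = error(s), 3 or higher = fatal.
function Get-EfsToolStatus {
    param([int]$Code)
    switch ($Code) {
        0       { 'OK: no warnings or errors reported.' }
        1       { 'WARNING: review the output.' }
        2       { 'ERROR: review the output.' }
        default { "FATAL: the tool did not complete (return code $Code)." }
    }
}

# Run the tool with one switch, redirect its tab-formatted output to a log file
# (as the KB suggests), and return the process exit code.
function Invoke-EfsTool {
    param([string]$Switch, [string]$LogFile)
    & $ToolPath $Switch 2>&1 | Out-File -FilePath $LogFile -Encoding ascii
    $code = $LASTEXITCODE
    Write-Host ('{0} {1} -> {2} (log: {3})' -f $ToolPath, $Switch, (Get-EfsToolStatus $code), $LogFile)
    return $code
}

# The KB requires an elevated prompt; refuse to continue otherwise.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated PowerShell session on the file server.'
}

New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

# Step 1: detect only. Nothing on the server is modified by /D.
$detect = Invoke-EfsTool -Switch '/D' -LogFile (Join-Path $LogDir "detect-$stamp.log")
if ($detect -ge 3) { throw 'Detection did not complete; resolve that before attempting recovery.' }
if ($detect -eq 2) { throw 'Detection reported errors; review the detect log before running /R.' }

# Step 2: recover. Policy chosen for this example: continue on warnings, stop on errors.
$recover = Invoke-EfsTool -Switch '/R' -LogFile (Join-Path $LogDir "recover-$stamp.log")
exit $recover
```

Two practical notes that are not in the KB: take an ordinary backup of the server's Profiles directory before running /R, since the tool's own ~efs.000 archive is the only copy it keeps of the unregistered profiles; and after recovery, have an affected user open one of the previously encrypted files over the network, which is the only check that confirms the copied keys actually match the files.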


STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the “Applies to” section.



APPLIES TO
Windows Server 2008 Enterprise
Windows Server 2008 Standard
Windows Web Server 2008

——————————————–

Microsoft Knowledge Base Article

The contents of this article are Microsoft copyrighted material.
Microsoft Corporation. All rights reserved.
