Apparent contradiction in MS prep materials?

daltec Member Posts: 10
Hi guys, I've run across what seems like a contradiction between what the MS-Press training book (2nd ed.) for the test says, and what the practice test included with the book says. I hope you all can help ease my confusion! I apologize in advance for the length of this post.

In the book's section on EFS (Ch. 10), one section states "By default, the recovery agent for a computer running Windows XP Professional in a workgroup is the administrator of the local computer."

However, a question in the practice exam states "You are configuring a user's computer to support EFS. The user telecommutes, so the computer is not a member of an AD domain. The computer is running XP Pro. You want to make the local Administrator account a Data Recovery Agent to ensure that files can be recovered even if the user deletes his EFS certificate or in the event that the user leaves the company. You have logged in as Administrator. What steps must you take to configure the user's computer?"

I selected the option that said "Do nothing. The local Administrator account is configured as the Data Recovery Agent on a standalone computer by default."

Which was marked wrong! The explanation being, "Under Windows 2000, the Administrator account was considered a recovery agent by default on a standalone computer. This is not the case with XP Pro."

That sounds like a contradiction to me! But I would REALLY appreciate it if somebody would enlighten me, if I am misunderstanding the question. Thank you all very much in advance!
Gluppit the prawling strangles, there!

Comments

  • dynamik Banned Posts: 12,312
    By default, if a computer that is running Microsoft Windows 2000 Professional is a member of a workgroup or is a member of a Microsoft Windows NT 4.0 domain, the local administrator who first logs on to the computer is designated as the default recovery agent. By default, if a computer that is running Windows XP or Windows 2000 is a member of a Windows Server 2003 domain or a Windows 2000 domain, the built-in Administrator account on the first domain controller in the domain is designated as the default recovery agent.

    Note that a computer that is running Windows XP and that is a member of a workgroup does not have a default recovery agent. You have to manually create a local recovery agent.

    http://support.microsoft.com/kb/241201

    Is this listed in the errata?

    http://support.microsoft.com/kb/896743
  • daltec Member Posts: 10
    dynamik wrote:
    Note that a computer that is running Windows XP and that is a member of a workgroup does not have a default recovery agent. You have to manually create a local recovery agent.

    http://support.microsoft.com/kb/241201

    Is this listed in the errata?

    http://support.microsoft.com/kb/896743

    Thanks a lot Dynamik, that jibes with the question in the practice test then -- the other three options had steps for configuring a recovery agent and creating keys. I'll make a note! I appreciate your help.

    As for the errata, no it is not listed. The page in question is 10-87, the answer for question 5 of the Lesson 4 review. I reported it through their feedback form, don't know if that will help or not.

    I went all through the main part of the chapter and my written notes, though, and it does not say anything about the local admin being the default recovery agent, so I guess the info on page 10-87 must have slipped in there!

    Again, though, thanks for your time and for pointing me in the right direction. My test is this Saturday the 13th, it's my first exam, and this site has been a big help to me! Reading all of the "I passed!" comments is a nice moral support builder, too! :D
  • royal Member Posts: 3,352
    XP workstation definitely does not have a default DRA. When you join the domain, you do have a default DRA. This is the Administrator account. When you first DCPromo a machine, an EFS Recovery Agent certificate is installed on this DC. So always back this up! This certificate is the certificate you would import on a domain machine when it can't decrypt data anymore. You can create additional DRAs by going into group policy and assigning/requesting an EFS Recovery Agent certificate which clients then acknowledge and assign that as an additional DRA.

    The thing with XP is XP allows you to encrypt information without a DRA. Windows 2000 didn't allow you to hence why you need the DRA to be able to encrypt data.

    Hope that helps.
    “For success, attitude is equally as important as ability.” - Harry F. Banks
  • daltec Member Posts: 10
    royal wrote:
    XP workstation definitely does not have a default DRA. When you join the domain, you do have a default DRA. This is the Administrator account. When you first DCPromo a machine, an EFS Recovery Agent certificate is installed on this DC. So always back this up! This certificate is the certificate you would import on a domain machine when it can't decrypt data anymore. You can create additional DRAs by going into group policy and assigning/requesting an EFS Recovery Agent certificate which clients then acknowledge and assign that as an additional DRA.

    The thing with XP is XP allows you to encrypt information without a DRA. Windows 2000 didn't allow you to hence why you need the DRA to be able to encrypt data.

    Hope that helps.

    Hi Royal, thanks a lot! And yes that does help. But just to make sure I'm clear, which is the default Recovery Agent on domain machines? The book says "the Domain Admin," so can I take that to mean only the first domain admin account? And subsequent domain admin accounts (if any) would need to be set up as additional Recovery Agents? Just curious...

    I just retook another practice exam, and that same question came up, and I got it wrong AGAIN! But this time, it was because of the steps involved in adding the new Recovery Agent.

    LOL, back to the drawing board... thanks again!
  • royal Member Posts: 3,352
    What I meant to say was the first DC you DCPromo in a domain will include this certificate on that DC. Any DC after that will not have this certificate. Hence the reason it is very important to back it up.

    It's the first administrative account you login as. And this will be the Administrator account. So this Administrator account will be the default DRA. Domain Admin means nothing as a Domain Admin is a group, not a user. Administrator is the user account. And yes, subsequent Admins would need to be added as a DRA by doing it through Security > PKI section within Group Policy.
  • daltec Member Posts: 10
    royal wrote:
    What I meant to say was the first DC you DCPromo in a domain will include this certificate on that DC. Any DC after that will not have this certificate. Hence the reason it is very important to back it up.

    Okay that makes a lot of sense.
    royal wrote:
    It's the first administrative account you login as. And this will be the Administrator account. So this Administrator account will be the default DRA. Domain Admin means nothing as a Domain Admin is a group, not a user. Administrator is the user account.

    Ahh, right, of course.... not thinking clearly! Too much testing, I guess! We're getting a little snow outside right now, I think I'll take a break and go watch it for a while! :D

    Thanks for the help Royal, that really makes it clear for me. I appreciate it!
  • royal Member Posts: 3,352
    No problem. Another thing to note is that backing up that EFS key is not the only thing you should do. You should take that exported certificate and store it in a secure location and remove it off the 1st DC. If any rogue user somehow gets access to that certificate/key, he/she literally can decrypt all company data throughout the entire organization if you have strong security policies and are using EFS as company policy.
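Added example, not part of the thread: one way to carry out the manual step discussed above (creating a local recovery agent on a workgroup XP Pro machine) and the key-handling advice in the last post, using the built-in cipher.exe tool. The folder C:\DRA, the base file name efs-dra and the drive letter E: are placeholders chosen for illustration.

```bat
rem Added example; C:\DRA, efs-dra and E: are placeholder names.
rem Run from a command prompt while logged on as the local Administrator.

rem 1. Generate the recovery agent certificate and private key.
rem    cipher /r prompts for a password and writes two files:
rem      efs-dra.cer  certificate only (public part)
rem      efs-dra.pfx  certificate plus private key, password protected
mkdir C:\DRA
cd /d C:\DRA
cipher /r:efs-dra

rem 2. Register the certificate as the recovery agent (GUI step):
rem    secpol.msc > Public Key Policies > Encrypting File System
rem    > right-click > Add Data Recovery Agent... > browse to efs-dra.cer

rem 3. Files encrypted before the agent existed do not carry it yet.
rem    Touch all encrypted files on local drives so they pick up the
rem    current recovery agent.
cipher /u

rem 4. Keep the private key off the machine. Copy the .pfx to removable
rem    media that is stored in a secure location, confirm the copy is
rem    readable, then delete the local copy. Import the .pfx only at the
rem    moment a recovery is actually needed.
copy C:\DRA\efs-dra.pfx E:\
del C:\DRA\efs-dra.pfx
```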