Your network consists of a single Active Directory domain. You have a Windows 7 computer named Computer1 and another Windows 7 computer named Computer2. From Computer1, you can recover all Encrypting File System (EFS) encrypted files for users in the domain (Computer1 holds the EFS data recovery agent keys). You need to ensure that you can also recover all EFS encrypted files from Computer2. What should you do?

Difficulty: Medium

Correct Answer: On Computer1, export the EFS data recovery agent certificate and private key, and on Computer2 import that data recovery agent certificate.

Explanation:


Introduction / Context:
Encrypting File System (EFS) allows users to encrypt files on NTFS volumes in Windows. To prevent permanent data loss, organizations typically designate a data recovery agent (DRA) whose certificate and private key can decrypt any EFS encrypted file in the domain. In this scenario, Computer1 already has the DRA certificate and can recover EFS files. You now want Computer2 to have the same recovery capability.


Given Data / Assumptions:

  • Both Computer1 and Computer2 run Windows 7 and are joined to the same Active Directory domain.
  • Computer1 is configured with a data recovery agent certificate that can decrypt any EFS encrypted file for domain users.
  • You need Computer2 to also be able to recover all EFS encrypted files.
  • You want a supported, secure method that preserves the DRA role.


Concept / Approach:
EFS recovery relies on public key certificates. The DRA certificate and its associated private key must be available on any system that should be able to perform recovery. To extend recovery capability to Computer2, you export the DRA certificate (including the private key) from Computer1 to a password-protected file, then import it into Computer2. Secedit manages security templates, and the Cipher.exe /adduser and /removeuser switches manage which users can open particular files; neither transfers the DRA certificate and private key in the way required here.


Step-by-Step Solution:
1. Confirm that the ability to recover all EFS files comes from a data recovery agent certificate, with its private key, stored on Computer1.
2. Recognise that to grant Computer2 the same ability, the same DRA certificate and private key must be made available on that computer.
3. Use the Certificates snap-in or the command line to export the DRA certificate from Computer1, including the private key and protecting the export file with a strong password.
4. On Computer2, import the DRA certificate (with its private key) into the appropriate certificate store so that EFS can use it to decrypt files.
5. Test by opening an EFS encrypted file from Computer2; if it opens, the transfer was done correctly.
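The export and import steps above as a script, added here and not part of the original page; it uses certutil.exe and cipher.exe, and assumes each function is run by the DRA account in its own session on the respective computer, that the DRA private key is marked exportable, and that the certificate id, paths and test file name are placeholders.

```powershell
# Added example, not from the original page. Moves an existing EFS data
# recovery agent (DRA) certificate + private key from Computer1 to Computer2
# with certutil.exe and cipher.exe (both present on Windows 7). Assumptions:
# each function runs in the DRA account's own interactive session on that
# computer, the DRA private key is marked exportable, and the certificate id,
# paths and file name below are placeholders you replace.

function ConvertFrom-SecurePassword([SecureString]$Secure) {
    # certutil needs the password as plain text on its command line.
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
    try     { [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}

# Run on Computer1 as the DRA account.
function Export-DraCertificate {
    param(
        [string]$CertId  = '<DRA certificate thumbprint or subject CN>', # placeholder
        [string]$PfxPath = 'C:\Temp\dra-export.pfx'                       # placeholder
    )
    $pw = ConvertFrom-SecurePassword (Read-Host -Prompt 'PFX password' -AsSecureString)
    # Export from the current user's Personal (My) store WITH the private key;
    # a certificate-only export would let Computer2 list the DRA but not decrypt.
    certutil -user -p $pw -exportPFX My $CertId $PfxPath
    if ($LASTEXITCODE -ne 0) { throw 'Export failed: is the private key exportable?' }
    # Lock the file to the DRA account while it is in transit; the PFX is a
    # domain-wide decryption key until it is imported and deleted.
    $me = "$env:USERDOMAIN\$env:USERNAME"
    icacls $PfxPath /inheritance:r /grant:r "${me}:(R)" | Out-Null
}

# Run on Computer2 as the same DRA account, after copying the PFX over.
function Import-DraCertificate {
    param(
        [string]$PfxPath  = 'C:\Temp\dra-export.pfx',   # placeholder
        [string]$TestFile = 'C:\Data\report.docx'        # placeholder: any EFS file
    )
    $pw = ConvertFrom-SecurePassword (Read-Host -Prompt 'PFX password' -AsSecureString)
    certutil -user -p $pw -importPFX $PfxPath
    if ($LASTEXITCODE -ne 0) { throw 'Import failed' }
    # Verify: cipher /c lists the recovery certificates embedded in the file;
    # the DRA thumbprint shown must match the one now in this user's store.
    cipher /c $TestFile
    # Remove the transit copy once the key is in the store (keep the offline backup).
    Remove-Item $PfxPath -Force
}
```

Run Export-DraCertificate on Computer1, copy the PFX to Computer2, then run Import-DraCertificate there; the cipher /c output confirms that the DRA certificate in the file matches the key that was just imported.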


Verification / Alternative check:
EFS encryption uses one or more certificates: the user's EFS certificate and any configured data recovery agent certificates. When an EFS file is created, the file encryption key is itself encrypted with each relevant public key, including the DRA key. As long as Computer2 has the DRA's private key, it can decrypt the file encryption key and thus the file content. Simply copying security templates or running Cipher without dealing with the DRA certificate would not make Computer2 a recovery agent, confirming that exporting and importing the DRA certificate is the correct approach.


Why Other Options Are Wrong:
Option b, backing up %systemroot%\DigitalLocker, is not the standard or reliable method for transferring DRA keys across computers. Option c, using Secedit.exe, deals primarily with security templates and policy settings rather than the specific certificate and private key needed for EFS recovery. Option d, using Cipher.exe with /removeuser or /adduser, manages individual EFS users on specific files, not the domain DRA configuration, and does not transfer the DRA private key between machines.


Common Pitfalls:
A major pitfall in EFS deployments is failing to back up the data recovery agent certificate and private key. If the original DRA keys are lost, you may permanently lose access to encrypted files. Another mistake is assuming that simply being a domain administrator automatically grants EFS recovery capability; in reality, only accounts with the correct certificates can act as DRAs.


Final Answer:
You should export the EFS data recovery agent certificate and private key from Computer1 and then import that data recovery agent certificate on Computer2.
