Encrypted File System (EFS) certificate and Group Policy issue


Yesterday, users had problems opening/saving/modifying encrypted files. I found out that the EFS certificate from our PKI had expired the day before. I followed the instructions at http://support.microsoft.com/kb/937536 to create a new certificate, which is given out via Group Policy. The users' issue was resolved after doing gpupdate /force. A small number of users (5-10%) had ongoing issues with files being read-only and other certificate-related issues; these were resolved by rebooting the machine (a couple of times). One strange thing: the new certificate is valid for 100 years (!!)

Today, many more users are still reporting issues with permissions/read-only etc. in EFS-protected folders. I suspect there is an issue with replication between our 2 domain controllers, dc01 and dc02: the sysvol/policies folder has 10 policies on one DC and 7 on the other, and I assume the content should be identical.
I see no errors in replmon.

DCs: Windows Server 2008 SP1. Clients: XP to W7.

Any help is appreciated, particularly:
- Did I take the correct action when fixing the certificate?
- Why is the new cert valid for 100 years?
- Am I right in suspecting Group Policy, and how do I fix the issue for users?

If more info is required, let me know and I'll be happy to provide it.
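The check the post does by hand (counting the policy folders under sysvol/policies on each DC) can be done for every GPO at once, and extended to the comparison gpotool makes between the GPT.INI version in SYSVOL and the versionNumber of the same GPO in Active Directory on each DC. The script below is an added example, not part of the original post or of any Microsoft tool; the DC names, the domain DNS name and the derived distinguished name are assumptions, and it is written for the PowerShell 2.0 that ships with Server 2008 (no -Directory/-File switches, no [pscustomobject]).

```powershell
# Added example, not from the original post: inventory the Policies folder of
# SYSVOL on each DC, report per-GPO differences, and compare each GPO's SYSVOL
# GPT.INI version with its AD versionNumber as read from that same DC.
# DC names and the domain DNS name are assumptions; written for PowerShell 2.0.
$DomainControllers = 'dc01', 'dc02'
$DomainDns         = 'corp.example'                              # assumed
$DomainDn          = 'DC=' + ($DomainDns -replace '\.', ',DC=')   # corp.example -> DC=corp,DC=example
$DefaultDomainGpo  = '{31B2F340-016D-11D2-945F-00C04FB984F9}'    # well-known GUID of the Default Domain Policy

function Get-SysvolPolicyInventory {
    param([string]$Dc)
    $root = "\\$Dc\SYSVOL\$DomainDns\Policies"
    Get-ChildItem -Path $root | Where-Object { $_.PSIsContainer } | ForEach-Object {
        $dir   = $_
        $files = @(Get-ChildItem -Path $dir.FullName -Recurse -ErrorAction SilentlyContinue |
                   Where-Object { -not $_.PSIsContainer })
        $bytes = 0
        if ($files.Count -gt 0) { $bytes = ($files | Measure-Object -Property Length -Sum).Sum }
        # GPT.INI "Version=" packs the user version in the high 16 bits and the
        # machine version in the low 16 bits; AD stores the same packed number.
        $sysvolVer = $null
        $m = Select-String -Path (Join-Path $dir.FullName 'GPT.INI') -Pattern '^Version=(\d+)' -ErrorAction SilentlyContinue
        if ($m) { $sysvolVer = [int]$m.Matches[0].Groups[1].Value }
        $machineVer = $null; $userVer = $null
        if ($sysvolVer -ne $null) {
            $machineVer = $sysvolVer -band 0xFFFF
            $userVer    = [math]::Floor($sysvolVer / 65536)
        }
        # Read the GPO container from this DC specifically, so a DC whose AD copy lags shows up.
        $adVer = $null
        try {
            $gpc   = [ADSI]"LDAP://$Dc/CN=$($dir.Name),CN=Policies,CN=System,$DomainDn"
            $adVer = [int]$gpc.Properties['versionNumber'][0]
        } catch { }
        New-Object PSObject -Property @{
            Dc = $Dc; Guid = $dir.Name; Files = $files.Count; Bytes = [int64]$bytes
            SysvolVer = $sysvolVer; MachineVer = $machineVer; UserVer = $userVer; AdVer = $adVer
        }
    }
}

function Compare-SysvolPolicies {
    $inv = @(foreach ($dc in $DomainControllers) { Get-SysvolPolicyInventory -Dc $dc })
    foreach ($grp in ($inv | Group-Object -Property Guid)) {
        $present = @($grp.Group | ForEach-Object { $_.Dc })
        $missing = @($DomainControllers | Where-Object { $present -notcontains $_ })
        $sizes   = @($grp.Group | ForEach-Object { $_.Bytes }     | Sort-Object -Unique)
        $vers    = @($grp.Group | ForEach-Object { $_.SysvolVer } | Sort-Object -Unique)
        $adMism  = @($grp.Group | Where-Object { $_.AdVer -ne $_.SysvolVer })
        if ($missing.Count -or $sizes.Count -gt 1 -or $vers.Count -gt 1 -or $adMism.Count) {
            New-Object PSObject -Property @{
                Guid        = $grp.Name
                MissingOn   = ($missing -join ',')
                SysvolVer   = (($grp.Group | ForEach-Object { "$($_.Dc)=$($_.SysvolVer)" }) -join ' ')
                AdVer       = (($grp.Group | ForEach-Object { "$($_.Dc)=$($_.AdVer)" })     -join ' ')
                SysvolBytes = (($grp.Group | ForEach-Object { "$($_.Dc)=$($_.Bytes)" })     -join ' ')
            }
        }
    }
}

$diff = @(Compare-SysvolPolicies)
if ($diff.Count -eq 0) {
    'SYSVOL Policies folders and AD versionNumbers agree on all DCs'
} else {
    $diff | Format-Table Guid, MissingOn, SysvolVer, AdVer, SysvolBytes -AutoSize
}
# After replacing an EFS recovery agent, the GPO to watch is the Default Domain Policy.
$diff | Where-Object { $_.Guid -eq $DefaultDomainGpo } |
    ForEach-Object { Write-Warning 'Default Domain Policy differs between DCs; the DRA may be stale on one of them' }
```

A GPO that is missing on one DC, or whose SYSVOL bytes differ between DCs, points at FRS (SYSVOL) replication; a GPO whose AD versionNumber differs from its GPT.INI version on the same DC is the "version mismatch" gpotool reports and means the two halves of the GPO have replicated at different speeds, since AD replication (what repadmin and replmon check) and SYSVOL replication are separate mechanisms.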

Issue resolved (almost).

After a lot of troubleshooting using gpotool (giving errors) and repadmin (working fine), I found error 13568 in the File Replication Service log on Server 2008. This gave me the solution for resolving the file replication issue (copied below).

This didn't fix the gpotool errors but did stop the journal wrap errors. I considered running the dcgpofix tool to fix the default GPOs but elected instead to make a minor change to each of our GPOs. I forced replication using repadmin /syncall /APeD. This resolved the errors on gpotool. Importantly, the size of the sysvol/policy folders became identical on both DCs. Unfortunately it replicated the wrong way: the old expired certificate overwrote the new one. I followed the instructions in the link in the first post and recreated the certificate. This appears to have solved the EFS issues for users (after a reboot or gpupdate /force on the client).

I still have a sysvol mismatch error that I'll look at at some point; as far as users are concerned, all is well.

-------------------------------------------

The File Replication Service has detected that the replica set "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)" is in JRNL_WRAP_ERROR.

Replica Set Name : "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)"
Replica Root Path : "c:\windows\sysvol\domain"
Replica Root Volume : "\\.\C:"

A Replica set hits JRNL_WRAP_ERROR when the record that it is trying to read from the NTFS USN journal is not found. This can occur because of one of the following reasons.

[1] Volume "\\.\C:" has been formatted.
[2] The NTFS USN journal on volume "\\.\C:" has been deleted.
[3] The NTFS USN journal on volume "\\.\C:" has been truncated. Chkdsk can truncate the journal if it finds corrupt entries at the end of the journal.
[4] File Replication Service was not running on this computer for a long time.
[5] File Replication Service could not keep up with the rate of Disk IO activity on "\\.\C:".

Setting the "Enable Journal Wrap Automatic Restore" registry parameter to 1 will cause the following recovery steps to be taken to automatically recover from this error state.

[1] At the first poll, which will occur in 5 minutes, this computer will be deleted from the replica set. If you do not want to wait 5 minutes, then run "net stop ntfrs" followed by "net start ntfrs" to restart the File Replication Service.
[2] At the poll following the deletion this computer will be re-added to the replica set. The re-addition will trigger a full tree sync for the replica set.

WARNING: During the recovery process data in the replica tree may be unavailable. You should reset the registry parameter described above to 0 to prevent automatic recovery from making the data unexpectedly unavailable if this error condition occurs again.

To change this registry parameter, run regedit.

Click on Start, Run and type regedit.

Expand HKEY_LOCAL_MACHINE.
Click down the key path:
"System\CurrentControlSet\Services\NtFrs\Parameters"
Double click on the value name
"Enable Journal Wrap Automatic Restore"
and update the value.

If the value name is not present you may add it with the New->DWORD Value function under the Edit Menu item. Type the value name exactly as shown above.
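The recovery the event text describes, plus the two checks the post shows are worth doing around it, as an added example that is not part of the original post or of the Microsoft event text. One caveat first: the automatic restore removes this DC from the replica set and re-adds it, and the full tree sync then pulls SYSVOL from the replication partner. That is a non-authoritative restore, and it is the mechanism by which the post's expired DRA certificate came back and overwrote the new one, so confirm that the partner holds the version of the Default Domain Policy you want before enabling it. The script also sets the registry value back to 0 afterwards, as the WARNING in the event text says, and finally reads the exported recovery-agent .cer to show its lifetime and confirm it carries the File Recovery EKU; a self-signed DRA certificate produced by cipher /r is issued with a 100-year validity, which is what the post saw. The DC names, the domain DNS name, the .cer path and the timeout are assumptions; 13568 is the event quoted above, and 13516 is the FRS event logged once SYSVOL has been re-initialised and shared again.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell on the
# DC that logged 13568. DC names, domain DNS name, .cer path and timeout are assumptions.
$PeerDc      = 'dc02'                                     # assumed: the replication partner
$DomainDns   = 'corp.example'                             # assumed
$DraCerPath  = 'C:\EFS-DRA\recovery.cer'                  # assumed: .cer produced by cipher /r
$FrsLog      = 'File Replication Service'
$FrsParams   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters'
$AutoRestore = 'Enable Journal Wrap Automatic Restore'
$DefaultDomainGpo = '{31B2F340-016D-11D2-945F-00C04FB984F9}'   # well-known GUID

function Test-JournalWrap {
    # 13568 is the JRNL_WRAP_ERROR event quoted above; -MaxEvents 1 returns the newest.
    $ev = Get-WinEvent -FilterHashtable @{ LogName = $FrsLog; Id = 13568 } -MaxEvents 1 -ErrorAction SilentlyContinue
    if ($ev) { Write-Host ('Last 13568 logged at {0}' -f $ev.TimeCreated) }
    return [bool]$ev
}

function Get-DefaultDomainPolicyVersion {
    param([string]$Dc)
    # GPT.INI "Version=" of the Default Domain Policy on $Dc's SYSVOL (the GPO that carries the DRA by default).
    $ini = "\\$Dc\SYSVOL\$DomainDns\Policies\$DefaultDomainGpo\GPT.INI"
    $m = Select-String -Path $ini -Pattern '^Version=(\d+)' -ErrorAction SilentlyContinue
    if ($m) { [int]$m.Matches[0].Groups[1].Value } else { $null }
}

function Invoke-JournalWrapRecovery {
    param([int]$TimeoutMinutes = 30)
    # Step [1] of the event text: enable automatic restore and restart NtFrs
    # rather than waiting for the 5-minute poll.
    Set-ItemProperty -Path $FrsParams -Name $AutoRestore -Value 1 -Type DWord
    $start = Get-Date
    Restart-Service -Name NtFrs -Force
    # Step [2] happens on its own: the DC is removed from and re-added to the replica
    # set and a full tree sync runs. 13516 is logged when SYSVOL is shared again.
    $done = $null
    do {
        Start-Sleep -Seconds 30
        $done = Get-WinEvent -FilterHashtable @{ LogName = $FrsLog; Id = 13516; StartTime = $start } -MaxEvents 1 -ErrorAction SilentlyContinue
    } until ($done -or ((Get-Date) - $start).TotalMinutes -gt $TimeoutMinutes)
    # The WARNING in the event text: put the value back to 0 so a future journal wrap
    # cannot take SYSVOL offline without an administrator choosing to let it.
    Set-ItemProperty -Path $FrsParams -Name $AutoRestore -Value 0 -Type DWord
    if (-not $done) { throw "FRS did not log 13516 within $TimeoutMinutes minutes; check the FRS log before going further" }
}

function Get-DraCertificateInfo {
    param([string]$Path)
    # The File Recovery EKU (1.3.6.1.4.1.311.10.3.4.1) is what marks a certificate as an
    # EFS data recovery agent rather than an ordinary EFS user certificate.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $eku  = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $isDra = $false
    if ($eku) { $isDra = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.4.1.311.10.3.4.1' }) }
    New-Object PSObject -Property @{
        Subject = $cert.Subject; Thumbprint = $cert.Thumbprint; NotAfter = $cert.NotAfter
        YearsRemaining  = [math]::Round(($cert.NotAfter - (Get-Date)).TotalDays / 365.25, 1)
        FileRecoveryEku = $isDra
    }
}

# --- main ---
if (Test-JournalWrap) {
    $local = Get-DefaultDomainPolicyVersion -Dc $env:COMPUTERNAME
    $peer  = Get-DefaultDomainPolicyVersion -Dc $PeerDc
    Write-Host "Default Domain Policy GPT.INI version: local=$local $PeerDc=$peer"
    # The restore copies SYSVOL from the partner, so the partner's copy is the one that survives.
    $answer = Read-Host "Automatic restore will replace this DC's SYSVOL with $PeerDc's. Type YES to continue"
    if ($answer -eq 'YES') { Invoke-JournalWrapRecovery }
} else {
    Write-Host 'No 13568 in the FRS log; nothing to recover.'
}
# The AD sync the post used: /A all naming contexts, /P push, /e cross-site, /d show DNs.
& repadmin /syncall /APeD
if ($LASTEXITCODE -ne 0) { Write-Warning "repadmin /syncall exited with $LASTEXITCODE" }
# Confirm the DRA certificate being distributed is the fresh one and see its lifetime.
Get-DraCertificateInfo -Path $DraCerPath | Format-List Subject, Thumbprint, NotAfter, YearsRemaining, FileRecoveryEku
```

If the partner's Default Domain Policy version is the older one, answer anything but YES, fix the GPO on the partner (or raise its version by re-adding the new DRA there) and let that replicate before triggering the restore; otherwise the sequence in the post repeats itself.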
