To enable a remote Windows Server 2003 server for EFS file encryption, you need to right-click the remote server in Active Directory Users and Computers, select Properties, select the Delegation tab, and enable the “Trust this computer for delegation to specified services only” option. At least, these are the steps you should follow according to http://technet2.microsoft.com/windowsserver/en/library/3eaa0062-4759-4b3e-bb7d-c2531e7452b91033.mspx?mfr=true.
The other day an IT guy I know tried to do this, but when he opened the properties of the remote server in ADUC, there was no Delegation tab! Why? Because he hadn’t yet raised his domain to the Windows Server 2003 domain functional level.
Moral: Those “smart” property sheets, which add or remove tabs based on other configuration settings, can be confusing! Plus you can’t always trust the documentation, because sometimes it assumes things. Oh well.
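A check to run before following the documented steps, added here as an example (it is not part of the original tip or of Microsoft's documentation): it reads the domain functional level from rootDSE and reports the delegation settings currently stored on the server's computer account. The computer name FILESRV01 is a placeholder, and the script assumes it is run from a domain-joined machine.

```powershell
# Added example. 'FILESRV01' is a placeholder computer name.
param([string]$ComputerName = 'FILESRV01')

if ($ComputerName -notmatch '^[A-Za-z0-9-]{1,15}$') {
    throw "Unexpected computer name: $ComputerName"   # keeps the LDAP filter below safe
}

# rootDSE publishes the domain functional level. Windows 2000 DCs omit the
# attribute; [int]$null is 0, which is the correct reading in that case.
$rootDse  = [ADSI]'LDAP://RootDSE'
$level    = [int]$rootDse.Properties['domainFunctionality'].Value
$domainDn = [string]$rootDse.Properties['defaultNamingContext'].Value

$levelNames = @{ 0 = 'Windows 2000'; 1 = 'Windows Server 2003 interim'; 2 = 'Windows Server 2003' }
$levelName  = if ($levelNames.ContainsKey($level)) { $levelNames[$level] }
              else { "newer than Windows Server 2003 ($level)" }

# Look up the computer account and the attributes behind the Delegation tab.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$domainDn"
$searcher.Filter = "(&(objectCategory=computer)(sAMAccountName=$ComputerName`$))"
$searcher.PropertiesToLoad.AddRange([string[]]@('useraccountcontrol', 'msds-allowedtodelegateto'))
$hit = $searcher.FindOne()
if (-not $hit) { throw "Computer account $ComputerName not found in $domainDn" }

$uac      = [int]$hit.Properties['useraccountcontrol'][0]
$services = @($hit.Properties['msds-allowedtodelegateto'] | Where-Object { $_ })

New-Object PSObject -Property @{
    DomainFunctionalLevel   = $levelName
    # Per the tip above: no Delegation tab below Windows Server 2003 level.
    DelegationTabAvailable  = ($level -ge 2)
    UnconstrainedDelegation = [bool]($uac -band 0x80000)     # TRUSTED_FOR_DELEGATION
    ProtocolTransition      = [bool]($uac -band 0x1000000)   # TRUSTED_TO_AUTH_FOR_DELEGATION
    SpecifiedServices       = $services                      # msDS-AllowedToDelegateTo
}
```

If DelegationTabAvailable is False, raise the domain functional level first; the SpecifiedServices list is also worth reviewing afterwards, since it records exactly which services the server may delegate to.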
Mitch Tulloch is lead author for the Windows Vista Resource Kit from Microsoft Press, which is THE book for IT pros who want to deploy, maintain and support Windows Vista in mid- and large-sized network environments. Mitch is also the author of Introducing Windows Server 2008, the first book from Microsoft Press about the exciting new server platform. For more information on these and other books written by Mitch, see www.mtit.com.