Renew Active Directory Certificate for EFS

Recently some users at a company that uses EFS encryption for their Windows 7 offline files were no longer able to access those files. We had to reset their offline cache for it to resync. This was caused by the expiry of the EFS Data Recovery Agent (DRA) certificate that is created by default when you create a new domain.

This article explains it – and outlines the process for renewing and replacing the certificate:

http://msmvps.com/blogs/alunj/archive/2007/03/24/efs-in-a-domain-expires-after-three-years.aspx

and here’s a more detailed explanation from the MS AD team themselves:

http://blogs.technet.com/b/askds/archive/2008/01/07/replacing-an-expired-dra-certificate.aspx

The steps are basically:

  1. Export the current certificate to a PFX file (so that you have it in case you need to roll back).
  2. Create a new certificate from the command line.
  3. Remove the old certificate from the Default Domain Policy and import the new one.
  4. Distribute the new certificate by running a Group Policy update.
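As an added example (not part of the original post or the linked articles), a PowerShell script that checks how long the existing DRA certificate has left and carries out steps 1, 2 and 4 above; step 3 stays a GPMC action. It assumes an elevated PowerShell 3.0 or later with the PKI module, run as the domain admin whose personal store holds the DRA certificate; the folder, file names and sample file path are placeholders.

```powershell
# Added example (not from the original post): audit the EFS Data Recovery
# Agent (DRA) certificate and drive the four renewal steps above.
# Assumptions: elevated PowerShell 3.0+ with the PKI module, run as the
# domain admin whose personal store holds the DRA certificate; the folder,
# file names and the sample file path below are placeholders.
$FileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'   # EKU "File Recovery" (DRA)
$BackupDir       = 'C:\EFS-DRA-Backup'            # placeholder
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# Check: list current DRA certificates and how long they have left.
$dra = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $FileRecoveryOid }
if (-not $dra) { Write-Warning 'No File Recovery certificate in CurrentUser\My' }
foreach ($c in $dra) {
    $days  = [int]($c.NotAfter - (Get-Date)).TotalDays
    $state = if ($days -lt 0) { 'EXPIRED' } elseif ($days -lt 90) { 'expiring soon' } else { 'ok' }
    '{0}  thumbprint={1}  NotAfter={2:yyyy-MM-dd}  {3}' -f $c.Subject, $c.Thumbprint, $c.NotAfter, $state
}

# Step 1: export each existing DRA certificate with its private key to PFX,
# so files encrypted under the old agent stay recoverable and the change
# can be rolled back.
$pfxPassword = Read-Host -AsSecureString 'Password for the PFX backups'
foreach ($c in $dra) {
    $out = Join-Path $BackupDir "old-dra-$($c.Thumbprint).pfx"
    Export-PfxCertificate -Cert $c -FilePath $out -Password $pfxPassword | Out-Null
}

# Step 2: create the new recovery agent certificate from the command line.
# cipher writes new-dra.cer (public part, for the GPO) and new-dra.pfx
# (private key, keep it offline) and prompts for a password.
$newBase = Join-Path $BackupDir 'new-dra'
cipher.exe /r:$newBase

# Step 3 (manual, in GPMC): Default Domain Policy > Computer Configuration >
# Windows Settings > Security Settings > Public Key Policies >
# Encrypting File System: delete the old agent, then "Add Data Recovery
# Agent..." with new-dra.cer. Keep the old PFX until every file is updated.

# Step 4: pull the updated policy onto this machine, re-stamp existing
# encrypted files with the new agent (cipher /u touches every encrypted
# file on local drives) and confirm the recovery certificate on one file.
gpupdate.exe /force
cipher.exe /u
cipher.exe /c 'C:\Users\someuser\Documents\secret.docx'   # placeholder path
```

cipher /r and Read-Host prompt interactively, so run this in a console session rather than as a scheduled task.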