Implement Windows' Encrypting File System
The first question to ask yourself when looking at deploying EFS is whether or not to integrate it with a Microsoft Public Key Infrastructure (PKI). This is a fundamental question that should be settled before moving forward. EFS does not require a PKI, but a PKI does provide for EFS key recovery and makes it much easier to share encrypted files with other users, because users' EFS public keys can be automatically published to Active Directory (AD). Assuming that you are going to build a PKI or already have one, follow the steps here to configure your PKI for EFS.
Whether or not you decide to use a PKI, it is a good idea to create at least one new Data Recovery Agent (DRA) key pair. By default, your Default Domain Policy uses the Administrator account from the first Domain Controller created in your domain as the DRA. This has several disadvantages. First, this DRA certificate will expire after a few years. Second, if you ever decommission the original Domain Controller, the DRA private key will be lost (assuming you don't export it first).
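The following PowerShell session is an added example, not part of the original article: it generates a new DRA key pair with the built-in cipher.exe, then reads back the certificate's expiry so you can confirm the new agent does not carry the same expiry problem as the default one. The output directory and certificate name are assumptions.

```powershell
# Added example (not from the original article): create a new EFS Data Recovery
# Agent key pair and inspect the certificate before adding it to Group Policy.
# $draName is an assumed path; cipher appends .cer and .pfx to it.
$draName = 'C:\EFS-DRA\corp-efs-dra'
New-Item -ItemType Directory -Path (Split-Path $draName) -Force | Out-Null

# cipher /r writes <name>.cer (the public certificate that goes into the GPO)
# and <name>.pfx (the private key; cipher prompts for a password).
# Keep the .pfx off the domain controller, e.g. on offline media, so it survives
# a decommissioned DC, which is the second problem described above.
cipher.exe /r:$draName

# Read the validity period of the new certificate so expiry can be tracked.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 "$draName.cer"
[pscustomobject]@{
    Subject    = $cert.Subject
    Thumbprint = $cert.Thumbprint
    NotBefore  = $cert.NotBefore
    NotAfter   = $cert.NotAfter
    DaysLeft   = [int]($cert.NotAfter - (Get-Date)).TotalDays
}

# The .cer is then added in the GPO under
#   Computer Configuration > Windows Settings > Security Settings >
#   Public Key Policies > Encrypting File System  (Add Data Recovery Agent).
# Once the policy has applied, verify that a newly encrypted file lists the
# new agent (path is a placeholder):
#   cipher.exe /c C:\path\to\encrypted-file.txt
```

Files encrypted before the new agent was published keep their old recovery field until they are touched again; `cipher /u` on a client updates existing encrypted files to the current DRA list, which is the step most often forgotten after a DRA change.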