Disaster Recovery Procedures for Active Directory Certificate Services (ADCS)

re: Disaster Recovery Procedures for Active Directory Certificate Services (ADCS)

Amerk [MSFT] — Wed, 17 Oct 2012 22:46:07 GMT

Hi Auro,

You need to modify the registry key if you restored the CA to a different computer name, and re-acl the CA's objects in Active Directory to make sure the CA can publish its CRL files. Step 12 in the article you referenced mentions you need to edit the registry keys.

It is much simpler to restore the system to the same computer name.

re: Disaster Recovery Procedures for Active Directory Certificate Services (ADCS)

Auro_vg — Wed, 17 Oct 2012 11:45:50 GMT

Hello AmerK,

Can you please verify the following two points ?

"The new server must have the same computer name as the old server. Furthermore, it should have the same Operating System of the failed server"

But, technet.microsoft.com/.../cc755153(v=ws.10).aspx did not saying anything about this.

- As far my testing in lab am able to switch platforms and OS versions.

- I have changed target server name and restore PKI pvt. Key and DB - this gives me an option to fall back to original server by modifying dNSHostName attribute.

what is your view ?

Thanks

Auro

re: Disaster Recovery Procedures for Active Directory Certificate Services (ADCS)

Terry — Wed, 16 May 2012 07:42:01 GMT

Hi Amerk,

Is the backup script worked for "Standalone root CA"?

I try to perform "Certutil –catemplates > C:\Backup\CATemplates.txt". However, it returned the error.

Regards,

Terry

re: Disaster Recovery Procedures for Active Directory Certificate Services (ADCS)

GregM — Wed, 30 Nov 2011 21:12:53 GMT

Amerk

Thanks for the quick response. That's the beauty of virtualization!

Thanks much!

Regards,

Greg

re: Disaster Recovery Procedures for Active Directory Certificate Services (ADCS)

Amerk [MSFT] — Wed, 30 Nov 2011 20:52:41 GMT

Greg,

You can archive the Private Key of the CA using Certutil -backupkey option and then use System State for your regular backup. One thing to keep in mind here, System State is hardware dependent, so you need to make sure you are restoring the CA on similar hardware

re: Disaster Recovery Procedures for Active Directory Certificate Services (ADCS)

GregM — Wed, 30 Nov 2011 20:12:57 GMT

Can't I just archive the private key from my Enterprise CA and use System State to back up the CA going forward? I'd imagine that, after a restore of system-state (after a failure), I'd then have to import the private key but that shouldn't be a problem, right?

Thanks for a great guide!

re: Disaster Recovery Procedures for Active Directory Certificate Services (ADCS)

Amerk [MSFT] — Mon, 03 Oct 2011 18:26:32 GMT

This blog is up to date and applies to Windows Server 2008 and 2008 R2.

re: Disaster Recovery Procedures for Active Directory Certificate Services (ADCS)

eax — Wed, 14 Sep 2011 13:53:41 GMT

Hello,

are there any windows updates that the private keys will store in future (2008 R) in the systemstate backup or is this block up to date what the backup of private keys belongs?

i have done the points, i wonder that the Database Directory has 17 MB, after a new run 18 MB.

every backup i made the database directory grow about 1 MB.

Why?

Regards Eax

re: Disaster Recovery Procedures for Active Directory Certificate Services (ADCS)

Amerk [MSFT] — Tue, 19 Apr 2011 16:40:40 GMT

Yes, you can use the same script to backup a 2003 CA

re: Disaster Recovery Procedures for Active Directory Certificate Services (ADCS)

Laljeev Madanamma — Tue, 19 Apr 2011 07:46:33 GMT

Thanks for the post. Shall I use the same script to backup my Windows 2003 CA

Regards

LMS