Tuesday, January 22, 2013 8:16 AMDear All ,
We have a
physical standalone offline Root CA
enterprise Sub CA , online responders in a virtual environment.
Backup Strategies are as follows
On the Root CA
1- Log on as user who has CA administrator rights and should be a part of backup operators.
2- Create a folder under %Homedrive% called Backup.
3- Create a new text document under C:\scripts
4- Paste the following text:
Echo Backup Certification Authority, Certificates, Templates and CSP
Echo Y| del C:\backup\database
Echo Y| del c:\backup
Echo Backing up the Certification Authority and Certificates
certutil -backup –p <givepassword> c:\backup
Echo Backing up the registry keys
reg export HKLM\System\CurrentControlSet\Services\CertSvc\Configuration c:\backup\regkey.reg
Certutil –getreg CA\CSP > C:\Backup\CSP.txt
Echo Documenting all certificate templates published at the CA
Certutil –v -catemplates > C:\Backup\CATemplates.txt
For enterprise SUb CA and online responder - we're considering full VM backup using Veeam tool .
Is it recommended to perform a full VM backup or should it be just the config files and related data ? It's easy to perform a full VM backup - but the question is how consistent and reliable it is ?
Please share the best practices followed to backup Enterprise SUb CA & online responders in a virtual enviroment
Saturday, January 26, 2013 2:38 AMhi shaun, i recommend at minimum the script you have. because the script backup is much faster and smaller than a full backup you can run it more often. the full backup can complete your backup strategy. vmware and hyper-v allow the replication of VMs. some of my clients do a backup on the storage area network level. might those are options for your scenario as well. regards, lutz
- Marked As Answer by shaunsaravana Sunday, February 03, 2013 5:13 AM
Monday, January 28, 2013 7:51 AM
Thanks Lutz ,
But do we have any dependency that is linked with the actual VM ? that the backup VM will be incapable of providing
I restored the backup since then i'm getting this error (event id 66) while trying to publish CRLs (on the restored VM) to CDPs
Active Directory Certificate Services could not publish a Delta CRL for key 0 to the following location: file://\\exampleMEONRES2\examplemeonres\domain-exampleMESUBCA+.crl. Operation aborted 0x80004004 (-2147467260).
Active Directory Certificate Services could not publish a Delta CRL for key 0 to the following location: file://\\exampleMEONRES1\examplemeonres\domain-exampleMESUBCA+.crl. Operation aborted 0x80004004 (-2147467260).
Active Directory Certificate Services could not publish a Delta CRL for key 0 to the following location: C:\Windows\system32\CertSrv\CertEnroll\domain-exampleMESUBCA+.crl. Operation aborted 0x80004004 (-2147467260).
Active Directory Certificate Services could not publish a Base CRL for key 0 to the following location: file://\\exampleMEONRES2\examplemeonres\domain-exampleMESUBCA.crl. Access is denied. 0x80070005 (WIN32: 5).
I tired the resolutions provided by Microsoft here , couldn't fix . I tried publishing CRLs from actual VM (original) & restored VM , neither works
Is this associated with Virtual machine restoration ?
Monday, January 28, 2013 2:11 PM
the interesting point here is that you get a access denied for file://\\exampleMEONRES2\examplemeonres\domain-exampleMESUBCA.crl. You are saying that the CRL publication is not working for the original VM nor from the backup VM. (Btw: having 2 machine with the same name contacting AD, even not at the same time, can be confusing, because of the machine account password updates - Machine Account Password Process http://blogs.technet.com/b/askds/archive/2009/02/15/test2.aspx).
Have you assigned modify permissions on \\exampleMEONRES2\examplemeonres\ for the CA machine account?
- Proposed As Answer by LutzMH Thursday, January 31, 2013 2:15 PM
Thursday, January 31, 2013 1:42 PM
Hey Lutz ,
I verified permissions on security tab initially it was all good , then looked into share permissions (found the subca permissions missing) am clueless on how this happened .
Now it works
thanks for the help