Enterprise Sub CA backup / restore in Virtual environment

  • Tuesday, January 22, 2013 8:16 AM

    Dear All,

    We have:

    - a physical standalone offline Root CA
    - an enterprise Sub CA and online responders in a virtual environment

    Backup strategies are as follows.

    On the Root CA:

    #####################


    1-      Log on as user who has CA administrator rights and should be a part of backup operators.
    2-      Create a folder under %Homedrive% called Backup.
    3-      Create a new text document under C:\scripts
    4-      Paste the following text:

    REM Backup of the Certification Authority, certificates, templates and CSP settings
    Echo Backup Certification Authority, Certificates, Templates and CSP
    c:
    cd \scripts
    REM Clear the previous backup; "Echo Y|" answers the "Are you sure (Y/N)?" prompt of del
    Echo Y| del C:\backup\database
    rd C:\backup\database
    Echo Y| del c:\backup
    Echo Backing up the Certification Authority and Certificates
    REM -p protects the exported CA private key with a password; replace <givepassword>
    REM with the actual password (the angle brackets are a placeholder, not part of the syntax)
    certutil -backup -p <givepassword> c:\backup
    Echo Backing up the registry keys
    reg export HKLM\System\CurrentControlSet\Services\CertSvc\Configuration c:\backup\regkey.reg
    REM Record the CSP / key storage provider configuration of the CA
    Certutil -getreg CA\CSP > C:\Backup\CSP.txt
    Echo Documenting all certificate templates published at the CA
    Certutil -v -catemplates > C:\Backup\CATemplates.txt

    #########################################

    For the enterprise Sub CA and online responder, we're considering a full VM backup using the Veeam tool.

    Is it recommended to perform a full VM backup, or should it be just the config files and related data? It's easy to perform a full VM backup, but the question is how consistent and reliable it is.

    Please share the best practices followed to back up an Enterprise Sub CA and online responders in a virtual environment.

    Thanks

    Shaun

All Replies

  • Saturday, January 26, 2013 2:38 AM
     Answered
    Hi Shaun, I recommend at minimum the script you have. Because the script backup is much faster and smaller than a full backup, you can run it more often. The full backup can complete your backup strategy. VMware and Hyper-V allow the replication of VMs. Some of my clients do a backup on the storage area network level. Maybe those are options for your scenario as well. Regards, Lutz
    • Marked As Answer by shaunsaravana Sunday, February 03, 2013 5:13 AM
  • Monday, January 28, 2013 7:51 AM

    Thanks Lutz,

    But do we have any dependency that is linked with the actual VM, which the backup VM will be incapable of providing?

    I restored the backup; since then I'm getting this error (event ID 66) while trying to publish CRLs (on the restored VM) to the CDPs:


    Active Directory Certificate Services could not publish a Delta CRL for key 0 to the following location: file://\\exampleMEONRES2\examplemeonres\domain-exampleMESUBCA+.crl.  Operation aborted 0x80004004 (-2147467260).

    Active Directory Certificate Services could not publish a Delta CRL for key 0 to the following location: file://\\exampleMEONRES1\examplemeonres\domain-exampleMESUBCA+.crl.  Operation aborted 0x80004004 (-2147467260).


    Active Directory Certificate Services could not publish a Delta CRL for key 0 to the following location: C:\Windows\system32\CertSrv\CertEnroll\domain-exampleMESUBCA+.crl.  Operation aborted 0x80004004 (-2147467260).

    Active Directory Certificate Services could not publish a Base CRL for key 0 to the following location: file://\\exampleMEONRES2\examplemeonres\domain-exampleMESUBCA.crl.  Access is denied. 0x80070005 (WIN32: 5).

    I tried the resolutions provided by Microsoft here, but couldn't fix it. I tried publishing CRLs from the actual VM (original) and from the restored VM; neither works.

    Is this associated with the virtual machine restoration?

    Kindly assist.

    Regards

    Shaun

  • Monday, January 28, 2013 2:11 PM
     Proposed

    Hi Shaun,

    The interesting point here is that you get an access denied for file://\\exampleMEONRES2\examplemeonres\domain-exampleMESUBCA.crl. You are saying that the CRL publication is not working from the original VM nor from the backup VM. (Btw: having 2 machines with the same name contacting AD, even if not at the same time, can be confusing because of the machine account password updates - Machine Account Password Process http://blogs.technet.com/b/askds/archive/2009/02/15/test2.aspx).

    Have you assigned modify permissions on \\exampleMEONRES2\examplemeonres\ for the CA machine account?

    Thank you,

    Lutz


    • Proposed As Answer by LutzMH Thursday, January 31, 2013 2:15 PM
  • Thursday, January 31, 2013 1:42 PM

    Hey Lutz,

    I verified the permissions on the security tab; initially it was all good. Then I looked into the share permissions (found the Sub CA permissions missing); I am clueless on how this happened.

    Now it works.

    Thanks for the help.

    Regards

    Shaun
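The root cause in this thread was a missing share-level permission for the Sub CA's computer account on the CDP file share, which the NTFS security tab alone did not reveal (event ID 66, 0x80070005). The following PowerShell is added here as an example and is not part of the thread; run on the file server hosting the share, it checks both the share ACL and the NTFS ACL for that account. It assumes Windows Server 2012 or later (SmbShare module) and uses DOMAIN\exampleMESUBCA$ as a placeholder for the CA computer account.

```powershell
# Added example (not from the thread): verify that the CA computer account can
# write CRLs to a file:// CDP share. certsvc authenticates over the network as
# the CA's computer account, so that account needs Change on the share AND
# Modify on the folder (CRL files are overwritten at every publish).
param(
    [string]$ShareName = 'examplemeonres',           # share name from the thread
    [string]$CaAccount = 'DOMAIN\exampleMESUBCA$'    # placeholder: Sub CA computer account
)

$share = Get-SmbShare -Name $ShareName -ErrorAction Stop

# 1. Share-level ACL: this is the layer that was missing in the thread.
$shareAce = Get-SmbShareAccess -Name $ShareName |
    Where-Object { $_.AccountName -eq $CaAccount }
if (-not $shareAce) {
    Write-Warning "No share permission for $CaAccount on \\$env:COMPUTERNAME\$ShareName"
} elseif ($shareAce.AccessControlType -ne 'Allow' -or $shareAce.AccessRight -eq 'Read') {
    Write-Warning "Share permission for $CaAccount is '$($shareAce.AccessRight)'; Change or Full is required"
} else {
    "Share ACL OK: $CaAccount has $($shareAce.AccessRight)"
}

# 2. NTFS ACL on the underlying folder: Modify covers write + delete for overwrite.
$modify  = [System.Security.AccessControl.FileSystemRights]::Modify
$ntfsAce = (Get-Acl -Path $share.Path).Access | Where-Object {
    $_.IdentityReference.Value -eq $CaAccount -and $_.AccessControlType -eq 'Allow'
}
$hasModify = $ntfsAce | Where-Object { ($_.FileSystemRights -band $modify) -eq $modify }
if ($hasModify) {
    "NTFS ACL OK: $CaAccount has Modify on $($share.Path)"
} else {
    Write-Warning "NTFS ACL on $($share.Path) does not grant Modify to $CaAccount"
}

# 3. Remediation for the share layer (uncomment only when the check above warns),
#    then republish from the CA with:  certutil -CRL
# Grant-SmbShareAccess -Name $ShareName -AccountName $CaAccount -AccessRight Change -Force
```

Deny entries, group memberships and inherited ACEs are not resolved here; if both checks pass but publishing still fails, confirm effective access with the Effective Access tab or a test write from the CA host.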