CA Backup and restore

TBMK (Tim Blohm Kühnell) 41 Reputation points
2021-01-21T20:54:02.733+00:00

Hello,

I am considering backup and D/R options for my 2 Win2016 issuing CAs. I understand that if I lose the database and log file location, and the ADCS service cannot start, already enrolled certificates will still work, assuming the AIA/CDP paths are still valid?

1) I must restore back to the last backup to get ADCS to start in order to enroll new certificates?

I assume that the database is in a dirty-shutdown state.

2) Will the normal Jet DB recovery process, appending the required transactions, take place?
3) What is the impact of the data loss - that is, enrolled and revoked certificates and also key archival since the last backup are not known by the CA.

I will of course propose to the customer that the CAs be configured with separate database and log file paths, on separate disks from the system disk.


Accepted answer
  1. Anonymous
    2021-01-22T07:54:48.857+00:00

    Hello,

    Thank you so much for posting here.

    If we lose the CA database and log files, as mentioned, AD CS will not start. So to avoid any problems, it is suggested that we back up the CA database, so that we can later restore from the backup in such situations.

    Yeah, according to the link below, the CA database and log files should not be stored on the system drive.
    https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd379476(v=ws.10)?redirectedfrom=MSDN

    Best regards,
    Hannah Xiong


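As an added example (not part of the thread, and not Microsoft's or the answerer's code), this PowerShell script reports where the CA database and transaction logs live and then takes a database-plus-log backup with the ADCSAdministration cmdlets, which is the backup the accepted answer recommends. It assumes it runs elevated on the issuing CA; `E:\CABackup` is an assumed backup location.

```powershell
# Added example: check DB/log locations and back up the CA database with its logs.
# Assumptions: run elevated on the issuing CA; $backupRoot is a placeholder path
# that should not be on the same disks as the CA database or logs.
Import-Module ADCSAdministration

$backupRoot = 'E:\CABackup'   # assumed backup location
$cfg = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

# 1. Where are the database and log files? These are the same values that
#    "certutil -getreg DBDirectory" and "certutil -getreg DBLogDirectory" read.
$dbDir  = (Get-ItemProperty -Path $cfg -Name DBDirectory).DBDirectory
$logDir = (Get-ItemProperty -Path $cfg -Name DBLogDirectory).DBLogDirectory
$sysDrive = $env:SystemDrive
foreach ($p in @{ Database = $dbDir; Logs = $logDir }.GetEnumerator()) {
    $onSystem = $p.Value.StartsWith($sysDrive, [System.StringComparison]::OrdinalIgnoreCase)
    $verdict  = if ($onSystem) { '<- on the system drive, move it' } else { 'ok (not on system drive)' }
    '{0,-9} {1}  {2}' -f $p.Key, $p.Value, $verdict
}

# 2. Database backup including the transaction logs. -DatabaseOnly skips the CA
#    private key (a key backup needs -Password as well). -KeepLog leaves the
#    logs on the CA instead of truncating them, so the next incremental backup
#    and a Jet recovery after a dirty shutdown still have them available.
$dest = Join-Path $backupRoot (Get-Date -Format 'yyyyMMdd-HHmm')
Backup-CARoleService -Path $dest -DatabaseOnly -KeepLog -Force
Get-ChildItem -Path $dest -Recurse | Select-Object FullName, Length

# 3. Restore outline, only after a loss of the database/log location. The CA
#    service must be stopped first; anything enrolled, revoked or archived after
#    this backup was taken will not be in the restored database.
#    Stop-Service certsvc
#    Restore-CARoleService -Path $dest -DatabaseOnly -Force
#    Start-Service certsvc
```

Backup-CARoleService writes the .edb plus the log files it needs into the target folder, so a backup taken this way is restorable on its own; a copy of the .edb file alone is not, as the second answer notes.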

1 additional answer

  1. Vadims Podāns 9,186 Reputation points MVP
    2021-01-22T06:41:39.337+00:00

    I must restore back to the last backup to get ADCS to start in order to enroll new certificates?

    Yes. The CA won't start without a database.

    Will the normal Jet DB recovery process, appending the required transactions, take place?

    Yes. The CA protects itself from a dirty shutdown by keeping extra log files.

    What is the impact of the data loss - that is, enrolled and revoked certificates and also key archival since the last backup are not known by the CA.

    I would add that CA renewals during that period will be lost.

    I will of course propose to the customer that the CAs be configured with separate database and log file paths, on separate disks from the system disk.

    There is little benefit to splitting the database and log files. The database file is useless without its corresponding log files. It is OK (and recommended) to store the database and logs on another (non-system) drive. But splitting the database and logs across drives is kind of overkill.
