CA Backup and restore

Question

CA Backup and restore

TBMK (Tim Blohm Kühnell) 41

Hello,

I consider backup and D/R-options for my 2 Win2016-issuing CAs. I understand that if I lose a database and log file location, and the ADCS service cannot start, already enrolled certificates will still work assuming AIA/CDP paths are still valid?

1) I must restore back to the last backup to have the ADCS to start in order to enroll new certificates?

I assume, that the database is dirty shutdown.

2) Will the normal Jet DB recovery process appending required transactions take place?
3) What is the impact of the data loss - that is enrolled and revoked certificates and also key archival since last backup are not known by the CA.

I will of course propose the customer to have the CAs configured with separate database and log file paths, on separate disks than the system disk.

Anonymous

2021-01-25T06:04:35.94+00:00

Hello,

We are checking in to see if the provided information was helpful. If the reply is helpful, we would appreciate you to accept it as answer.

Please let us know if you would like further assistance. Thanks.

Best Regards,
Hannah Xiong
Anonymous

2021-01-27T05:34:16.39+00:00

Hello @Anonymous ,

I am checking how the issue is going, if you still have any questions, please feel free to contact us.

Thank you so much for your time and support.

Best regards,
Hannah Xiong

Accepted answer

1 additional answer

Your answer

Anonymous

2021-01-25T06:04:35.94+00:00

Hello,

We are checking in to see if the provided information was helpful. If the reply is helpful, we would appreciate you to accept it as answer.

Please let us know if you would like further assistance. Thanks.

Best Regards,
Hannah Xiong
Anonymous

2021-01-27T05:34:16.39+00:00

Hello @Anonymous ,

I am checking how the issue is going, if you still have any questions, please feel free to contact us.

Thank you so much for your time and support.

Best regards,
Hannah Xiong

Answer 1

Hello,

Thank you so much for posting here.

If we lose the CA database and log files, as mentioned, the AD CS will not start. So to avoid any problems, it is suggested that we should backup the CA database and later we could restore from the backup for some situations.

Yeah, according to the below link, CA database and log files should not be stored on the system drive.
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd379476(v=ws.10)?redirectedfrom=MSDN

Best regards,
Hannah Xiong

============================================

If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Answer 2

I must restore back to the last backup to have the ADCS to start in order to enroll new certificates?

yes. CA won't start without database.

Will the normal Jet DB recovery process appending required transactions take place?

yes. CA protects itself from dirty shutdown by keeping extra log files.

What is the impact of the data loss - that is enrolled and revoked certificates and also key archival since last backup are not known by the CA.

I would add that CA renewals during that period will be lost.

I will of course propose the customer to have the CAs configured with separate database and log file paths, on separate disks than the system disk.

there is a little benefit to split database and log files. Database file is useless without corresponding log files. It is ok (and recommended) to store database and logs on another (non-system) drive. But splitting database and logs by drives is kind of an overkill.

Share via

CA Backup and restore

1 additional answer

Your answer