Doubt regarding restore of Enterprise CA

  • Doubt regarding restore of Enterprise CA

    Hello over there!

    I was wondering which was the official way to restore an enterprise CA in case the Domain Controller crashes.

    Let's assume we have 3 DCs: DC1, DC2 and DC3.
    I have installed EnterpriseRootCA on DC2, and regularly backed it up both with the CA Console and with SystemState.
    DC2 crashes... so, how can I restore it?

    If I try to install a new enterprise CA on DC3 using same keys, there can be a problem because DC3 recognizes the existing CA in the configuration partition.
    So, how can I accomplish a restore? Do I have to manually remove the entire configuration information as reported in the following article "http://support.microsoft.com/kb/889250/en-us" before reinstalling the enterprise CA?

    Thanks so much
    Luke and Max Hit the Road

  • #2
    Re: Doubt regarding restore of Enterprise CA

    You should build your CA with redundancy meaning subordinate CA servers to handle the load and authentication if and when a CA server fails.

    Rebuild DC2 and restore the system state there.

    Jas
    VCDX3 #34, VCDX4, VCDX5, VCAP4-DCA #14, VCAP4-DCD #35, VCAP5-DCD, VCPx4, vEXPERTx4, MCSEx3, MCSAx2, MCP, CCAx2, A+
    boche.net - VMware Virtualization Evangelist
    My advice has no warranties. Follow at your own risk.



    • #3
      Re: Doubt regarding restore of Enterprise CA

      Originally posted by jasonboche
      You should build your CA with redundancy meaning subordinate CA servers to handle the load and authentication if and when a CA server fails.

      Rebuild DC2 and restore the system state there.

      Jas

      My question was slightly different.
      Don't consider redundancy with SubCA.
      My question is: what if, for any reason, I cannot restore DC2 and restore its SystemState and I want to install CA to another server?
      The only possibility is deleting all objects from Configuration Partition and reinstall CA on the new server?
      Luke and Max Hit the Road



      • #4
        Re: Doubt regarding restore of Enterprise CA

        Originally posted by lukeandmax
        My question was slightly different.
        Don't consider redundancy with SubCA.
        My question is: what if, for any reason, I cannot restore DC2 and restore its SystemState and I want to install CA to another server?
        The only possibility is deleting all objects from Configuration Partition and reinstall CA on the new server?

        If you can't restore the server, you are pretty much out of options. The certificates have the DC's name hardcoded in CRLs, the certificate of the issuing CA has the name hardcoded, etc...

        If you can't introduce a server with the same name and same keys/certificates, as far as I see it, you will actually have to rebuild the CA from scratch and clean up the remains of the old CA from config partition and GPOs (if any).
        Guy Teverovsky
        "Smith & Wesson - the original point and click interface"
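
An added example, not part of the thread or of the linked KB article: a read-only PowerShell inventory of the objects an enterprise CA leaves under Public Key Services in the configuration partition, which is what the cleanup mentioned in #4 would have to account for. It assumes the ActiveDirectory RSAT module; `$CaName` is a placeholder, and the container and attribute names are the standard AD CS ones rather than anything stated in the thread.

```powershell
# Added example: read-only inventory, nothing is modified or deleted.
Import-Module ActiveDirectory   # assumption: RSAT ActiveDirectory module is installed

$CaName = '<CA-common-name>'    # placeholder: the CA's common name is not given in the thread
$CaHost = 'DC2'                 # server that hosted the CA in the thread's scenario

$configNC = (Get-ADRootDSE).configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

# DN fragments that identify objects named after the CA or published under its host
$nameRx = [regex]::Escape("CN=$CaName,")
$hostRx = [regex]::Escape("CN=$CaHost,")

# AIA, CDP, Certification Authorities, Enrollment Services and KRA entries for this CA
Get-ADObject -SearchBase $pkiBase -SearchScope Subtree -Filter * `
             -Properties dNSHostName, whenChanged |
    Where-Object {
        $_.DistinguishedName -match $nameRx -or
        $_.DistinguishedName -match $hostRx -or
        $_.dNSHostName -like "$CaHost.*"
    } |
    Sort-Object DistinguishedName |
    Select-Object ObjectClass, dNSHostName, whenChanged, DistinguishedName |
    Format-Table -AutoSize -Wrap

# NTAuthCertificates is a single object shared by all enterprise CAs,
# so list the certificates it holds instead of matching on its name.
$ntAuth = Get-ADObject "CN=NTAuthCertificates,$pkiBase" -Properties cACertificate
foreach ($raw in $ntAuth.cACertificate) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,$raw)
    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
    }
}
```

Comparing this output before and after a restore or rebuild shows whether entries for the old host are still being published to clients.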
