
Certificate Authority Disaster Recovery Planning


confus9d (Technical User), Jul 11, 2007
Hi,

I've installed a Windows 2003 Enterprise CA on a member Exchange server in my Active Directory environment. I am creating a test lab for Exchange disaster recovery planning. I've already created a test machine with my production AD and successfully restored my Exchange server. Does anyone know how to install an Enterprise Root CA so it retrieves all the information from Active Directory?

Thanks
 
I am not sure what it is you are asking about here. Are you wanting to recover the CA or create a new instance? If you are recovering the CA, you would use the Restore CA wizard and load the CA backup that you performed prior to the disaster plan. The CA publishes to AD; it does not pull info from it.

Are you familiar with certutil? You would use certutil -dspublish to push information to AD about the CA. If you want to completely remove a CA, then see the Knowledge Base article on removing the instance from the forest.

In a disaster recovery scenario, AD is aware that the CA is there; the new CA must have the same name, the same logical drive setup and the same key pair. Then use the CA recovery wizard and recover the key pair and certificate DB. The CRL must be published before the expiration of the old one. This will allow the certificates issued by the old CA to remain valid. AD is fairly apathetic to the CA being there until the CRL expires, and then it has fits with the invalid certs. Google certutil for more information. It is a great tool for pushing chain info and publishing.
Let me know if this is not what you were looking for and we can get you going ahead.

Jim
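The point about the CRL is the one that bites in practice: once the old CRL's NextUpdate passes, every certificate the CA issued fails revocation checking until a fresh CRL is reachable. The script below is an added example, not part of Jim's post: it fetches the CRL the CA is currently serving, reads its NextUpdate from the certutil -dump text, and if fewer than a threshold of days remain it has the CA sign a new CRL and pushes it into AD with certutil -dspublish. The CA config string, the threshold, and the assumption that certutil -dump labels the expiry field "NextUpdate:" in the machine's locale date format are all mine, not the thread's.

```powershell
# Added example (not from the original thread). Check how long the CA's current
# CRL remains valid and republish before it lapses.
$CAConfig = 'CA01.corp.example\Corp Enterprise CA'   # assumption: your "server\CA name"
$MinDays  = 2                                         # assumption: republish when fewer days remain
$CrlFile  = Join-Path $env:TEMP 'current.crl'

function Get-CrlNextUpdate {
    param([string]$Path)
    # certutil -dump prints the CRL header as text; the NextUpdate line carries the expiry.
    # Assumption: the label is "NextUpdate:" and the date uses the machine's locale format.
    $hit = certutil -dump $Path |
           Select-String -Pattern 'NextUpdate:\s*(.+)$' |
           Select-Object -First 1
    if (-not $hit) { throw "No NextUpdate field found in $Path" }
    return [datetime]::Parse($hit.Matches[0].Groups[1].Value.Trim())
}

# Pull the CRL the CA is serving right now (not a stale copy from some CDP).
certutil -config $CAConfig -getcrl $CrlFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil -getcrl failed for $CAConfig" }

$nextUpdate = Get-CrlNextUpdate -Path $CrlFile
$remaining  = $nextUpdate - (Get-Date)
Write-Host ("Current CRL valid until {0} ({1:N1} days left)" -f $nextUpdate, $remaining.TotalDays)

if ($remaining.TotalDays -lt $MinDays) {
    # Have the CA sign and publish a new base CRL to its configured CDP locations.
    certutil -config $CAConfig -CRL
    if ($LASTEXITCODE -ne 0) { throw 'certutil -CRL failed' }

    # An Enterprise CA normally writes the CRL to its LDAP CDP itself; in a lab
    # where that publish fails, push it into AD explicitly (the step Jim describes).
    certutil -config $CAConfig -getcrl $CrlFile | Out-Null
    certutil -dspublish -f $CrlFile
    if ($LASTEXITCODE -ne 0) { throw 'certutil -dspublish failed' }

    Write-Host ("New CRL published; valid until {0}" -f (Get-CrlNextUpdate -Path $CrlFile))
}
```

Run it as a member of the CA's Administrators on the CA itself or from a box with certutil and RPC access to it. Scheduling it daily with a threshold comfortably larger than the CRL publishing interval means the CRL never expires unnoticed, which is exactly the failure Jim warns about.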
 
Thanks for the info, Jim. When I'm reinstalling my CA in the test lab (disaster recovery scenario), it asks me if I want to overwrite information that already exists in AD. Now I'm not sure if it'll invalidate all the existing certificates that I've backed up for restoration. To make it clear, all I want is to take a backup of my CA DB from production and restore it in my lab so I don't have to revoke/recreate any certificates.
 
When you are installing Certificate Services, you do not want to overwrite the information in AD. Once you have Certificate Services installed, run the restore wizard and bring in the private key and the DB, overwriting them on the CA. As long as you have given the CA the same NetBIOS name and are using the correct CA backup files, you should be OK. If you are not using a tape backup or other System State backup, you may want to make sure that you have pasted any custom caconfig.inf files before installing Certificate Services. I normally push out a CRL as soon as possible just to ensure that I am working with a fresh file.

For the most part, CAs are very resilient for what they do. As long as everything remains constant, AD will act like it was always there.

Jim Bowen, MCSE, Network+
Carpe fermentum
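The whole procedure Jim lays out across both replies (back up key, database and config on production; install Certificate Services in the lab with the same CA name, host name and drive layout without overwriting the AD objects; overlay the production key and DB; publish a fresh CRL) can be driven from the command line with certutil rather than the wizards. The script below is an added example, not Jim's or the original poster's code. The backup directory, the password protecting the exported key, the CA name check, and the optional sample certificate path are assumptions; the policy file it copies is CAPolicy.inf, the file Certificate Services reads from %windir% at install time.

```powershell
# Added example (not from the original thread). Run Backup-CAForLab on the
# production CA, copy $BackupDir to the lab box, install Certificate Services
# there (same CA name, same host name, same drive letters, answer "no" to
# overwriting existing AD information), then run Restore-CAInLab.
$BackupDir  = 'D:\CABackup'                       # assumption: same drive letter on both machines
$Password   = 'ChangeMe-LabOnly'                  # assumption: protects the exported private key
$SampleCert = Join-Path $BackupDir 'sample-issued.cer'   # assumption: any cert the prod CA issued
$RegKey     = 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

function Get-LocalCAName {
    # certutil -cainfo name prints a "CA name: <name>" line; keep just that line.
    $line = certutil -cainfo name | Select-String -Pattern 'CA name:' | Select-Object -First 1
    if (-not $line) { throw 'Could not read the local CA name' }
    return $line.Line.Trim()
}

function Backup-CAForLab {
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

    # Record the CA name; the lab install must reuse it exactly.
    Get-LocalCAName | Set-Content (Join-Path $BackupDir 'ca-name.txt')

    # Private key + CA certificate (PFX) and the certificate database + logs.
    certutil -p $Password -backup $BackupDir
    if ($LASTEXITCODE -ne 0) { throw 'certutil -backup failed' }

    # Registry configuration: CRL periods, CDP/AIA URLs, database paths.
    $regFile = Join-Path $BackupDir 'CertSvc-Configuration.reg'
    if (Test-Path $regFile) { Remove-Item $regFile }
    reg export $RegKey $regFile

    # Optional policy file; it must be back in %windir% before the lab install.
    $policy = Join-Path $env:windir 'CAPolicy.inf'
    if (Test-Path $policy) { Copy-Item $policy $BackupDir }
}

function Restore-CAInLab {
    # Refuse to proceed unless the fresh install carries the production CA name.
    $expected = (Get-Content (Join-Path $BackupDir 'ca-name.txt') | Select-Object -First 1).Trim()
    $actual   = Get-LocalCAName
    if ($expected -ne $actual) {
        throw "CA name mismatch: backup says '$expected', this install says '$actual'"
    }

    # certutil -restore needs the service stopped; -f overwrites the key/DB the install created.
    net stop certsvc
    certutil -f -p $Password -restore $BackupDir
    if ($LASTEXITCODE -ne 0) { throw 'certutil -restore failed' }

    # Re-import the production configuration so CRL/AIA paths and periods match
    # (safe only because the lab uses the same drive layout, as Jim notes).
    reg import (Join-Path $BackupDir 'CertSvc-Configuration.reg')
    net start certsvc

    # Publish a fresh CRL immediately and push CA cert and CRL into AD explicitly.
    certutil -CRL
    if ($LASTEXITCODE -ne 0) { throw 'certutil -CRL failed' }
    $caCert = Join-Path $env:TEMP 'lab-ca.cer'
    $crl    = Join-Path $env:TEMP 'lab.crl'
    certutil -ca.cert $caCert | Out-Null
    certutil -getcrl $crl      | Out-Null
    certutil -dspublish -f $caCert RootCA
    certutil -dspublish -f $crl

    # Verify: the CA answers, and a production-issued cert still chains and
    # finds a reachable, unexpired CRL (the thing that would otherwise break).
    certutil -ping
    if (Test-Path $SampleCert) { certutil -verify -urlfetch $SampleCert }
}
```

If the name check throws, do not push on: uninstall Certificate Services in the lab and reinstall it with the recorded name, because a restored key and database under a different CA name will not match the CA objects AD already holds. The certutil -verify -urlfetch step at the end is the one to read carefully; a "revocation offline" or expired-CRL result there means the lab is serving exactly the stale CRL Jim warns about.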
 