Backup restore certificate authority windows 2003
Because the location is common to cluster nodes, click Yes to overwrite the existing CA database as you add the CA role service to other nodes. If you specify locations that are different from the locations used on the source CA, then you must also edit the registry settings backup file before the CA is restored. If the locations specified during setup are different from the locations specified in the registry settings, the CA cannot start.
On the Confirmation page, review the messages, and then click Configure. Then repeat the procedures to import the CA certificate and add the CA role service on other cluster nodes. The value for -CertificateID can be either the thumbprint or the serial number of the imported certificate.
The procedures in this section should be completed only after the CA role service has been installed on the destination server. If you are migrating to a failover cluster, add the CA role service to all cluster nodes before restoring the CA database. The CA database should be restored on only one cluster node and must be located on shared storage. This section describes two different procedures for restoring the source CA database backup on the destination server. If you are migrating to a Server Core installation, you must use the procedure "To restore the CA database by using Certutil."
If you are migrating to a failover cluster, ensure that shared storage is online and restore the CA database on only one cluster node. On the Items to Restore page, select Certificate database and certificate database log.
Click Browse. Navigate to the parent folder that holds the Database folder (the folder that contains the CA database files created during the CA database backup).
Include the force flag because an empty CA database will already be present after you perform the steps in Adding the CA role service by using Server Manager. Type certutil. Before importing the registry settings from the source CA to the target CA, create a backup of the default target CA registry configuration by using the procedure Backing up CA registry settings. Some registry parameters should be migrated without changes from the source CA computer, and some should not be migrated. If they are migrated, they should be updated in the target system after migration because some values are associated with the CA itself, whereas others are associated with the domain environment, the physical host, the Windows version, or other factors that may be different in the target system.
A suggested way of performing the registry configuration import is first to open the registry file you exported from the source CA in a text editor and analyze it for settings that may need to be changed or removed. The following table shows the configuration parameters that should be transferred from the source CA to the target CA. If the target CA's computer name is different from the source CA's computer name, search the file for the host name of the source CA computer.
For each instance of the host name found, ensure that it is the appropriate value for the target environment. Change the host name, if necessary. Update the CAServerName value. If the host name is located in the. The CA name must not be changed as part of the migration. Check any registry values that indicate local file paths, such as the following, to ensure drive letter names and paths are correct for the target CA.
If there is a mismatch between the source and the target CA, either update the values in the file or remove them from the file so that the default settings are preserved on the target CA. These storage location settings are selected during CA setup. They exist under the Configuration registry key:
Alternatively, you can update these values after importing them by using the Certification Authority snap-in. The values are located on the CA properties Extensions tab.
Some registry values are associated with the CA, while others are associated with the domain environment, the physical host computer, the Windows version, or even other role services. Consequently, some registry parameters should be migrated without changes from the source CA computer and others should not.
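The review of the exported registry file described above can be scripted. The following is an added example, not part of the original guide or of any Microsoft tool: it parses a `.reg` export and flags values that contain the source host name or a local drive path, and it goes one step beyond a text-editor search by decoding `hex(7)` multi-string values, where the host name is stored as UTF-16 bytes and a plain search would miss it. The key paths, the host name `OLDCA01`, and every value name except `CAServerName` are constructed for illustration.

```python
import re

# Constructed sample export: key paths and value names other than CAServerName
# are hypothetical. Real .reg files are UTF-16: open(path, encoding="utf-16").
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleCA\Configuration]
"ExampleDbPath"="D:\\CertDB"
"ExampleCount"=dword:00000064
[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleCA\Configuration\Example CA]
"CAServerName"="OLDCA01.example.test"
"ExampleUrls"=hex(7):6c,00,64,00,61,00,70,00,3a,00,2f,00,2f,00,6f,00,6c,00,\
  64,00,63,00,61,00,30,00,31,00,00,00,00,00
'''

def parse_reg(text):
    """Yield (key, name, data); string and hex(1/2/7) data are decoded to text."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # join hex continuation lines
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if not m:
            continue
        name, raw = m.groups()
        if raw.startswith('"') and raw.endswith('"'):
            data = re.sub(r"\\(.)", r"\1", raw[1:-1])  # undo \\ and \" escapes
        elif re.match(r"hex\([127]\):", raw):
            blob = bytes.fromhex(raw.split(":", 1)[1].replace(",", ""))
            # UTF-16LE text; NULs separate the strings of a multi-string value
            data = blob.decode("utf-16-le", "replace").replace("\x00", "\n").strip()
        else:
            data = raw  # dword and binary values are left as exported
        yield key, name, data

def review(text, source_host):
    """Return [(name, data, reasons)] for values to check before importing."""
    findings = []
    for _key, name, data in parse_reg(text):
        reasons = []
        if source_host.lower() in data.lower():
            reasons.append("source host name")
        if re.search(r"(?i)\b[a-z]:\\", data):
            reasons.append("local path")
        if reasons:
            findings.append((name, data, reasons))
    return findings
```

Calling `review(SAMPLE_REG, "OLDCA01")` returns the three values to inspect and skips the `dword` entry; each flagged value still has to be judged by hand against the target environment.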
Any value that is not listed in the. Remove any registry values that you do not want to import into the target CA. Once the. By importing the source server registry settings backup into the destination server, the source CA configuration is migrated to the destination server. Click Start, type regedit. Click Hexadecimal.
In Value data, type 64, and then click OK. Verify the locations specified in the following settings are correct for your destination server, and change them as needed to indicate the location of the CA database and log files. Complete steps 6 through 8 only if the name of your destination server is different from the name of your source server. In the console tree of the registry editor, expand Configuration, and click your CA name. Modify the values of the following registry settings by replacing the source server name with the destination server name.
If these two settings are not displayed, you can proceed to the next step. The steps described for importing the source CA registry settings and editing the registry in case of a server name change are intended to retain the network locations that were used by the source CA to publish CRLs and CA certificates.
Because many administrators configure extensions that are customized for their network environment, it is not possible to provide exact instructions for configuring CRL distribution point and authority information access extensions. Carefully review the configured locations and publishing options, and ensure that the extensions are correct according to your organization's requirements.
The following procedure is required only for an enterprise CA. A standalone CA does not have certificate templates. Review the list of templates created during Backing up a CA templates list.
Complete the following procedure in the case of a server name change. Log on as a member of the Enterprise Admins group to a computer on which the Active Directory Sites and Services snap-in is installed. Open Active Directory Sites and Services dssite. In the Allow column, click Full Control, and click Apply. The previous CA computer object is displayed as Account Unknown with a security identifier following it in Group or user names.
You can remove that account. To do so, select it and then click Remove. Click OK. In the details pane, right-click the cRLDistributionPoint item at the top of the list, and then click Properties. If you are migrating to a failover cluster, complete the following procedures after the CA database and registry settings have been migrated to the destination server.
Migration of a CA to a failover cluster running on the Server Core installation option of Windows Server R2 is not described in this guide. If you are migrating to a failover cluster, complete the following procedures to configure failover clustering for AD CS. Click Start, point to Run, type Cluadmin. On the Action menu, click Configure a service or Application. If the Before you begin page appears, click Next. Do not perform this step out of order. If removal of the source CA is performed after installation of the target CA (step 6 in this section), the target CA will become unusable.
Locate the registry file that you saved in step 3, and then double-click it to import the registry settings. If the path that is shown in the registry export from the old CA differs from the new path, you must adjust your registry export accordingly.
Use the Certification Authority snap-in to restore the CA database. Verify the backup settings. The Issued Log and Pending Requests settings should be displayed. You may receive the following error during the restore CA process if the CA backup folder is not in the correct folder structure format: The expected data does not exist in this directory. Please choose a different directory.
In the Certification Authority snap-in, manually add or remove certificate templates to duplicate the Certificate Templates settings that you noted in step 1. Click Next, and then click Issued certificate log and pending certificate request queue.