Backup and Restore of CA
This question is about the backup and restore of a CA. I have backed up my CA from WS2008, however, when I try to restore it to WS2003, I get the message saying the expected data is not in the directory. I'm thinking there may be a compatibility issue between the 2003 and 2008 CAs. Is this true, and if so, is there any way to backup a 2008 CA to a 2003 machine?? Thanks, Andy
March 19th, 2008 6:14pm
I have a couple of questions: Is it an enterprise CA? Also, is the new CA the same name as the old CA?
March 24th, 2008 7:09pm
This is a stand alone root CA, and the name will be the same. We are attempting to establish a CA, however do not want to go live with it unless we are able to restore it in the event of a mishap.
March 24th, 2008 7:23pm
What steps are you doing and at which step is the failure?
March 24th, 2008 7:41pm
When I open up my CA, then I will right click, select Restore CA. When I navigate to the folder where I backed up the original CA, check the two boxes in the dialogue indicating the items to restore, and then press 'Next', there is an error which states "The expected data does not exist in this directory. Please shoose a different directory." This is strange because I can open the folder and see the .p12 file as well as the database folder.
March 24th, 2008 7:52pm
Are you able to restore this to a Windows 2008 CA?
March 24th, 2008 9:07pm
Yes... Backing up to 2008 works with no problems.
March 24th, 2008 9:42pm
Hello Andy, From your description, you want to move the certification authority with private key, CA certificate and database from Windows Server 2008 to Windows Server 2003. The move between two Windows Server 2003 is available. However please note: 1. Two computer must have a same name. This means the old server should be renamed or permanently disconnect it from the network. 2. Export the 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' from the old server and import it to new server for it contains location information of CA database and log files. However, for this issue, the CA migration is not applicable because we cannot move the CA related data from a Windows Server 2008 system to another Windows Server 2003 system. I have confirmed this by performing the following test: 1. Rename the Windows Server 2003 to the name of Windows Server 2008 and disconnect Windows Server 2008 from the network. 2. Create a new standalone CA and import P12 file in the backup folder with the opinion 'Use custom settings to generate the key pair and CA certificate' 3. Import the 'LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' key from the Windows Server 2008 server. 4. Restore the 'Private key and CA certificate' and ' Certificate database and certificate database log' and then try to start the service. 5. Finally, I get a error message 'The version of the log file in not compatible with the version of the Windows NT Directory Service datebase (NTDS). 0xc8000202 (ESE: -514)'. This should be the expected result because the CA database in Windows Server 2008 and Windows Server 2003 is different and the move of CA is not available. By the way, just for your reference, to move CA between different servers (that have the same OS version and FQDN), we can refer to the following KB article: Move a certification authority to another server (Windows Server 2003, Windows Server 2000) http://support.microsoft.com/kb/298138 Hope it helps.
March 25th, 2008 2:02pm
Miles, I saw that 2000/2003 moving article. Can you guys (Microsoft) publish something like that for the 2003/2008 scenario? I am sure that this is not going to be the last time someone sees this problem Thanks,
March 25th, 2008 4:11pm