Disaster recovery of CA 2008 R2 Server
How to perform Disaster recovery of CA 2008 R2 Server?
October 13th, 2011 1:51pm
You need to back up the following components:
CA certificates & keys using the certutil -backupkey command (if keys are stored in an HSM, use vendor-specific instructions)
CA settings found in HKLM\System\CurrentControlSet\Services\CertSvc\ or using the configuration scripts and documentation used during installation and customization
CA database using certutil -backupdb
All other file dependencies and settings involved in the ADCS setup, like capolicy.inf if used
A list of the templates published on the specific CA using certutil -catemplates
The certificate templates are stored in Active Directory and should be saved/backed up as part of AD
To restore:
Restore the CA certificate and key
Restore the dependencies, capolicy.inf, external web sites etc.
Restore the ADCS service using the existing certificate and private key
Restore all settings
Restore the database
Restore the certificate template list
/Hasain
October 13th, 2011 2:22pm
I managed to collect the following commands from your reply:
certutil -backup -p Password c:\backup
reg export HKLM\System\CurrentControlSet\Services\CertSvc\Configuration c:\backup\regkey.reg
certutil -getreg CA\CSP > C:\Backup\CSP.txt
certutil -catemplates > C:\Backup\CATemplates.txt
Does this recovery method require the same machine configuration in case my current CA server goes down?
Kindly suggest.
October 13th, 2011 4:43pm
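One way to run the backup steps listed in this thread as a single script, added here as an example (it is not Hasain's code or a Microsoft tool); the $BackupRoot path, the timestamped folder layout, the manifest file and the capolicy.inf location under %SystemRoot% are assumptions:

```powershell
# Added example: one-pass backup of an ADCS CA using the certutil/reg commands
# from the thread above. Run elevated on the CA while the CertSvc service is running.
param(
    [string]$BackupRoot = 'C:\CABackup',                 # assumption: local backup root
    [Parameter(Mandatory)][string]$PfxPassword           # protects the exported CA key (PFX)
)
$ErrorActionPreference = 'Stop'
# certutil -backup needs an empty target folder, so use a fresh timestamped one.
$dest = Join-Path $BackupRoot (Get-Date -Format 'yyyyMMdd-HHmmss')
New-Item -ItemType Directory -Path $dest | Out-Null

function Invoke-Step([string]$Name, [scriptblock]$Cmd) {
    Write-Host "== $Name"
    & $Cmd
    if ($LASTEXITCODE -ne 0) { throw "$Name failed with exit code $LASTEXITCODE" }
}

# 1. CA certificate + private key (PFX) and the CA database in one call.
#    With HSM-held keys the key itself must be backed up with the vendor's tooling.
Invoke-Step 'CA key and database' { certutil -backup -p $PfxPassword $dest }

# 2. CA settings from the registry (/y overwrites without prompting).
Invoke-Step 'CertSvc registry' {
    reg export 'HKLM\System\CurrentControlSet\Services\CertSvc\Configuration' (Join-Path $dest 'CertSvc-Configuration.reg') /y
}

# 3. CSP/KSP settings and the published template list, kept as text for the restore side.
Invoke-Step 'CSP settings'  { certutil -getreg CA\CSP | Out-File (Join-Path $dest 'CSP.txt') }
Invoke-Step 'Template list' { certutil -catemplates | Out-File (Join-Path $dest 'CATemplates.txt') }

# 4. Dependencies: capolicy.inf lives in %SystemRoot% if it was used during setup.
$capolicy = Join-Path $env:SystemRoot 'capolicy.inf'
if (Test-Path $capolicy) { Copy-Item $capolicy $dest }

# 5. Manifest with SHA-256 hashes so a restore can verify the set is complete and intact.
Get-ChildItem -Recurse -File $dest | Get-FileHash -Algorithm SHA256 |
    Export-Csv (Join-Path $dest 'manifest.csv') -NoTypeInformation
Write-Host "Backup written to $dest"
```

The PFX password is what stands between an attacker and the CA private key, so store it separately from the backup folder and treat the folder itself as sensitive as the CA.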
To restore you need a machine with the same OS version, server name and domain membership.
/Hasain
October 13th, 2011 4:56pm
Thanks for the info. Also, when I was going through this link:
http://blogs.technet.com/b/pki/archive/2010/04/20/disaster-recovery-procedures-for-the-active-directory-certificate-services-adcs.aspx
There are some points about extending the CRL file lifetime and decommissioning the CA server. Can you explain what they mean and whether it is necessary to do these things?
October 18th, 2011 5:47am
The steps described are necessary only if the time needed to restore the CA service is longer than the remaining lifetime of the current CRL.
/Hasain
October 18th, 2011 9:14am
Hi er.loyaamit,
This article might be helpful for you:
Designing and Implementing a PKI: Part V Disaster Recovery
http://blogs.technet.com/b/askds/archive/2011/04/07/designing-and-implementing-a-pki-part-v-disaster-recovery.aspx
Regards,
Bruce
October 20th, 2011 5:33am