I am reviewing the backup and recovery strategy for a CA hierarchy I am designing. I have a two-tier hierarchy with a 2008 R2 offline root CA and enterprise policy/issuing CA. Both servers are virtualized. I am considering whether to backup the issuing server VM on a daily or weekly basis along with backing up the CA database centrally. Any considerations when using virtualization for recovery ? if for example we had a good backup of the issuing VM from Monday and the CA failed on Tuesday, would restoring the VM from Monday be enough ? or is this not a good substitue for CA database and key backups which is what we have typically used in the past ? looking to simplify and speed the recovery process. I am aware of potential orphaned certificates which have been issued between the time of the last good backup (whether this is the VM or CA db) and failure of the CA which raises another question. Is there anyway to identify those certificates which have been issued to computers or users (orphaned between backup and failure) so they can be imported into the CA database once CA restored ? thanks.

You will probably have shorter recovery time using a VM backup instead of re installing the system an restoring the ADCS setup. There is no easy way to identify issued certificates not part of your VM/database backup unless you have forwarded or collected the event logs about issued certificates outside your ADCS server. Once you have the missing certificate you can use certutil.exe -importcert to import it to you database. What about using the VM backup together with scheduling a database backup once an hour or so (do not forget to copy the files to another server) to minimize the number of "lost" certificates? /Hasain