Re: DCOM error with NTBACKUP and Certificate Services

anonymous_at_discussions.microsoft.com
Date: 12/30/03


Date: Tue, 30 Dec 2003 08:24:31 -0800

Hi Brian

thanks for the comments and links - I'll alter my
configuration to allow for an online enterprise root CA -
however I've spent most of the day looking for details on
how to configure root so it only issues to subordinate -
as far as I can see I need to change the security settings
on either the Certification Authority (just give
Authenticated Users Read access) or on individual
certificate templates (in Sites and Services), but I've
not found any clear documentation on how best to do this.

again, thanks

regards
paul
>-----Original Message-----
>Some answers inline...
>
<snip>
>
>To be an offline CA, the CA should be a standalone root CA, not an
>enterprise CA. Enterprise CAs require connectivity to Active Directory.
>For details on best practices for a CA hierarchy, see Best Practices:
>http://www.microsoft.com/technet/prodtechnol/windowsserver2003/maintain/operate/ws3pkibp.asp
>
>Also, the conversion of an enterprise root CA to a standalone root CA is
>discussed in the Operations whitepaper.
>
>http://www.microsoft.com/technet/prodtechnol/windowsserver2003/maintain/operate/ws03pkog.asp
>
>>
>> When I run NTBACKUP to do System State, the following
>> error appears in the System log:
>>
<snip>
>
>This is expected. To back up the CA, Certificate Services must be
>running. You are receiving the error because you have manually disabled
>Certificate Services.
>
>
<snip>
>
>> so...
>> have I missed something in the configuration of
>> CertSvc/DCOM or NTBACKUP, or is this a problem with
>> NTBACKUP that means I must have CertSvc running during
>> each System State backup?
>
>You got it! CertSvc must be running when performing the System State
>backup so that the backup includes the CA database.
>
>Brian
>.
>
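
A wrapper for the situation discussed in this thread, added here as an example and not written by either poster: it makes sure CertSvc is running for the System State backup, then returns the service to the state it was found in (for instance, disabled). The backup path and job name are placeholders, and it assumes PowerShell is installed on the CA server.

```powershell
# Added example, not from the thread. Backup path and job name are placeholders.
$ErrorActionPreference = 'Stop'
$BackupFile = 'D:\Backup\SystemState.bkf'
$JobName    = 'SystemState-with-CA'

# Record how CertSvc was found. Win32_Service reports StartMode as
# Auto, Manual or Disabled, and State as Running, Stopped and so on.
$svc = Get-WmiObject Win32_Service -Filter "Name='CertSvc'"
if (-not $svc) { throw 'Certificate Services (CertSvc) is not installed here.' }
$wasDisabled = ($svc.StartMode -eq 'Disabled')
$wasRunning  = ($svc.State -eq 'Running')
$started     = Get-Date

try {
    # A disabled service cannot be started, so relax it to Manual first.
    if ($wasDisabled) { Set-Service -Name CertSvc -StartupType Manual }
    if (-not $wasRunning) { Start-Service -Name CertSvc }

    # ntbackup is a GUI program, so wait for it explicitly.
    $ntArgs = 'backup systemstate /J "{0}" /F "{1}"' -f $JobName, $BackupFile
    Start-Process -FilePath ntbackup.exe -ArgumentList $ntArgs -Wait

    # Do not trust silence: confirm the .bkf was written during this run.
    $bkf = Get-Item -Path $BackupFile -ErrorAction SilentlyContinue
    if (-not $bkf -or $bkf.LastWriteTime -lt $started) {
        throw "No fresh backup at $BackupFile; check the NTBACKUP log and System event log."
    }
    Write-Output "System State backup written: $($bkf.FullName) ($($bkf.Length) bytes)"
}
finally {
    # Return the CA to the state it was in, even if the backup failed.
    if (-not $wasRunning) { Stop-Service -Name CertSvc }
    if ($wasDisabled)     { Set-Service -Name CertSvc -StartupType Disabled }
}
```

The fresh-file check only shows that NTBACKUP wrote output during this run; the System log is still where a DCOM error like the one reported above would appear.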


