Re: Windows 2003 Enterprise CA & Restored State

From: Vishal Agarwal[MSFT] (vishala_at_online.microsoft.com)
Date: 06/10/04

Date: Thu, 10 Jun 2004 10:16:03 -0700

After a power failure, the CA should be able to perform recovery using the
existing database log files and recover the state back to the last completed
database transaction. This procedure should roll back only incomplete
transactions, and not lose any issued certs.

A fallback strategy would be to restore the database, etc. from backup, but
to also add in any log files saved from the log directory prior to the
restore operation. When the CA is restarted it should include the
transactions from the additional log files, and again capture all of the
completed transactions.

A third strategy would seem to be the one you have taken, which is to
restore from backup and thereby lose all of the certs issued since the
backup was performed.

To re-add the missing certs, you will need to collect the certs into files,
and add each one via the following command:

certutil -importcert cert1.cer

If you can't easily obtain the missing certs, you will at least need to
obtain the serial numbers. It may be possible to use the Windows 2003
certutil -sign command to create a dummy certificate with a specified serial
number, signed by a selected CA cert (via certutil U/I), so that it can be
imported into the CA's database:

certutil -sign SerialNumber outfile.cer

Thanks,
Vishal Agarwal [MSFT]

-- 
This posting is provided "AS IS" with no warranties, and confers no rights
"Chris Hayes" <chayes@3rdevolution.com> wrote in message
news:ux3Tt7WTEHA.3988@tk2msftngp13.phx.gbl...
> Looking for any guidance regarding an enterprise CA that experienced a power
> failure and was restored to a saved state. Any certificates issued after the
> restored date are not reflected in the Certificate Authority management
> console, yet they can still be used (smartcards, SSL, etc.) and come up as
> valid when checked with the Certificates MMC snap-in.
>
> The Enterprise CA itself (subordinate to an offline root) is Windows 2003
> Enterprise Edition running as a virtual machine session on a server running
> Virtual Server 2004. This is running in a non-production capacity, but I would
> like to resolve it without rebuilding the CA.
>
> Thanks.

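The "collect the certs into files and add each one" step above, as an added worked example that is not part of the original post or of Microsoft's documentation: a PowerShell loop that re-imports a directory of collected .cer files into the CA database and skips any whose serial number is already present. It assumes certutil.exe is on the PATH, that it runs on the CA itself (or with an optional "CAHost\CAName" passed as -Config), and that the collected certificates sit in a hypothetical folder .\missing-certs. The presence check relies on `certutil -view -restrict "SerialNumber=..."` printing one "Row N:" block per matching request, and assumes the serial-number comparison is case-insensitive (the script lower-cases it to match certutil's own display format).

```powershell
# Added example (not from the original post): re-import certificates issued after
# the restored backup into a Windows 2003 CA database, skipping ones already there.
# Assumptions: certutil.exe on PATH; run on the CA or pass -Config "CAHost\CAName";
# the .cer files collected from clients/smartcards are in $CertDir (hypothetical path).

param(
    [string]$CertDir = ".\missing-certs",   # hypothetical folder of collected .cer files
    [string]$Config  = ""                   # optional "CAHost\CAName" for a remote CA
)

$configArgs = @()
if ($Config) { $configArgs = @("-config", $Config) }

function Test-CaHasSerial {
    param([string]$Serial)
    # certutil -view with a SerialNumber restriction prints a "Row N:" block per match;
    # no rows means the certificate is not in the CA database.
    $out = & certutil @configArgs -view -restrict "SerialNumber=$Serial" -out "RequestID,SerialNumber" 2>&1
    return [bool]($out | Select-String -Pattern '^\s*Row \d+:' -Quiet)
}

$imported = 0
$skipped  = 0
$failed   = @()

foreach ($file in Get-ChildItem -Path $CertDir -Filter *.cer) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $file.FullName
    # certutil displays serial numbers as lower-case hex; normalise before comparing
    # (assumed case-insensitive match on the CA side).
    $serial = $cert.SerialNumber.ToLower()

    if (Test-CaHasSerial -Serial $serial) {
        Write-Host "skip   $($file.Name) serial $serial already in database"
        $skipped++
        continue
    }

    # The command the post gives for re-adding a certificate to the CA database.
    & certutil @configArgs -importcert $file.FullName | Out-Null

    # Trust the database, not just the exit code: re-query for the serial after import.
    if ($LASTEXITCODE -eq 0 -and (Test-CaHasSerial -Serial $serial)) {
        Write-Host "import $($file.Name) serial $serial"
        $imported++
    } else {
        Write-Warning "failed $($file.Name) serial $serial (certutil exit $LASTEXITCODE)"
        $failed += $file.Name
    }
}

Write-Host "imported=$imported skipped=$skipped failed=$($failed.Count)"
if ($failed) { $failed | ForEach-Object { Write-Host "  $_" } }
```

Run it once with a handful of files first and compare the "imported" count against `certutil -view` afterwards; certutil only accepts certificates actually signed by this CA's key, so anything issued by a different CA (or a re-keyed one) ends up in the failed list rather than silently polluting the database. Certificates you cannot collect still need their serial numbers, for the `certutil -sign` workaround the post describes, so the issued-certificate list in any surviving logs or the client-side Certificates snap-in is the place to look next.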