You are employed as a network administrator at contoso.com.
Contoso.com has an Active Directory domain named contoso.com.
All servers on the contoso.com network have Windows Server 2012 R2 installed.
A contoso.com server, named Server1, hosts the Active Directory Certificate Services Server role and utilizes a hardware security module (HSM) to safeguard its
You have been instructed to back up the Active Directory Certificate Services (ADCS) database, log files, and private key regularly.
You should not use a utility supplied by the hardware security module (HSM) creator.
Which of the following actions should you take?
A. You should consider scheduling an incremental backup.
B. You should consider making use of the certutil.exe command.
C. You should consider scheduling a differential backup.
D. You should consider scheduling a copy backup.
A. ADCS needs to be backed up using certutil.
B. -Backup, -backupdb, -backupKey:
You can use Certutil.exe to dump and display certification authority (CA) configuration information, configure Certificate Services, back up and restore CA components, and verify certificates, key pairs, and certificate chains.
C. ADCS needs to be backed up using certutil.
D. ADCS needs to be backed up using certutil.
Disaster Recovery Procedures:
There are two methods to back up and restore the Certification Authority. The methods are:
1. System State Backup
2. Certutil command line in combination with a registry export
Update: It just came to my attention that System State Backup in Windows 2008 and 2008 R2 will not back up the private key of the CA. The private key will be stored in a hidden folder structure, “%systemdrive%\ProgramData\Microsoft\Crypto\Keys”, which will be linked and accessible via “%systemdrive%\users\all users\microsoft\crypto\keys”.
“%systemdrive%\ProgramData\Microsoft\Crypto\Keys” is not included in System State backup as it’s not in the system writer's metadata, and so will be empty when doing a System State restore.
If you prefer to have System State Backup, then you should consider applying the following hotfix: http://support.microsoft.com/kb/2603469 on your CAs running Windows Server 2008 or 2008 R2 to back up the private key.
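The second method listed above (certutil plus a registry export) can be scripted for a scheduled task as follows. This is an added example, not part of the original page; the backup path `D:\CABackup`, the parameter names and the `Invoke-Step` helper are assumptions, and the script must run elevated on the CA server.

```powershell
# Added example: CA backup with certutil.exe and a registry export.
# Assumptions: elevated session on the CA; D:\CABackup is a hypothetical path.
param(
    [string]$BackupRoot = 'D:\CABackup',
    [Parameter(Mandatory)][securestring]$KeyPassword
)
$ErrorActionPreference = 'Stop'
# Fresh, timestamped folder so every run is a separate, complete backup set.
$target = Join-Path $BackupRoot (Get-Date -Format 'yyyyMMdd-HHmmss')
New-Item -ItemType Directory -Path $target | Out-Null

# Hypothetical helper: run a native command and stop on a non-zero exit code.
function Invoke-Step([string]$Name, [scriptblock]$Action) {
    & $Action | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "$Name failed with exit code $LASTEXITCODE" }
}

# 1. CA database and log files (certutil writes them to $target\DataBase).
Invoke-Step 'Database backup' { certutil.exe -backupDB $target }

# 2. CA certificate and private key as a password-protected .p12 file.
#    A non-zero exit code here means the key was NOT exported, for example
#    when the key storage provider does not permit export.
#    Caveat: -p puts the password on the process command line while it runs.
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($KeyPassword)
try {
    $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    Invoke-Step 'Key backup' { certutil.exe -p $plain -backupKey $target }
} finally {
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    Remove-Variable plain -ErrorAction SilentlyContinue
}

# 3. CA configuration, which certutil -backupDB / -backupKey do not capture.
$regFile = Join-Path $target 'CertSvc-Configuration.reg'
Invoke-Step 'Registry export' {
    reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' $regFile /y
}

# 4. Verify that all three artifacts exist before reporting success.
$edb = Get-ChildItem (Join-Path $target 'DataBase') -Filter *.edb -ErrorAction SilentlyContinue
$p12 = Get-ChildItem $target -Filter *.p12 -ErrorAction SilentlyContinue
if (-not $edb) { throw 'No .edb database file found in the backup set' }
if (-not $p12) { throw 'No .p12 key file found in the backup set' }
if (-not (Test-Path $regFile)) { throw 'Registry export is missing' }
Write-Output "CA backup complete: $target"
```

The resulting folder contains the CA private key, so it should be stored with the same access restrictions as the CA itself.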