CA Backup and Restore Windows PowerShell cmdlets

  • Artigo

 

Applies To: Windows Server 2012 R2

Author: Justin Turner, Senior Support Escalation Engineer with the Windows group

Note

This content is written by a Microsoft customer support engineer, and is intended for experienced administrators and systems architects who are looking for deeper technical explanations of features and solutions in Windows Server 2012 R2 than topics on TechNet usually provide. However, it has not undergone the same editing passes, so some of the language may seem less polished than what is typically found on TechNet.

Overview

The ADCSAdministration Windows PowerShell module was introduced in Window Server 2012. Two new cmdlets were added to this module in Window Server 2012 R2 to support the Backup and Restore of a CA.

  • Backup-CARoleService

  • Restore-CARoleService

Backup-CARoleService

Table SEQ Table \* ARABIC 17: Backup and Restore Windows PowerShell Cmdlets

ADCSAdministration Cmdlet: Backup-CARoleService

Arguments - Bold arguments are required

Description

-Path

  • String - location to save the backup

  • This is the only unnamed parameter

  • positional parameter

Example:

Backup-CARoleService.-Path c:\adcsbackup1

Backup-CARoleService c:\adcsbackup2

-KeyOnly

  • Backup the CA certificate without the database

Example:

Backup-CARoleService c:\adcsbackup3 -KeyOnly

-Password

  • Specifies the password to protect CA certificates and private keys

  • Must be a secure string

  • Not valid with the -DatabaseOnly parameter

Example:

Backup-CARoleService c:\adcsbackup4 -Password (Read-Host -prompt "Password:" -AsSecureString)

Backup-CARoleService c:\adcsbackup5 -Password (ConvertTo-SecureString "Pa55w0rd!" -AsPlainText -Force)

-DatabaseOnly

  • Backup the database without the CA certificate

Backup-CARoleService c:\adcsbackup6 -DatabaseOnly

-Force

  1. Allows you to overwrite the backup that preexists in the location specified in the -Path parameter

Backup-CARoleService c:\adcsbackup1 -Force

-Incremental

  • Perform an incremental backup

Backup-CARoleService c:\adcsbackup7 -Incremental

-KeepLog

  1. Instructs the command to keep log files. If the switch is not specified, log files are truncated by default except in the Incremental scenario

Backup-CARoleService c:\adcsbackup7 -KeepLog

-Password <Secure String>

If the -Password parameter is used, the supplied password must be a secure string. Use the Read-Host cmdlet to launch an interactive prompt for secure password entry, or use the ConvertTo-SecureString cmdlet to specify the password in-line.

Review the following examples

Specifying a secure string for the Password parameter using Read-Host

Backup-CARoleService c:\adcsbackup4 -Password (Read-Host -prompt "Password:" -AsSecureString)

Specifying a secure string for the Password parameter using ConvertTo-SecureString

Backup-CARoleService c:\adcsbackup5 -Password (ConvertTo-SecureString "Pa55w0rd!" -AsPlainText -Force)

Restore-CARoleService

DCSAdministration Cmdlet: Restore-CARoleService

Arguments - Bold arguments are required

Description

-Path

  • String - location to restore backup from

  • This is the only unnamed parameter

  • positional parameter

Example:

Restore-CARoleService.-Path c:\adcsbackup1 -Force

Restore-CARoleService c:\adcsbackup2 -Force

-KeyOnly

  • Restore the CA certificate without the database

  • Must be specified if the backup was taken with the -KeyOnly option

Example:

Restore-CARoleService c:\adcsbackup3 -KeyOnly -Force

-Password

  • Specifies the password of the CA certificates and private keys

  • Must be a secure string

Example:

Restore-CARoleService c:\adcsbackup4 -Password (read-host -prompt "Password:" -AsSecureString) -Force

Restore-CARoleService c:\adcsbackup5 -Password (ConvertTo-SecureString "Pa55w0rd!" -AsPlainText -Force) -Force

-DatabaseOnly

  • Restore the database without the CA certificate

Restore-CARoleService c:\adcsbackup6 -DatabaseOnly

-Force

  • Allows you to overwrite the preexisting keys

  • Is an optional parameter but when restoring in-place, it is likely required

Restore-CARoleService c:\adcsbackup1 -Force

Issues

A non-password protected backup is taken if the ConvertTo-SecureString function fails while using the Backup-CARoleService with the -Password parameter.

Table SEQ Table \* ARABIC 18: Common Errors

Action

Error

Comment

Restore-CARoleService C:\ADCSBackup

Restore-CARoleService : The process cannot access the file because it is being used by another process. (Exception from HRESULT:

0x80070020)

Stop the Active Directory Certificate Services service prior to running the Restore-CARoleService cmdlet

Restore-CARoleService C:\ADCSBackup

Restore-CARoleService : The directory is not empty. (Exception from HRESULT: 0x80070091)

Use the -Force parameter to overwrite preexisting keys

Backup-CARoleService C:\ADCSBackup -Password (Read-Host -Prompt "Password:" -AsSecureString) -DatabaseOnly

Backup-CARoleService : Parameter set cannot be resolved using the specified named parameters.

The -Password parameter is only used to password protect private keys and is therefore invalid when you are not backing them up

Restore-CARoleService C:\ADCSBack15 -Password (Read-Host -Prompt "Password:" -AsSecureString) -DatabaseOnly

Restore-CARoleService : Parameter set cannot be resolved using the specified named parameters.

The -Password parameter is only used to password protect private keys and is therefore invalid when you are not restoring them

Restore-CARoleService C:\ADCSBack14 -Password (Read-Host -Prompt "Password:" -AsSecureString)

Restore-CARoleService : The system cannot find the file specified. (Exception from HRESULT: 0x80070002)

The path specified does not contain a valid database backup. Perhaps the path is invalid or the backup was taken with the -KeysOnly option?

Additional Resources

Active Directory Certificate Services Migration Guide

Backing up a CA database and private key

Restoring the CA database and configuration on the destination server

Try This: Backup the CA in your lab using Windows PowerShell

  1. Use the commands in this lesson to backup the CA database and private key secured with a password.

  2. Hold off on the restore of the CA at this time.