<img height="1" width="1" src="https://www.facebook.com/tr?id=1529264867168163&amp;ev=PageView &amp;noscript=1">

Active Directory Monitoring: Backup and recovery Part 3 - Backup and Recovery Options for AD CS

[Applies to Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Active Directory, AD Monitoring]

In the previous article we looked at the operations and processes regarding backup and recovery of AD DS information, namely the AD DS database and its objects. In this article we will be looking at the backup options for some of Active Directory’s other modules such as Active Directory Certificate Services (AD CS). Your Active Directory monitoring solution should be tracking events for AD CS to ensure the information is backing up successfully.

Backup Options for AD CS

Secure Socket Layer/Transport Layer SecurityYour Microsoft organization’s public key infrastructure (PKI) will most likely be based off of AD CS. Your PKI is responsible for maintaining your certificate infrastructure which is used for securing your software systems. Digital certificates will provide confidentiality through encryption, infrastructure integrity via digital signatures, and authentication using certificate keys with clients, users, or device accounts through AD on your network. AD CS enhances your security through the binding of the identity of a person service, or device to a private key and is a critical component of your Active Directory Monitoring. AD CS is a secure, cost-effective, and efficient way to distribute certificates through your infrastructure. Certificates can be used by many systems in your organization including but not limited to:

- Smart card logon
- Internet protocol security
- Encrypting file system
- Virtual private networks
- Secured wireless networks

What do you need to back up on your certificate server? Well let’s look at it in the simplest terms and go from there. You will need to back up the entire Certificate Authority (CA) database, the certificate, and the private key that the CA is currently using, the AD database, and most administrators will recommend a full system backup using the tool of your choice. Let’s look at these options individually.

Backing Up the AD CS Database (CA Database)

The database file name will be the CA name followed by the extension “.edb”.The CA database structure uses the Microsoft Jet Database for all transaction level processing, storage, and rollback protection. What files are associated with the CA?

- A log index file “edb.log”
- A series of sequentially named (hexadecimal) log files

The log file syntax starts at edb00001.log and extends to edbfffff.log. Each log file is 1MB in size. When all the space is consumed, the next log file is created. This will give you around 1TB of log space. Now, what about when you use up all your space? The good news is that as long as you are running backups the files will be truncated (cleaned). Files are truncated when either one of two conditions occur:

1. A backup is performed on the CA using either the GUI, VSS, or the command line using Certutil -backupDB.



2. Whenever the CA service is stopped and started again. This releases any file hooks the CA will have had to release since the last time the service was started.
If you are running the CA as a VM in your organization, you should be aware of a possible issue. If you are using a third-party backup solution (something besides the options from condition 1 above), it is possible that the backup is not triggering any database cleaning functions. This can also happen if you are running SAN level snapshots since the OS and any applications running on the VM are not aware that backup is being run. In either case you will want to check the CA database log files after running a backup with your solution. The default location for the CA database files is “C:\Windows\System32\Certlog”. 

The CA Certificate and the Private Key

Having a quick copy of the certificate from the CA is never a bad thing as long as it is up to date and stored in a secure location with limited access. You can run the Certutil -backupKey command on the CA to ensure you have a copy of the certificate and private key that the CA is currently using to a PFX file. You will be able to specify the folder location of your choosing.


Perform a Full System Backup

It always recommended to perform full system backups wither using the Windows Backup tool or using a backup solution of your choosing. Be sure to include all critical volumes and the System State. The critical volumes should include any and all folders that were included in the Certutil commands.


Perform a backup of the Active Directory Database 

This can be achieved by running the full back up as described above. Just make sure you include the critical volumes that has the NTDS.dit database instance as well as the system state. You really should not rely on replication if you are recovering from a major accident or outage. Any changes may have replicated from the bad database to other AD DS instances in your environment.

How to Tell if Backups Completed Successfully

One of the easiest ways to see if your backup and log truncation completed successfully is to check the Event Viewer. More Specifically, the Windows Application logs. After running the Certutil -backupDB command, you will want to look for event 213 with the source “ESENT”. Event 210 is when the backup started. Your Active Directory Monitoring solution should be looking for these events and, if you choose, to monitor for the events ranging from ESENT 210 – 225. If you are using ShadowCopy you will want to monitor for ESENT events 2001-2006.



You should consider running a local script to perform a scheduled backup of your Certificate Authority. You can use whatever language you like for your script, but it needs to be able to back up the following:

- AD CS Certificate Authority database
- CA certificates, previously renewed CA certificates
- CA Configuration data stored in the registry
- Thales nCipher HSM configuration and key files
- Published templates on the CA

You may want to check the PowerShell Gallery from Microsoft for scripts created by Microsoft MVPs. *Always test scripts in a non-production environment. Never test in production environments.*

To learn about how to back up your Active Directory Rights Management Services (AD RMS) solution, please continue to the next article: Active Directory Best Practices – Backup and Recovery Part 4 - Backup and Recovery Options for AD RMS.

Active Directory Monitoring with ENow

Active Directory as the foundation of your network, and the structure that controls access to some of the most critical resources in your organization. ENow uncovers cracks in your Active Directory that can cause a security breach or poor end user experience. In particular, ENow enables you to:

- Report on highly privileged groups (domain admins)
- AD replication errors
- Identify Expensive LDAP queries
- DNS and name resolution problems
- Troubleshoot poor Exchange performance caused by Active Directory

Don’t take our word for it. Start your free trial today!

Learn more