Active Directory Monitoring: Backup and Recovery - Options for AD CS

Jonathan Summers

In the previous article we looked at the operations and processes regarding backup and recovery of AD DS information, namely the AD DS database and its objects. In this article we will be looking at the backup options for some of Active Directory’s other modules such as Active Directory Certificate Services (AD CS). Your Active Directory monitoring solution should be tracking events for AD CS to ensure the information is backing up successfully.

Backup Options for AD CS

Secure Socket Layer/Transport Layer Security

Your Microsoft organization’s public key infrastructure (PKI) will most likely be based on AD CS. Your PKI is responsible for maintaining the certificate infrastructure that secures your software systems. Digital certificates provide confidentiality through encryption, infrastructure integrity through digital signatures, and authentication of clients, users, or device accounts through AD on your network using certificate keys. AD CS enhances your security by binding the identity of a person, service, or device to a private key, and it is a critical component of your Active Directory monitoring. AD CS is a secure, cost-effective, and efficient way to distribute certificates throughout your infrastructure. Certificates can be used by many systems in your organization, including but not limited to:

  • Smart card logon
  • Internet protocol security
  • Encrypting file system
  • Virtual private networks
  • Secured wireless networks

What do you need to back up on your certificate server? Let’s look at it in the simplest terms and go from there. You will need to back up the entire Certificate Authority (CA) database, the certificate and private key that the CA is currently using, and the AD database; most administrators will also recommend a full system backup using the tool of your choice. Let’s look at these options individually.

Backing Up the AD CS Database (CA Database)

The database file name will be the CA name followed by the extension “.edb”. The CA database structure uses the Microsoft Jet Database for all transaction level processing, storage, and rollback protection. What files are associated with the CA?

  • A log index file “edb.log”
  • A series of sequentially named (hexadecimal) log files

The log file naming starts at edb00001.log and extends to edbfffff.log. Each log file is 1MB in size; when a file is full, the next log file is created. This gives you around 1TB of log space. Now, what about when you use up all your space? The good news is that as long as you are running backups, the files will be truncated (cleaned). Files are truncated when either of two conditions occurs:

1. A backup is performed on the CA using either the GUI, VSS, or the command line using Certutil -backupDB.


2. Whenever the CA service is stopped and started again. Restarting the service releases the file handles the CA has held on the log files since it was last started, which allows them to be truncated.
If you are running the CA as a VM in your organization, you should be aware of a possible issue. If you are using a third-party backup solution (something other than the options from condition 1 above), it is possible that the backup is not triggering any database cleaning functions. This can also happen if you are running SAN-level snapshots, since the OS and any applications running on the VM are not aware that a backup is being run. In either case, you will want to check the CA database log files after running a backup with your solution. The default location for the CA database files is “C:\Windows\System32\Certlog”.

The CA Certificate and the Private Key

Having a copy of the CA’s certificate on hand is never a bad thing, as long as it is up to date and stored in a secure location with limited access. You can run the Certutil -backupKey command on the CA to export the certificate and private key that the CA is currently using to a PFX file. You will be able to specify the folder location of your choosing.


Perform a Full System Backup

It is always recommended to perform full system backups whether using the Windows Backup tool or using a backup solution of your choosing. Be sure to include all critical volumes and the System State. The critical volumes should include any and all folders that were included in the Certutil commands.


Perform a Backup of the Active Directory Database

This can be achieved by running the full backup as described above. Just make sure you include the critical volumes that hold the NTDS.dit database instance as well as the System State. You really should not rely on replication if you are recovering from a major accident or outage: any changes may have replicated from the bad database to other AD DS instances in your environment.

How to Tell if Backups Completed Successfully

One of the easiest ways to see whether your backup and log truncation completed successfully is to check the Event Viewer, more specifically the Windows Application log. After running the Certutil -backupDB command, look for event 213 with the source “ESENT”; event 210 is logged when the backup starts. Your Active Directory monitoring solution should be looking for these events and, if you choose, for the whole range of ESENT events 210 – 225. If you are using ShadowCopy, you will want to monitor for ESENT events 2001-2006.


You should consider running a local script to perform a scheduled backup of your Certificate Authority. You can use whatever language you like for your script, but it needs to be able to back up the following:

  • AD CS Certificate Authority database
  • CA certificates, previously renewed CA certificates
  • CA Configuration data stored in the registry
  • Thales nCipher HSM configuration and key files
  • Published templates on the CA
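One way to put the scheduled backup and the ESENT event check described above into a single script, as an added PowerShell example that is not the article’s own; it assumes it runs elevated on the CA as the same account that created the DPAPI-protected password file, that $BackupRoot is a path you copy to offline storage afterwards, and it does not cover the HSM item in the list.

```powershell
# Added example, not the article's own script: back up the CA database, the CA
# certificate/private key, the registry configuration and the template list,
# then confirm the ESENT backup events fired and the edb*.log files were truncated.
# Assumed: runs elevated on the CA, as the same account that created $PwdFile.
param(
    [string]$BackupRoot = 'D:\CABackup',                 # assumed destination
    [string]$PwdFile    = 'C:\CABackup\pfx.pwd',         # assumed DPAPI-protected file
    [string]$CertLogDir = 'C:\Windows\System32\Certlog'  # default from the article
)
# Create $PwdFile once, interactively, as the task account:
#   Read-Host -AsSecureString | ConvertFrom-SecureString | Set-Content $PwdFile
$started = Get-Date
$target  = Join-Path $BackupRoot ($started.ToString('yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $target -Force | Out-Null

# 1. CA database: this is the backup type that lets ESE truncate the logs
certutil -backupDB $target
if ($LASTEXITCODE -ne 0) { throw "certutil -backupDB failed with $LASTEXITCODE" }

# 2. CA certificate and private key to a PFX; password read from the protected file
$secure = Get-Content $PwdFile | ConvertTo-SecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
certutil -p $plain -backupKey $target
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
if ($LASTEXITCODE -ne 0) { throw "certutil -backupKey failed with $LASTEXITCODE" }

# 3. CA configuration held in the registry (well-known CertSvc key)
reg export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' `
    (Join-Path $target 'CertSvc-Configuration.reg') /y | Out-Null

# 4. Templates published on this CA (the template objects themselves live in AD)
certutil -CATemplates | Out-File (Join-Path $target 'CATemplates.txt')

# 5. Verify: ESENT 210 = backup started, 213 = backup completed, since $started
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Application'; ProviderName = 'ESENT'; Id = 210, 213; StartTime = $started
} -ErrorAction SilentlyContinue
$completed = [bool]($events | Where-Object Id -eq 213)

# 6. Verify truncation: a snapshot-style backup would leave the log count untouched
$logsLeft = @(Get-ChildItem -Path $CertLogDir -Filter 'edb*.log' -ErrorAction SilentlyContinue).Count

[pscustomobject]@{ BackupPath = $target; Esent213Seen = $completed; LogFilesLeft = $logsLeft }
if (-not $completed) { Write-Warning 'No ESENT 213 event; treat this backup as unverified.' }
```

Register it as a scheduled task running as the account that created the password file: DPAPI ties that file to the account, and an interactive certutil -backupKey password prompt would hang an unattended run.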

You may want to check the PowerShell Gallery from Microsoft for scripts created by Microsoft MVPs. [Always test scripts in a non-production environment. Never test in production environments.]

Active Directory Monitoring and Reporting

Active Directory is the foundation of your network, and the structure that controls access to the most critical resources in your organization. The ENow Active Directory Monitoring and Reporting tool uncovers cracks in your Active Directory that can cause a security breach or poor end-user experience and enables you to quickly identify and remove users that have inappropriate access to privileged groups (Schema Admins, Domain Administrators). While ENow is not an auditing software, our reports reduce the amount of work required to cover HIPAA, SOX, and other compliance audits.
