
CA Backup and Restore Windows PowerShell cmdlets

Authors: xelu86 (ms.author: alalve)
Date: 06/21/2022

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

Author: Justin Turner, Senior Support Escalation Engineer with the Windows group

[!NOTE] This content is written by a Microsoft customer support engineer, and is intended for experienced administrators and systems architects who are looking for deeper technical explanations of features and solutions in Windows Server 2012 R2 than topics on TechNet usually provide. However, it has not undergone the same editing passes, so some of the language may seem less polished than what is typically found on TechNet.

Overview

The ADCSAdministration Windows PowerShell module was introduced in Windows Server 2012. Two new cmdlets were added to this module in Windows Server 2012 R2 to support the backup and restore of a CA:

  • Backup-CARoleService

  • Restore-CARoleService

Backup-CARoleService

ADCSAdministration Cmdlet: Backup-CARoleService

Arguments (required arguments are marked as such) and descriptions

-Path (required) - String - location to save the backup
- This is the only unnamed parameter
- Positional parameter

Example:

Backup-CARoleService -Path c:\adcsbackup1

Backup-CARoleService c:\adcsbackup2

-KeyOnly - Back up the CA certificate without the database

Example:

Backup-CARoleService c:\adcsbackup3 -KeyOnly

-Password - Specifies the password to protect CA certificates and private keys
- Must be a secure string
- Not valid with the -DatabaseOnly parameter

Example:

Backup-CARoleService c:\adcsbackup4 -Password (Read-Host -prompt "Password:" -AsSecureString)

Backup-CARoleService c:\adcsbackup5 -Password (ConvertTo-SecureString "Pa55w0rd!" -AsPlainText -Force)

-DatabaseOnly - Back up the database without the CA certificate

Backup-CARoleService c:\adcsbackup6 -DatabaseOnly

-Force - Allows you to overwrite a backup that already exists in the location specified in the -Path parameter

Backup-CARoleService c:\adcsbackup1 -Force

-Incremental - Perform an incremental backup

Backup-CARoleService c:\adcsbackup7 -Incremental

-KeepLog - Instructs the command to keep log files. If the switch is not specified, log files are truncated by default, except in the Incremental scenario

Backup-CARoleService c:\adcsbackup7 -KeepLog

-Password <Secure String>

If the -Password parameter is used, the supplied password must be a secure string. Use the Read-Host cmdlet to launch an interactive prompt for secure password entry, or use the ConvertTo-SecureString cmdlet to specify the password in-line.

Review the following examples:

Specifying a secure string for the Password parameter using Read-Host

Backup-CARoleService c:\adcsbackup4 -Password (Read-Host -prompt "Password:" -AsSecureString)

Specifying a secure string for the Password parameter using ConvertTo-SecureString

Backup-CARoleService c:\adcsbackup5 -Password (ConvertTo-SecureString "Pa55w0rd!" -AsPlainText -Force)

Restore-CARoleService

ADCSAdministration Cmdlet: Restore-CARoleService

Arguments (required arguments are marked as such) and descriptions

-Path (required) - String - location to restore the backup from
- This is the only unnamed parameter
- Positional parameter

Example:

Restore-CARoleService -Path c:\adcsbackup1 -Force

Restore-CARoleService c:\adcsbackup2 -Force

-KeyOnly - Restore the CA certificate without the database
- Must be specified if the backup was taken with the -KeyOnly option

Example:

Restore-CARoleService c:\adcsbackup3 -KeyOnly -Force

-Password - Specifies the password of the CA certificates and private keys
- Must be a secure string

Example:

Restore-CARoleService c:\adcsbackup4 -Password (Read-Host -prompt "Password:" -AsSecureString) -Force

Restore-CARoleService c:\adcsbackup5 -Password (ConvertTo-SecureString "Pa55w0rd!" -AsPlainText -Force) -Force

-DatabaseOnly - Restore the database without the CA certificate

Restore-CARoleService c:\adcsbackup6 -DatabaseOnly

-Force - Allows you to overwrite the preexisting keys
- Is an optional parameter but when restoring in-place, it is likely required

Restore-CARoleService c:\adcsbackup1 -Force

Issues

If the ConvertTo-SecureString expression supplied to the -Password parameter fails while you run Backup-CARoleService, the cmdlet still completes, but the backup it produces is not password protected.
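The following script is an added example (it is not part of the original article and not Microsoft's code) that ties the -Password section above to this issue: it refuses to run the backup with an empty or missing secure string, and afterwards checks that the exported key file really does require the password, so a failed ConvertTo-SecureString cannot leave an unprotected CA private key on disk unnoticed. It assumes the PKI module's Get-PfxData cmdlet is available, and it assumes (not confirmed by the article) that Backup-CARoleService writes the CA key as a .p12 file directly under the -Path directory.

```powershell
# Added example, not from the original article: password-protected CA backup
# with a post-backup check that the key file is actually protected.
# Assumptions: Get-PfxData (PKI module) is available; the exported key is a
# .p12 file directly under $BackupPath (file layout is an assumption).

$BackupPath = 'C:\adcsbackup-verified'   # constructed sample path

# Read the password interactively; -AsSecureString never exposes plaintext.
$Password = Read-Host -Prompt 'Backup password' -AsSecureString

# A failed or empty secure-string expression would otherwise be passed as
# $null and the cmdlet would silently export the key without protection.
if ($null -eq $Password -or $Password.Length -eq 0) {
    throw 'No password supplied; aborting backup.'
}

try {
    # -ErrorAction Stop turns any cmdlet failure into a terminating error.
    Backup-CARoleService -Path $BackupPath -Password $Password -Force -ErrorAction Stop
}
catch {
    throw "Backup-CARoleService failed: $($_.Exception.Message)"
}

# Locate the exported key file (assumed to be a .p12 in the backup directory).
$KeyFile = Get-ChildItem -Path $BackupPath -Filter '*.p12' -File | Select-Object -First 1
if (-not $KeyFile) {
    throw "No .p12 key file found under $BackupPath; was the backup taken with -DatabaseOnly?"
}

# Opening the PFX with the intended password must succeed.
$null = Get-PfxData -FilePath $KeyFile.FullName -Password $Password -ErrorAction Stop

# Opening it with an empty password must fail. If it succeeds, the private
# key was exported unprotected: remove the file and treat the backup as failed.
$EmptyPassword = New-Object System.Security.SecureString
$OpenedWithoutPassword = $true
try {
    $null = Get-PfxData -FilePath $KeyFile.FullName -Password $EmptyPassword -ErrorAction Stop
}
catch {
    $OpenedWithoutPassword = $false
}

if ($OpenedWithoutPassword) {
    Remove-Item -Path $KeyFile.FullName -Force
    throw "Key file $($KeyFile.Name) opened without a password and was deleted; rerun the backup."
}

Write-Output "Verified: $($KeyFile.Name) requires the backup password."
```

The empty-password probe is the part that matters: a PFX exported without a password opens with an empty one, so a successful open here is the signal that the -Password parameter was not honoured.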

The PowerShell cmdlet Restore-CARoleService restores the CA database and all private key data.

Common errors

Action: Restore-CARoleService C:\ADCSBackup
Error: Restore-CARoleService : The process cannot access the file because it is being used by another process. (Exception from HRESULT: 0x80070020)
Comment: Stop the Active Directory Certificate Services service prior to running the Restore-CARoleService cmdlet

Action: Restore-CARoleService C:\ADCSBackup
Error: Restore-CARoleService : The directory is not empty. (Exception from HRESULT: 0x80070091)
Comment: Use the -Force parameter to overwrite preexisting keys

Action: Backup-CARoleService C:\ADCSBackup -Password (Read-Host -Prompt "Password:" -AsSecureString) -DatabaseOnly
Error: Backup-CARoleService : Parameter set cannot be resolved using the specified named parameters.
Comment: The -Password parameter is only used to password protect private keys and is therefore invalid when you are not backing them up

Action: Restore-CARoleService C:\ADCSBack15 -Password (Read-Host -Prompt "Password:" -AsSecureString) -DatabaseOnly
Error: Restore-CARoleService : Parameter set cannot be resolved using the specified named parameters.
Comment: The -Password parameter is only used to password protect private keys and is therefore invalid when you are not restoring them

Action: Restore-CARoleService C:\ADCSBack14 -Password (Read-Host -Prompt "Password:" -AsSecureString)
Error: Restore-CARoleService : The system cannot find the file specified. (Exception from HRESULT: 0x80070002)
Comment: The path specified does not contain a valid database backup. Perhaps the path is invalid or the backup was taken with the -KeyOnly option?
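As an added example (not from the original article and not Microsoft's code), the following restore script avoids the errors listed above in order: it inspects the backup folder to pick a parameter set that matches what was actually backed up (so -Password is only passed when keys are present and a key-only backup is not restored as a database, which is the 0x80070002 case), stops the CA service before the restore (0x80070020), and passes -Force for an in-place restore (0x80070091). It assumes the service name CertSvc, and it assumes (not stated by the article) that a full backup stores the key as a .p12 under -Path and the database under a DataBase subfolder.

```powershell
# Added example, not from the original article: in-place CA restore that
# handles the failure modes from the common-errors table.
# Assumptions: service name is CertSvc; the key file is a .p12 under
# $BackupPath and the database lives in a DataBase subfolder (layout assumed).

$BackupPath = 'C:\adcsbackup1'   # constructed sample path

if (-not (Test-Path -Path $BackupPath -PathType Container)) {
    throw "Backup path $BackupPath does not exist."
}

# Work out which restore mode matches the backup contents.
$HasKey      = [bool](Get-ChildItem -Path $BackupPath -Filter '*.p12' -File)
$HasDatabase = Test-Path -Path (Join-Path $BackupPath 'DataBase') -PathType Container

if (-not $HasKey -and -not $HasDatabase) {
    throw "$BackupPath contains neither a key file nor a database folder."
}

# Build the parameter set by splatting so -Password is only supplied when
# private keys are part of the backup (otherwise the cmdlet rejects it).
$RestoreParams = @{ Path = $BackupPath; Force = $true; ErrorAction = 'Stop' }
if ($HasKey) {
    $RestoreParams['Password'] = Read-Host -Prompt 'Backup password' -AsSecureString
    if (-not $HasDatabase) { $RestoreParams['KeyOnly'] = $true }
}
else {
    $RestoreParams['DatabaseOnly'] = $true
}

# The restore fails with 0x80070020 while the CA service holds the database open.
$WasRunning = (Get-Service -Name CertSvc).Status -eq 'Running'
if ($WasRunning) { Stop-Service -Name CertSvc -Force }

try {
    Restore-CARoleService @RestoreParams
    Write-Output "Restore from $BackupPath completed."
}
finally {
    # Bring the CA back online even if the restore threw.
    if ($WasRunning) { Start-Service -Name CertSvc }
}
```

Splatting keeps the three mutually exclusive parameter sets (-KeyOnly, -DatabaseOnly, full) in one place; the finally block ensures the CA service is restarted whether or not the restore succeeds, which is the behaviour an operator wants during incident recovery.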

Additional Resources

Active Directory Certificate Services Migration Guide

Backing up a CA database and private key

Restoring the CA database and configuration on the destination server

Try This: Back up the CA in your lab using Windows PowerShell

  1. Use the commands in this lesson to back up the CA database and private key, secured with a password.

  2. Hold off on the restore of the CA at this time.

Which option will allow private keys to be locked away and then restored if the user's private key is lost?

By using key archival, private keys can be locked away and restored if the user's private key is lost.

What tool can a user use to request certificates that are not configured for autoenrollment?

Users can request certificates that aren't configured for autoenrollment by using the Certificates snap-in.

Which acronym best describes a document that describes how a CA issues certificates?

Certificate practice statement (CPS): a document describing how a CA issues certificates, containing the CA identity, the security practices used to maintain CA integrity, the types of certificates issued, the renewal policy, and so forth.

Which type of cryptography provides the most security?

The Advanced Encryption Standard, AES, is a symmetric encryption algorithm and one of the most secure. The United States Government uses it to protect classified information, and many software and hardware products use it as well.