I think I understand this, but I want to be sure.
We are running two Windows 2016 domain controllers (VMs), one of which also holds the certificate server role. We perform a system state backup every day and offload the backups to a remote location. If for some reason the domain controller with the CA needs to be completely rebuilt, I assume I can restore the CA from the latest system state backup, and the existing domain controller will update the rebuilt server with all the other AD information. Is this a correct assumption, or should I implement a CA-specific recovery plan?
Additional info: I am building a baseline for systems deployed in 50+ disconnected environments. At this point, adding another server to each site is not an option for me. I plan to implement both a system state and a CA-specific backup plan to help with recovery; here are some scripts I have cobbled together to help with manual checks and to automate the daily process.
#CA Initial / Update Backup Script
$filedate = (Get-Date -format d).ToString().Replace("/","-")
#Backup / verify backup
IF ((Test-Path D:\CABackup) -eq $False)
{
    mkdir D:\CABackup
    mkdir D:\CABackup\InitialBackup
    Backup-CARoleService -KeyOnly D:\CABackup\InitialBackup -Password (Read-Host -Prompt "Assign a password for the CA Private Key" -AsSecureString)
    Backup-CARoleService -DatabaseOnly D:\CABackup\InitialBackup
    reg export HKLM\System\CurrentControlSet\Services\CertSvc\Configuration D:\CABackup\InitialBackup\<filename>.reg
}
ELSEIF ((Test-Path D:\CABackup\InitialBackup) -eq $False)
{
    mkdir D:\CABackup\InitialBackup
    Backup-CARoleService -KeyOnly D:\CABackup\InitialBackup -Password (Read-Host -Prompt "Assign a password for the CA Private Key" -AsSecureString)
    Backup-CARoleService -DatabaseOnly D:\CABackup\InitialBackup
    reg export HKLM\System\CurrentControlSet\Services\CertSvc\Configuration D:\CABackup\InitialBackup\<filename>.reg
}
ELSE
{
    #Initial backup folder exists: fill in whatever piece is missing
    IF ((Test-Path D:\CABackup\InitialBackup\database\<filename>.edb) -eq $False)
    {
        Backup-CARoleService -DatabaseOnly D:\CABackup\InitialBackup
    }
    IF ((Test-Path D:\CABackup\InitialBackup\<filename>.reg) -eq $False)
    {
        reg export HKLM\System\CurrentControlSet\Services\CertSvc\Configuration D:\CABackup\InitialBackup\<filename>.reg
    }
    IF ((Test-Path D:\CABackup\InitialBackup\<filename>.p12) -eq $False)
    {
        Backup-CARoleService -KeyOnly D:\CABackup\InitialBackup -Password (Read-Host -Prompt "Assign a password for the CA Private Key" -AsSecureString)
    }
    ELSE
    {
        #Compare the backed-up certificate thumbprint against the CA certificate thumbprint; if they do not match, archive the old cert and back up the current one
        $catpret = certutil -adca | Select-String "Cert Hash"
        $catp = $catpret.Line.Substring(17)
        $archtp = (Get-PfxData -FilePath D:\CABackup\Prikey\<filename>.p12).EndEntityCertificates.Thumbprint
        IF ($catp -ne $archtp)
        {
            Move-Item D:\CABackup\Prikey\<filename>.p12 D:\CABackup\Prikey\<filename>.p12.$filedate
            #The CA certificate changed, so the key backup (not the database) is what needs refreshing
            Backup-CARoleService -KeyOnly D:\CABackup\InitialBackup -Password (Read-Host -Prompt "Assign a password for the CA Private Key" -AsSecureString)
        }
    }
}
#List of certificates that will expire in the next 120 days
$list = @()
$na = (Get-Date).AddDays(120)
$listofexp = certutil -view -restrict "NotAfter<=$na" -out "RequestID,RequesterName,Request Common Name,NotAfter"
#certutil -view prints a fixed header and footer; walk the row blocks between them
$total = ($listofexp.Count - 10)
$f = 10
$e = 13
While ($e -lt $total)
{
    $list += ($listofexp[$f] + $listofexp[$f+1] + $listofexp[$f+2] + $listofexp[$e])
    $f = $f + 6
    $e = $e + 6
}
#Daily backup
$filedate = (Get-Date -format d).ToString().Replace("/","-")
mkdir D:\CABackup\$filedate
Backup-CARoleService -DatabaseOnly D:\CABackup\$filedate
reg export HKLM\System\CurrentControlSet\Services\CertSvc\Configuration D:\CABackup\$filedate\<filename>.reg
#Clear pending cert requests 2 weeks and older (Request Disposition 9 = pending)
$list = @()
$setpurge = (Get-Date).AddDays(-14)
$purgedate = Get-Date $setpurge -Format "MM/dd/yy"
$listofpend = certutil -view -restrict "Request Submission Date<=$purgedate,Request Disposition=9" -out "Request ID, Request Submission Date, Request Common Name"
$total = ($listofpend.Count - 9)
$f = 9
$e = 11
While ($e -lt $total)
{
    #Keep only the numeric Request ID that certutil prints in parentheses
    $list += ($listofpend[$f] -replace '.*\(' -replace '\),*')
    $f = $f + 5
    $e = $e + 5
}
foreach ($item in $list)
{
    certutil -deleterow $item
}
<#Original purge process replaced by the above
$setpurge = (Get-Date).AddDays(-14)
$purgedate = Get-Date $setpurge -Format "MM/dd/yy"
certutil -deleterow $purgedate request
#>
I have tested most of this in the lab, and I will let the pilot run for a while before I delete a server or two and attempt a recovery. If anyone has any additional suggestions, they would be much appreciated.
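A companion check for the backup job above, added here as an example and not part of the original post: it verifies that a CA backup folder holds all three pieces the script writes (database, registry export, key PFX) and that the PFX still carries the CA's active certificate, so a stale key backup is caught before a restore depends on it. Assumed names: the registry export is saved as CertSvc.reg, the database sits under .\DataBase as Backup-CARoleService writes it, the CA name is passed in, and the active certificate hash is read from the CACertHash value under CertSvc\Configuration.

```powershell
# Added example (not from the original post). Assumes Backup-CARoleService's folder
# layout (<CAName>.edb under DataBase, a .p12 in the folder root), a registry export
# named CertSvc.reg, and the CA's active cert hash in CACertHash (last entry = current).
function Test-CABackupSet {
    param(
        [Parameter(Mandatory)] [string]       $BackupPath,
        [Parameter(Mandatory)] [string]       $CaName,
        [Parameter(Mandatory)] [securestring] $KeyPassword
    )
    $problems = @()

    # 1. Database file written by Backup-CARoleService -DatabaseOnly
    $edb = Join-Path $BackupPath "DataBase\$CaName.edb"
    if (-not (Test-Path $edb)) { $problems += "missing database file $edb" }

    # 2. Registry export of the CertSvc configuration (assumed file name)
    $reg = Join-Path $BackupPath 'CertSvc.reg'
    if (-not (Test-Path $reg)) { $problems += "missing registry export $reg" }

    # 3. Key backup: the .p12 must open with the password and contain the active CA cert
    $pfx = Get-ChildItem -Path $BackupPath -Filter *.p12 | Select-Object -First 1
    if (-not $pfx) {
        $problems += "no .p12 key backup in $BackupPath"
    } else {
        try {
            $backedUp = (Get-PfxData -FilePath $pfx.FullName -Password $KeyPassword).EndEntityCertificates |
                        Select-Object -ExpandProperty Thumbprint
            # CACertHash is a multi-string of space-separated hex; the last entry is the active cert
            $regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CaName"
            $active  = ((Get-ItemProperty -Path $regPath -Name CACertHash).CACertHash |
                        Select-Object -Last 1) -replace ' ', ''
            if ($backedUp -notcontains $active) {
                $problems += "key backup ($($backedUp -join ',')) does not contain active CA cert $active"
            }
        } catch {
            $problems += "cannot open $($pfx.Name): $($_.Exception.Message)"
        }
    }

    [pscustomobject]@{
        BackupPath = $BackupPath
        Healthy    = ($problems.Count -eq 0)
        Problems   = $problems
    }
}

# Usage (run after the daily job; alert when Healthy is $false):
# Test-CABackupSet -BackupPath 'D:\CABackup\InitialBackup' -CaName 'EXAMPLE-CA' `
#     -KeyPassword (Read-Host -Prompt 'CA key backup password' -AsSecureString)
```

The thumbprint comparison is case-insensitive because PowerShell's -notcontains is, so the lower-case hex in CACertHash matches the upper-case Thumbprint property.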