You have a server named Server1 that has the Active Directory Certificate Services server role installed.
Server1 uses a hardware security module (HSM) to protect the private key of Server1.
You need to ensure that the Active Directory Certificate Services (AD CS) database, log files, and private key are backed up.
You perform regular backups of the HSM module by using a backup utility provided by the HSM manufacturer.
What else should you do?
A. Run the certutil.exe command and specify the -backupkey parameter.
B. Run the certutil.exe command and specify the -backupdb parameter.
C. Run the certutil.exe command and specify the -backup parameter.
D. Run the certutil.exe command and specify the -dump parameter.
Explanation:
A) Backup the Active Directory Certificate Services certificate and private key
B) Backup the Active Directory Certificate Services database
C) Backup Active Directory Certificate Services
D) Dump configuration information or files
http://technet.microsoft.com/en-us/library/cc732443.aspx#BKMK_backupKey
http://technet.microsoft.com/en-us/library/cc732443.aspx#BKMK_backupDB
http://technet.microsoft.com/en-us/library/cc732443.aspx#BKMK_backup
http://technet.microsoft.com/library/cc732443.aspx#BKMK_dump
The correct answer is C
certutil /backupdb only backs up the database.
certutil /backup backs up the database as well as the certificate and private key.
0
0
Both can back up the logs as well, with the keep log option.
0
0
So the HSM utility is backing up the key only. Meaning we need the db and log files too.
Essentially we need the whole package.
C seems most appropriate. Because it backs up all the components.
0
0
-backupDB
CertUtil -backupDB [KeepLog]
Backup Active Directory Certificate Services database
KeepLog: preserve database log files (default is to truncate log files)
-backup
CertUtil -backup [KeepLog]
Backup Active Directory Certificate Services
KeepLog: preserve database log files (default is to truncate log files)
certutil backup also includes the CA certificate, including the private key, in the backup; that is the only difference between the two commands.
So basically C is right, but only because we want the private key; otherwise it could be either.
0
0
Server1 uses a hardware security module (HSM) to protect the private key of Server1. My question is: “IS IT POSSIBLE FOR CERTUTIL TO BACK UP THE KEY” OR ARE WE JUST RELYING ON THE BACKUP PERFORMED BY THE BACKUP UTILITY PROVIDED BY THE HSM MANUFACTURER?
I will go with B since the certificate is protected by the HSM and is being backed up regularly.
Running certutil /backup backs up the database as well as the certificate and private key, but the cmd won’t find the private key since it’s protected by the HSM, I guess.
1
0