Resolving Windows Server 2003 Networking Services Errors


Backing up Windows Server 2003 systems requires only a small amount of knowledge to perform the few backup tasks. More information is necessary when it comes to recovery, however, for two distinct reasons: several Windows Server 2003 services can be restored to a previous configuration without affecting the entire system, and others have special restore requirements.

Repairing Certificate Services

When a server running Certificate Services needs to be recovered, the Certificate server and database can normally be recovered using a system state restore. If the server was recovered using a clean installation with the same server name, the system must not join the domain at first. The system state must be restored to recover the computer account SID for the certificate server. If the CA server system state has not been backed up or cannot be restored properly, the CA may not be recoverable. When the CA service is recovered using a system state restore, the certificate database can be recovered if the correct version was not restored already.

To restore the Certification Authority if the database is corrupted or if an issued certificate is deleted by mistake, the administrator should restore the CA database. If the Certification Authority does not start or cannot issue certificates properly, the CA private key and CA certificate should be restored.

Only if the Certification Authority was previously backed up as outlined in Chapter 32 can the CA database be restored independently of a system state restore. The following sections assume that a previous backup was performed and saved to the c:\CaBackup directory of the CA server.

Restoring the CA Private Key and CA Certificate

To restore the CA private key and CA certificate, perform the following steps:

1. Log on to the Certification Authority server using an account with Local Administrator rights.
2. Click Start, All Programs, Administrative Tools, Certification Authority.
3. Expand the Certification Authority server and select the correct CA.
4. Select Actions, All Tasks, Restore CA.
5. A pop-up message appears stating that Certificate Services will need to be stopped during this operation. Click OK to stop the service.
6. Click Next on the Certification Authority Restore Wizard Welcome screen.
7. On the Items to Restore page, check the Private Key and CA Certificate boxes, type in the path of the backup folder, and click Next.
8. Enter the password previously specified during the CA private key and certificate backup process.
9. On the Completing the Certification Authority Restore Wizard page, click Finish to restore the private key and certificate and restart the Certification Authority service.
10. In the Certification Authority window, right-click Certification Authority and select Properties.
11. On the General tab of the CA's property page, verify that the correct certificate was restored. Then click OK to close the CA property pages, close the Certification Authority console, and log off the server.

Restoring the CA Database

The CA database will be restored more often than the CA private key and certificate will be restored, although it may not be necessary very often. The CA database may need to be restored if a user's or machine's certificate was revoked mistakenly and needs to be recovered. Also, if the certificate database is corrupted, the database could be recovered to a previous state. When a database is recovered, any new certificates that were issued after the backup was performed will become invalid. Users and computers issued these certificates may need to request new certificates and may not be able to recover encrypted data. To avoid this problem, the administrator needs to back up the certificate database frequently using a system state backup. As a best practice, CA servers should be deployed on member servers to simplify the restore process.

To restore the CA database from a previous backup, perform the following steps:

1. Log on to the Certification Authority server using an account with Local Administrator rights.
2. Click Start, All Programs, Administrative Tools, Certification Authority.
3. Expand the Certification Authority server and select the correct CA.
4. Select Actions, All Tasks, Restore CA.
5. A pop-up message appears stating that Certificate Services will need to be stopped during this operation. Click OK to stop the service.
6. Click Next on the Certification Authority Restore Wizard Welcome screen.
7. On the Items to Restore page, check the Certificate Database and Certificate Database Log box and type in the path of the backup folder, as shown in Figure 33.2. Then click Next.

Figure 33.2. Restoring the certificate database from a backup folder.

8. On the Completing the Certification Authority Restore Wizard page, click Finish to restore the certificate database and certificate database log and restart the Certification Authority service.
9. After the restore is complete, a pop-up window appears asking you to start Certificate Services. If additional incremental restores are necessary, click No and continue the restore process; otherwise, click Yes.
10. In the Certification Authority window, select the revoked certificates, issued certificates, or other locations to ensure that the correct database has been restored. Then click OK to close the CA property pages, close the Certification Authority console, and log off the server.
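The database restore above can also be scripted with certutil. The following batch file is an added example, not part of the original chapter; it assumes the c:\CaBackup folder named earlier, a backup layout with the database in a DataBase subfolder, and that no incremental restores are needed.

```batch
@echo off
rem Added example: command-line counterpart of the Restore CA wizard, database only.
rem Assumption: c:\CaBackup was produced by the CA backup wizard or "certutil -backup",
rem which stores the certificate database and logs in a DataBase subfolder.
setlocal
set BACKUP=c:\CaBackup

rem Refuse to continue if the folder does not look like a CA database backup.
if not exist "%BACKUP%\DataBase\*.edb" (
    echo No CA database backup found under %BACKUP%\DataBase
    exit /b 1
)

rem The restore needs Certificate Services stopped, as in step 5 of the wizard.
net stop certsvc

rem -f overwrites the existing database files with the backed-up copy.
certutil -f -restoreDB "%BACKUP%"
if errorlevel 1 (
    echo Restore failed. Certificate Services is left stopped for investigation.
    exit /b 1
)

net start certsvc

rem Verification, the counterpart of step 10: confirm the CA responds,
rem then list revoked requests. Disposition 21 is revoked, 20 is issued.
certutil -ping
certutil -view -restrict "Disposition=21" -out "RequestID,SerialNumber,CommonName"
endlocal
```

Comparing the revoked list against what was expected before the corruption or mistaken revocation shows whether the correct database version came back.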

Re-establishing Dynamic Host Configuration Protocol

If a previous backup of the Dynamic Host Configuration Protocol (DHCP) database was performed manually using the DHCP console or if the default 60-minute database backup is being used, the following steps will restore a DHCP database to the original DHCP or an alternate DHCP server. The DHCP restore will restore server options, scopes, and scope options, including reservations, address leases, and address pools. The DHCP data will be restored in its entirety. If only a single lost configuration needs to be restored (for example, a reservation), the DHCP data can be restored to an alternate server with the DHCP service installed. This server does not need to be authorized in the forest. When the DHCP data is restored, the reservation information can be recorded and manually recreated on the original DHCP server.

To restore DHCP data to the original or an alternate DHCP server, follow these steps:

1. If a system was restored using a clean installation or ASR and the system state was restored, the DHCP data will have been restored. If a configuration change in the DHCP needs to be rolled back, proceed to the next step.
2. Locate the previously backed-up DHCP data, which by default is located in the c:\Windows\system32\dhcp\backup folder. If this folder does not exist on the local system, restore the folder from a previous backup to an alternate location, for example, c:\dhcprestore\.
3. Log on to the desired DHCP server using an account with Local and Domain Administrator permissions.
4. Click Start, All Programs, Administrative Tools, DHCP.
5. If the desired DHCP server is not listed, right-click DHCP in the left pane and choose Add Server.
6. Type in the fully qualified domain name of the desired DHCP server and click OK.
7. When the server is listed in the window, select and right-click the server. Then select Restore, as shown in Figure 33.3.

Figure 33.3. Restoring the DHCP data.

8. In the Browse for Folder window that is displayed, locate the previously backed-up DHCP data, select the folder, and click OK. This DHCP backup folder will be accessed on the local system drive in the %systemroot%\system32\dhcp\backup folder or in an alternate restore folder.
9. A pop-up message appears stating that the DHCP service will need to be stopped and restarted for changes to take effect. Click Yes to restore the data and restart the DHCP server.
10. When the restore is complete, you might need to refresh the DHCP console. Select Action, Refresh, if necessary, to view changes.
11. To verify operation, boot up a DHCP client and check for proper addressing information and scope options. Also, check to ensure that reservations, if used, have been restored to the DHCP server configuration.
12. Close the DHCP console and log off the server.

Note

The DHCPExim utility can be used to quickly export and import DHCP configuration information to a file for safekeeping. This tool can be downloaded from Microsoft's Web site at http://www.microsoft.com/windows2000/techinfo/reskit/tools/new/dhcpexim-o.asp.


Windows Internet Naming Service

When the Windows Internet Naming Service (WINS) needs to be recovered from a previous backup, it can be recovered only from a system state backup or using the last-saved WINS backup store in the %systemroot%\system32\WINS\Backup folder. The default for WINS server backup is during system shutdown. If more frequent backups are necessary, perform the backup as outlined in the "Creating Regular Backup Procedures" section in Chapter 32.

To restore the WINS data, follow these steps:

1. Log on to the WINS server using an account with Local Administrator access.
2. Click Start, All Programs, Administrative Tools, WINS.
3. If the local WINS server does not appear in the window, right-click WINS in the left pane and select Add Server.
4. Type in the NetBIOS or fully qualified domain name of the WINS server and click OK.
5. Select the WINS server in the left pane.
6. Right-click the WINS server, select All Tasks, and then select Stop to stop the WINS service, as shown in Figure 33.4.

Figure 33.4. Stopping the WINS service.

7. After the service is stopped, right-click the server icon and select Restore Database.
8. In the Browse for Folder window that is displayed, locate the previously backed-up WINS data, select the folder, and click OK.
9. After the restore is complete, the WINS service is automatically restarted. Verify that the correct WINS configurations and records have been restored.
10. Troubleshoot as necessary, close the WINS console, and log off the server.

Recovering Domain Name System

Domain name system (DNS) zones can be created or restored using zone files created on Windows Server 2003 or from other DNS systems. Because dynamic Active Directory-integrated zones do not store a copy of the data in a backup file, these zones can be simply re-created and the servers and workstations will repopulate the data within. Entries manually entered in the Active Directory-integrated zones will need to be manually re-created. This is why multiple Active Directory DNS servers are desired to provide redundancy.

To restore standard primary zones from a backup file, simply create a new forward or reverse lookup zone but specify to create it using the existing backup file. Creating new zones on Windows 2003 DNS is covered in Chapter 9, "The Domain Name System."




Microsoft Windows Server 2003 Unleashed (R2 Edition)
ISBN: 0672328984
EAN: 2147483647
Year: 2006
Pages: 499
