System state backup does not include CA private keys in Windows Server 2008 or in Windows Server 2008 R2

Article ID: 2603469 - View products that this article applies to.
Expand all | Collapse all

On This Page

SYMPTOMS

Assume that you use the Windows Server Backup feature to perform a system state backup on a computer that is running Windows Server 2008 or Windows Server 2008 R2. The computer has the Active Directory Certificate Services (AD CS) server role installed. In this situation, the certification authority (CA) private keys are not included in the system state backup image. Therefore, the CA private keys are unavailable when the system state is restored, and this leads to an outage of the public key infrastructure (PKI).
Back to the top | Give Feedback

CAUSE

The issue occurs because the location where the CA private keys are stored is missing from the metadata list for system state backup.
Back to the top | Give Feedback

MORE INFORMATION

Update information

How to obtain this update

This update is available from the Microsoft Update website:
http://update.microsoft.com
(http://update.microsoft.com)
The following files are available for download from the Microsoft Download Center:
Collapse this tableExpand this table
Operating systemUpdate
All supported x86-based versions of Windows Server 2008
Collapse this imageExpand this image
Download
Download the update package now.
(http://www.microsoft.com/downloads/details.aspx?FamilyId=ff08b3cd-73d6-4a95-803d-a57bf30105ef)
All supported x64-based versions of Windows Server 2008
Collapse this imageExpand this image
Download
Download the update package now.
(http://www.microsoft.com/downloads/details.aspx?FamilyId=f174d2a9-2309-44fb-845f-cf5b17752643)
All supported x64-based versions of Windows Server 2008 R2
Collapse this imageExpand this image
Download
Download the update package now.
(http://www.microsoft.com/downloads/details.aspx?FamilyId=4385f553-ead1-4a24-bc54-4fb75087035c)
For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591
(http://support.microsoft.com/kb/119591/ )
How to obtain Microsoft support files from online services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.

Prerequisites

To apply this update, you must be running one of the following operating systems:
  • Windows Server 2008 Service Pack 2 (SP2)
  • Windows Server 2008 R2
  • Windows Server 2008 R2 Service Pack 1 (SP1)
For more information about how to obtain a Windows Server 2008 service pack, click the following article number to view the article in the Microsoft Knowledge Base:
968849
(http://support.microsoft.com/kb/968849/ )
How to obtain the latest service pack for Windows Server 2008
For more information about how to obtain a Windows 7 or Windows Server 2008 R2 service pack, click the following article number to view the article in the Microsoft Knowledge Base:
976932
(http://support.microsoft.com/kb/976932/ )
Information about Service Pack 1 for Windows 7 and for Windows Server 2008 R2

Registry information

To apply the update in this package, you do not have to make any changes to the registry.

Restart requirement

You do not have to restart the computer after you apply this update. To avoid restarting, stop the AD CS service before you install the hotfix.

Update replacement information

This update does not replace a previously released update.

File information

The global version of this update installs files that have the attributes that are listed in the following tables. The dates and the times for these files are listed in Coordinated Universal Time (UTC). The dates and the times for these files on your local computer are displayed in your local time together with your current daylight saving time (DST) bias. Additionally, the dates and the times may change when you perform certain operations on the files.
Windows Server 2008 file information notes
  • The files that apply to a specific product, SR_Level (RTM, SPn), and service branch (LDR, GDR) can be identified by examining the file version numbers as shown in the following table.
    Collapse this tableExpand this table
    VersionProductSR_LevelService branch
    6.0.600 2 . 18xxxWindows Server 2008SP2GDR
    6.0.600 2 . 22xxxWindows Server 2008SP2LDR
  • GDR service branches contain only those fixes that are widely released to address widespread, extremely important issues. LDR service branches contain hotfixes in addition to widely released fixes.
  • The MANIFEST files (.manifest) and the MUM files (.mum) that are installed for each environment are listed separately in the "Additional file information for Windows Server 2008" section. MUM files and MANIFEST files, and the associated security catalog (.cat) files, are extremely important to maintain the state of the updated components. The security catalog files, for which the attributes are not listed, are signed with a Microsoft digital signature.
For all supported x86-based versions of Windows Server 2008
Collapse this tableExpand this table
File nameFile versionFile sizeDateTimePlatform
Cryptsvc.dll6.0.6002.18508130,04825-Aug-201116:10x86
Cryptsvc.dll6.0.6002.22705132,09626-Aug-201101:34x86
For all supported x64-based versions of Windows Server 2008
Collapse this tableExpand this table
File nameFile versionFile sizeDateTimePlatform
Cryptsvc.dll6.0.6002.18508167,93625-Aug-201116:17x64
Cryptsvc.dll6.0.6002.22705171,52025-Aug-201123:07x64
Cryptsvc.dll6.0.6002.18508130,04825-Aug-201116:10x86
Cryptsvc.dll6.0.6002.22705132,09626-Aug-201101:34x86
Windows Server 2008 R2 file information notes
  • The files that apply to a specific product, SR_Level (RTM, SPn), and service branch (LDR, GDR) can be identified by examining the file version numbers as shown in the following table.
    Collapse this tableExpand this table
    VersionProductSR_LevelService branch
    6.1.760 0 . 16xxxWindows Server 2008 R2RTMGDR
    6.1.760 0 . 21xxxWindows Server 2008 R2RTMLDR
    6.1.760 1 . 17xxxWindows Server 2008 R2SP1GDR
    6.1.760 1 . 21xxxWindows Server 2008 R2SP1LDR
  • GDR service branches contain only those fixes that are widely released to address widespread, extremely important issues. LDR service branches contain hotfixes in addition to widely released fixes.
  • The MANIFEST files (.manifest) and the MUM files (.mum) that are installed for each environment are listed separately in the "Additional file information for Windows Server 2008 R2" section. MUM and MANIFEST files, and the associated security catalog (.cat) files, are extremely important to maintain the state of the updated components. The security catalog files, for which the attributes are not listed, are signed with a Microsoft digital signature.
For all supported x64-based versions of Windows Server 2008 R2
Collapse this tableExpand this table
File nameFile versionFile sizeDateTimePlatform
Cryptsvc.dll6.1.7600.16871176,12824-Aug-201105:33x64
Cryptsvc.dll6.1.7600.21035177,66424-Aug-201105:27x64
Cryptsvc.dll6.1.7601.17673177,66424-Aug-201105:22x64
Cryptsvc.dll6.1.7601.21798177,66425-Aug-201105:22x64
Cryptsvc.dll6.1.7600.16871136,19224-Aug-201104:30x86
Cryptsvc.dll6.1.7600.21035137,21624-Aug-201104:26x86
Cryptsvc.dll6.1.7601.17673136,70424-Aug-201104:22x86
Cryptsvc.dll6.1.7601.21798136,70425-Aug-201105:39x86
For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684
(http://support.microsoft.com/kb/824684/ )
Description of the standard terminology that is used to describe Microsoft software updates

WORKAROUND

To work around the issue, use one of the following methods:
  • At a command prompt on the certification authority, perform a full CA backup by using the certutil –backupKey destination folder command. You are prompted for a password to assign to the CA key p12 file.
  • By using the Certification Authority Administrative Tool, right-click the CA, point to All Tasks, and then click Backup CA. The wizard prompts you to select the private key that you want to back up, and then it prompts you to create a password to assign to the key.

Additional file information

Additional file information for Windows Server 2008

Additional files for all supported x86-based versions of Windows Server 2008
Collapse this tableExpand this table
File nameUpdate.mum
File versionNot Applicable
File size3,577
Date (UTC)26-Aug-2011
Time (UTC)09:41
PlatformNot Applicable
File nameX86_3f2e964db0ae04a57883d0bb3d26d88c_31bf3856ad364e35_6.0.6002.18508_none_6a22f3c2fb6b9e16.manifest
File versionNot Applicable
File size700
Date (UTC)26-Aug-2011
Time (UTC)09:41
PlatformNot Applicable
File nameX86_7ea29118fb3abef1f2bcfd91d6b54037_31bf3856ad364e35_6.0.6002.22705_none_bb5f1b5501f5ddeb.manifest
File versionNot Applicable
File size700
Date (UTC)26-Aug-2011
Time (UTC)09:41
PlatformNot Applicable
File nameX86_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.0.6002.18508_none_77ee1ccc97ee56fd.manifest
File versionNot Applicable
File size7,489
Date (UTC)25-Aug-2011
Time (UTC)18:19
PlatformNot Applicable
File nameX86_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.0.6002.22705_none_7874ba9fb10ea7e9.manifest
File versionNot Applicable
File size7,489
Date (UTC)26-Aug-2011
Time (UTC)02:06
PlatformNot Applicable
Additional files for all supported x64-based versions of Windows Server 2008
Collapse this tableExpand this table
File nameAmd64_28ea53fc73eec292c1c6aa22c1b3db9b_31bf3856ad364e35_6.0.6002.18508_none_aa3d6cef79133df9.manifest
File versionNot Applicable
File size1,048
Date (UTC)26-Aug-2011
Time (UTC)09:41
PlatformNot Applicable
File nameAmd64_b84f2f092affd17a42c08f6121b9b944_31bf3856ad364e35_6.0.6002.22705_none_8dbc374764b931cd.manifest
File versionNot Applicable
File size1,048
Date (UTC)26-Aug-2011
Time (UTC)09:41
PlatformNot Applicable
File nameAmd64_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.0.6002.18508_none_d40cb850504bc833.manifest
File versionNot Applicable
File size7,523
Date (UTC)25-Aug-2011
Time (UTC)18:36
PlatformNot Applicable
File nameAmd64_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.0.6002.22705_none_d4935623696c191f.manifest
File versionNot Applicable
File size7,523
Date (UTC)25-Aug-2011
Time (UTC)23:29
PlatformNot Applicable
File nameUpdate.mum
File versionNot Applicable
File size3,605
Date (UTC)26-Aug-2011
Time (UTC)09:41
PlatformNot Applicable
File nameX86_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.0.6002.18508_none_77ee1ccc97ee56fd.manifest
File versionNot Applicable
File size7,489
Date (UTC)25-Aug-2011
Time (UTC)18:19
PlatformNot Applicable
File nameX86_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.0.6002.22705_none_7874ba9fb10ea7e9.manifest
File versionNot Applicable
File size7,489
Date (UTC)26-Aug-2011
Time (UTC)02:06
PlatformNot Applicable

Additional file information for Windows Server 2008 R2

Additional files for all supported x64-based versions of Windows Server 2008 R2
Collapse this tableExpand this table
File nameAmd64_01945efbdd7c3c5d479ef7a96a85f826_31bf3856ad364e35_6.1.7601.17673_none_97d0d174e50cdf45.manifest
File versionNot Applicable
File size704
Date (UTC)25-Aug-2011
Time (UTC)14:15
PlatformNot Applicable
File nameAmd64_073783ffc838e35120ae452b73422743_31bf3856ad364e35_6.1.7600.21035_none_e528e4327613e25d.manifest
File versionNot Applicable
File size704
Date (UTC)25-Aug-2011
Time (UTC)14:15
PlatformNot Applicable
File nameAmd64_266b648718412f7180f5f3ab3e6a47e5_31bf3856ad364e35_6.1.7600.21035_none_a6e93b7b5e1588e8.manifest
File versionNot Applicable
File size702
Date (UTC)25-Aug-2011
Time (UTC)14:15
PlatformNot Applicable
File nameAmd64_2b766de870e86beec45b945a0d30a409_31bf3856ad364e35_6.1.7600.16871_none_806afc22dcca0c96.manifest
File versionNot Applicable
File size702
Date (UTC)25-Aug-2011
Time (UTC)14:15
PlatformNot Applicable
File nameAmd64_2fc2f55196d3baff85ed4661ba22bba6_31bf3856ad364e35_6.1.7600.16871_none_d49c4f4844636b72.manifest
File versionNot Applicable
File size704
Date (UTC)25-Aug-2011
Time (UTC)14:15
PlatformNot Applicable
File nameAmd64_4f48b01896761f5fd1930d31a7d6fb59_31bf3856ad364e35_6.1.7601.17673_none_0c80fab103ae9666.manifest
File versionNot Applicable
File size1,048
Date (UTC)25-Aug-2011
Time (UTC)14:15
PlatformNot Applicable
File nameAmd64_731f5bc8b6c09b4ca9fc037ff7b0a1c4_31bf3856ad364e35_6.1.7601.21798_none_cafd22eff21adef8.manifest
File versionNot Applicable
File size702
Date (UTC)25-Aug-2011
Time (UTC)14:15
PlatformNot Applicable
File nameAmd64_a0fe86686b04d89c7168961001292ebd_31bf3856ad364e35_6.1.7600.21035_none_09693734eb5b3ea1.manifest
File versionNot Applicable
File size1,048
Date (UTC)25-Aug-2011
Time (UTC)14:15
PlatformNot Applicable
File nameAmd64_b184af99e81a5fe5df2324d032976e86_31bf3856ad364e35_6.1.7601.21798_none_25b0ddbf0d5bd974.manifest
File versionNot Applicable
File size1,048
Date (UTC)25-Aug-2011
Time (UTC)14:15
PlatformNot Applicable
File nameAmd64_b3adfd9516dc9b291a338060c8c794a5_31bf3856ad364e35_6.1.7601.17673_none_1e2c71a9d755a35c.manifest
File versionNot Applicable
File size702
Date (UTC)25-Aug-2011
Time (UTC)14:15
PlatformNot Applicable
File nameAmd64_ef98e695631e42f1150e8dca607f0e23_31bf3856ad364e35_6.1.7601.21798_none_2641a415cede2f04.manifest
File versionNot Applicable
File size704
Date (UTC)25-Aug-2011
Time (UTC)14:15
PlatformNot Applicable
File nameAmd64_fd7c723b2df18ec0554c827058b870e3_31bf3856ad364e35_6.1.7600.16871_none_c34e0def7d3d84cf.manifest
File versionNot Applicable
File size1,048
Date (UTC)25-Aug-2011
Time (UTC)14:15
PlatformNot Applicable
File nameAmd64_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.1.7600.16871_none_d1fb634db47bc506.manifest
File versionNot Applicable
File size2,393
Date (UTC)24-Aug-2011
Time (UTC)07:12
PlatformNot Applicable
File nameAmd64_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.1.7600.21035_none_d2b41912cd758daa.manifest
File versionNot Applicable
File size2,393
Date (UTC)24-Aug-2011
Time (UTC)07:04
PlatformNot Applicable
File nameAmd64_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.1.7601.17673_none_d3e3c0e7b1a063a0.manifest
File versionNot Applicable
File size2,393
Date (UTC)24-Aug-2011
Time (UTC)06:34
PlatformNot Applicable
File nameAmd64_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.1.7601.21798_none_d45cbf4ccac9b9ff.manifest
File versionNot Applicable
File size2,393
Date (UTC)25-Aug-2011
Time (UTC)06:56
PlatformNot Applicable
File namePackage_1_for_kb2603469_bf~31bf3856ad364e35~amd64~~6.1.1.0.mum
File versionNot Applicable
File size1,791
Date (UTC)25-Aug-2011
Time (UTC)14:16
PlatformNot Applicable
File nameUpdate.mum
File versionNot Applicable
File size4,059
Date (UTC)25-Aug-2011
Time (UTC)14:15
PlatformNot Applicable
File nameX86_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.1.7600.16871_none_75dcc7c9fc1e53d0.manifest
File versionNot Applicable
File size2,389
Date (UTC)24-Aug-2011
Time (UTC)05:30
PlatformNot Applicable
File nameX86_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.1.7600.21035_none_76957d8f15181c74.manifest
File versionNot Applicable
File size2,389
Date (UTC)24-Aug-2011
Time (UTC)05:26
PlatformNot Applicable
File nameX86_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.1.7601.17673_none_77c52563f942f26a.manifest
File versionNot Applicable
File size2,389
Date (UTC)24-Aug-2011
Time (UTC)05:28
PlatformNot Applicable
File nameX86_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.1.7601.21798_none_783e23c9126c48c9.manifest
File versionNot Applicable
File size2,389
Date (UTC)25-Aug-2011
Time (UTC)06:14
PlatformNot Applicable
Back to the top | Give Feedback

Properties

Article ID: 2603469 - Last Review: February 29, 2012 - Revision: 3.0
APPLIES TO
  • Windows Server 2008 Datacenter
  • Windows Server 2008 Datacenter without Hyper-V
  • Windows Server 2008 Enterprise
  • Windows Server 2008 Enterprise without Hyper-V
  • Windows Server 2008 Foundation
  • Windows Server 2008 R2 Datacenter
  • Windows Server 2008 R2 Enterprise
  • Windows Server 2008 R2 Foundation
  • Windows Server 2008 R2 Standard
  • Windows Server 2008 Standard
  • Windows Server 2008 Standard without Hyper-V
Keywords: 
kbfix kbsurveynew kbexpertiseinter atdownload KB2603469
Back to the top | Give Feedback

Give Feedback

 
Back to the topBack to the top