System state backup does not include CA private keys in Windows Server 2008 or in Windows Server 2008 R2

Article translations Article translations
Article ID: 2603469 - View products that this article applies to.
Expand all | Collapse all

On This Page

Symptoms

Assume that you use the Windows Server Backup feature to perform a system state backup on a computer that is running Windows Server 2008 or Windows Server 2008 R2. The computer has the Active Directory Certificate Services (AD CS) server role installed. In this situation, the certification authority (CA) private keys are not included in the system state backup image. Therefore, the CA private keys are unavailable when the system state is restored, and this leads to an outage of the public key infrastructure (PKI).

Cause

The issue occurs because the location where the CA private keys are stored is missing from the metadata list for system state backup.

More information

Update information

How to obtain this update

This update is available from the Microsoft Update website:
http://update.microsoft.com
The following files are available for download from the Microsoft Download Center:
Collapse this tableExpand this table
Operating systemUpdate
All supported x86-based versions of Windows Server 2008
Collapse this imageExpand this image
Download
Download the update package now.
All supported x64-based versions of Windows Server 2008
Collapse this imageExpand this image
Download
Download the update package now.
All supported x64-based versions of Windows Server 2008 R2
Collapse this imageExpand this image
Download
Download the update package now.
For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to obtain Microsoft support files from online services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.

Prerequisites

To apply this update, you must be running one of the following operating systems:
  • Windows Server 2008 Service Pack 2 (SP2)
  • Windows Server 2008 R2
  • Windows Server 2008 R2 Service Pack 1 (SP1)
For more information about how to obtain a Windows Server 2008 service pack, click the following article number to view the article in the Microsoft Knowledge Base:
968849 How to obtain the latest service pack for Windows Server 2008
For more information about how to obtain a Windows 7 or Windows Server 2008 R2 service pack, click the following article number to view the article in the Microsoft Knowledge Base:
976932 Information about Service Pack 1 for Windows 7 and for Windows Server 2008 R2

Registry information

To apply the update in this package, you do not have to make any changes to the registry.

Restart requirement

You do not have to restart the computer after you apply this update. To avoid restarting, stop the AD CS service before you install the hotfix.

Update replacement information

This update does not replace a previously released update.

File information

The global version of this update installs files that have the attributes that are listed in the following tables. The dates and the times for these files are listed in Coordinated Universal Time (UTC). The dates and the times for these files on your local computer are displayed in your local time together with your current daylight saving time (DST) bias. Additionally, the dates and the times may change when you perform certain operations on the files.
Windows Server 2008 file information notes
  • The files that apply to a specific product, SR_Level (RTM, SPn), and service branch (LDR, GDR) can be identified by examining the file version numbers as shown in the following table.
    Collapse this tableExpand this table
    VersionProductSR_LevelService branch
    6.0.600 2 . 18xxxWindows Server 2008SP2GDR
    6.0.600 2 . 22xxxWindows Server 2008SP2LDR
  • GDR service branches contain only those fixes that are widely released to address widespread, extremely important issues. LDR service branches contain hotfixes in addition to widely released fixes.
  • The MANIFEST files (.manifest) and the MUM files (.mum) that are installed for each environment are listed separately in the "Additional file information for Windows Server 2008" section. MUM files and MANIFEST files, and the associated security catalog (.cat) files, are extremely important to maintain the state of the updated components. The security catalog files, for which the attributes are not listed, are signed with a Microsoft digital signature.
For all supported x86-based versions of Windows Server 2008
Collapse this tableExpand this table
File nameFile versionFile sizeDateTimePlatform
Cryptsvc.dll6.0.6002.18553130,04819-Dec-201115:54x86
Cryptsvc.dll6.0.6002.22758132,09619-Dec-201116:05x86
For all supported x64-based versions of Windows Server 2008
Collapse this tableExpand this table
File nameFile versionFile sizeDateTimePlatform
Cryptsvc.dll6.0.6002.18553167,93619-Dec-201116:33x64
Cryptsvc.dll6.0.6002.22758171,00819-Dec-201116:20x64
Cryptsvc.dll6.0.6002.18553130,04819-Dec-201115:54x86
Cryptsvc.dll6.0.6002.22758132,09619-Dec-201116:05x86
Windows Server 2008 R2 file information notes
  • The files that apply to a specific product, SR_Level (RTM, SPn), and service branch (LDR, GDR) can be identified by examining the file version numbers as shown in the following table.
    Collapse this tableExpand this table
    VersionProductSR_LevelService branch
    6.1.760 0 . 16xxxWindows Server 2008 R2RTMGDR
    6.1.760 0 . 21xxxWindows Server 2008 R2RTMLDR
    6.1.760 1 . 17xxxWindows Server 2008 R2SP1GDR
    6.1.760 1 . 21xxxWindows Server 2008 R2SP1LDR
  • GDR service branches contain only those fixes that are widely released to address widespread, extremely important issues. LDR service branches contain hotfixes in addition to widely released fixes.
  • The MANIFEST files (.manifest) and the MUM files (.mum) that are installed for each environment are listed separately in the "Additional file information for Windows Server 2008 R2" section. MUM and MANIFEST files, and the associated security catalog (.cat) files, are extremely important to maintain the state of the updated components. The security catalog files, for which the attributes are not listed, are signed with a Microsoft digital signature.
For all supported x64-based versions of Windows Server 2008 R2
Collapse this tableExpand this table
File nameFile versionFile sizeDateTimePlatform
Cryptsvc.dll6.1.7600.16932176,12820-Dec-201106:28x64
Cryptsvc.dll6.1.7600.21110177,66420-Dec-201106:26x64
Cryptsvc.dll6.1.7601.17746177,66420-Dec-201106:42x64
Cryptsvc.dll6.1.7601.21880177,66420-Dec-201106:16x64
Cryptsvc.dll6.1.7600.16932136,19220-Dec-201105:44x86
Cryptsvc.dll6.1.7600.21110137,21620-Dec-201105:34x86
Cryptsvc.dll6.1.7601.17746136,70420-Dec-201105:35x86
Cryptsvc.dll6.1.7601.21880136,70420-Dec-201107:00x86
For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates

Workaround

To work around the issue, use one of the following methods:
  • At a command prompt on the certification authority, perform a full CA backup by using the certutil –backupKey destination folder command. You are prompted for a password to assign to the CA key p12 file.
  • By using the Certification Authority Administrative Tool, right-click the CA, point to All Tasks, and then click Backup CA. The wizard prompts you to select the private key that you want to back up, and then it prompts you to create a password to assign to the key.

Additional file information

Additional file information for Windows Server 2008

Additional files for all supported x86-based versions of Windows Server 2008
Collapse this tableExpand this table
File nameUpdate-bf.mum
File versionNot Applicable
File size3,011
Date (UTC)20-Dec-2011
Time (UTC)05:41
PlatformNot Applicable
File nameUpdate.mum
File versionNot Applicable
File size3,078
Date (UTC)20-Dec-2011
Time (UTC)05:40
PlatformNot Applicable
File nameX86_753ab6e75f481b0d3cf95da3d5973821_31bf3856ad364e35_6.0.6002.18553_none_e876129d550f9a0e.manifest
File versionNot Applicable
File size700
Date (UTC)20-Dec-2011
Time (UTC)05:40
PlatformNot Applicable
File nameX86_91ee1603da3b46d374e756d952864d25_31bf3856ad364e35_6.0.6002.22758_none_6fa06d475e3ea7e9.manifest
File versionNot Applicable
File size700
Date (UTC)20-Dec-2011
Time (UTC)05:40
PlatformNot Applicable
File nameX86_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.0.6002.18553_none_77b30bbe981b63ff.manifest
File versionNot Applicable
File size7,489
Date (UTC)19-Dec-2011
Time (UTC)16:18
PlatformNot Applicable
File nameX86_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.0.6002.22758_none_7841abe1b1347fa3.manifest
File versionNot Applicable
File size7,489
Date (UTC)19-Dec-2011
Time (UTC)16:28
PlatformNot Applicable
Additional files for all supported x64-based versions of Windows Server 2008
Collapse this tableExpand this table
File nameAmd64_3334123462a7d40d945371572da392cc_31bf3856ad364e35_6.0.6002.18553_none_cce473565e6ef072.manifest
File versionNot Applicable
File size1,048
Date (UTC)20-Dec-2011
Time (UTC)05:40
PlatformNot Applicable
File nameAmd64_cdd76e897d054bf59b597c93cc8cc7e1_31bf3856ad364e35_6.0.6002.22758_none_961c989222682c78.manifest
File versionNot Applicable
File size1,048
Date (UTC)20-Dec-2011
Time (UTC)05:40
PlatformNot Applicable
File nameAmd64_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.0.6002.18553_none_d3d1a7425078d535.manifest
File versionNot Applicable
File size7,523
Date (UTC)19-Dec-2011
Time (UTC)16:59
PlatformNot Applicable
File nameAmd64_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.0.6002.22758_none_d46047656991f0d9.manifest
File versionNot Applicable
File size7,523
Date (UTC)19-Dec-2011
Time (UTC)16:41
PlatformNot Applicable
File nameUpdate-bf.mum
File versionNot Applicable
File size3,035
Date (UTC)20-Dec-2011
Time (UTC)05:41
PlatformNot Applicable
File nameUpdate.mum
File versionNot Applicable
File size3,102
Date (UTC)20-Dec-2011
Time (UTC)05:40
PlatformNot Applicable
File nameX86_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.0.6002.18553_none_77b30bbe981b63ff.manifest
File versionNot Applicable
File size7,489
Date (UTC)19-Dec-2011
Time (UTC)16:18
PlatformNot Applicable
File nameX86_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.0.6002.22758_none_7841abe1b1347fa3.manifest
File versionNot Applicable
File size7,489
Date (UTC)19-Dec-2011
Time (UTC)16:28
PlatformNot Applicable

Additional file information for Windows Server 2008 R2

Additional files for all supported x64-based versions of Windows Server 2008 R2
Collapse this tableExpand this table
File nameAmd64_50fb6535581c2c8eef32a17116303d95_31bf3856ad364e35_6.1.7601.21880_none_5467d6f3c32663b7.manifest
File versionNot Applicable
File size702
Date (UTC)20-Dec-2011
Time (UTC)18:32
PlatformNot Applicable
File nameAmd64_5cfac1d91f38c5b3ce6bd03700df1f8f_31bf3856ad364e35_6.1.7600.16932_none_5a30150255630738.manifest
File versionNot Applicable
File size702
Date (UTC)20-Dec-2011
Time (UTC)18:32
PlatformNot Applicable
File nameAmd64_7314fdbb749f2899eebead77eb8abb55_31bf3856ad364e35_6.1.7600.21110_none_390b09ca6cb9dd03.manifest
File versionNot Applicable
File size704
Date (UTC)20-Dec-2011
Time (UTC)18:32
PlatformNot Applicable
File nameAmd64_7c1148cda10a17f12c2909be7733a8a3_31bf3856ad364e35_6.1.7600.16932_none_10219ac9f9cbe470.manifest
File versionNot Applicable
File size704
Date (UTC)20-Dec-2011
Time (UTC)18:32
PlatformNot Applicable
File nameAmd64_8915ea29997160c17721555ce4ec3ed8_31bf3856ad364e35_6.1.7601.21880_none_0730b04b0a20d01b.manifest
File versionNot Applicable
File size704
Date (UTC)20-Dec-2011
Time (UTC)18:32
PlatformNot Applicable
File nameAmd64_8a95dd5b41f48493ed341cce9979eab8_31bf3856ad364e35_6.1.7601.17746_none_57de0256824d3362.manifest
File versionNot Applicable
File size704
Date (UTC)20-Dec-2011
Time (UTC)18:32
PlatformNot Applicable
File nameAmd64_907c8e88f8ce815a3e930c87223d157d_31bf3856ad364e35_6.1.7600.21110_none_4afe452d78d6e697.manifest
File versionNot Applicable
File size702
Date (UTC)20-Dec-2011
Time (UTC)18:32
PlatformNot Applicable
File nameAmd64_97c377e5b7b89bb6d232021fa6b98536_31bf3856ad364e35_6.1.7600.21110_none_e894f5957c32e5b8.manifest
File versionNot Applicable
File size1,048
Date (UTC)20-Dec-2011
Time (UTC)18:32
PlatformNot Applicable
File nameAmd64_ba68d6e1b50b4d87e95ad29a735a179b_31bf3856ad364e35_6.1.7601.17746_none_2d32d75398dd81ef.manifest
File versionNot Applicable
File size1,048
Date (UTC)20-Dec-2011
Time (UTC)18:32
PlatformNot Applicable
File nameAmd64_c05e046acc01d12ac584e9eab22c1428_31bf3856ad364e35_6.1.7601.17746_none_a1bac12d53e98bfa.manifest
File versionNot Applicable
File size702
Date (UTC)20-Dec-2011
Time (UTC)18:32
PlatformNot Applicable
File nameAmd64_ced66bb488209af9e4d8d27d9e01e9be_31bf3856ad364e35_6.1.7601.21880_none_bbfe332766699cb8.manifest
File versionNot Applicable
File size1,048
Date (UTC)20-Dec-2011
Time (UTC)18:32
PlatformNot Applicable
File nameAmd64_e59f8098c1d4b5d59d3e50c928ab3de8_31bf3856ad364e35_6.1.7600.16932_none_0b3b8734050e67cb.manifest
File versionNot Applicable
File size1,048
Date (UTC)20-Dec-2011
Time (UTC)18:32
PlatformNot Applicable
File nameAmd64_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.1.7600.16932_none_d227a52db45a6bc0.manifest
File versionNot Applicable
File size2,393
Date (UTC)20-Dec-2011
Time (UTC)07:14
PlatformNot Applicable
File nameAmd64_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.1.7600.21110_none_d2c4b95ecd69d43c.manifest
File versionNot Applicable
File size2,393
Date (UTC)20-Dec-2011
Time (UTC)07:04
PlatformNot Applicable
File nameAmd64_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.1.7601.17746_none_d407336fb18558f9.manifest
File versionNot Applicable
File size2,393
Date (UTC)20-Dec-2011
Time (UTC)07:21
PlatformNot Applicable
File nameAmd64_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.1.7601.21880_none_d45f8ececac8d07d.manifest
File versionNot Applicable
File size2,393
Date (UTC)20-Dec-2011
Time (UTC)08:13
PlatformNot Applicable
File nameUpdate-bf.mum
File versionNot Applicable
File size3,981
Date (UTC)20-Dec-2011
Time (UTC)18:32
PlatformNot Applicable
File nameUpdate.mum
File versionNot Applicable
File size4,059
Date (UTC)20-Dec-2011
Time (UTC)18:32
PlatformNot Applicable
File nameX86_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.1.7600.16932_none_760909a9fbfcfa8a.manifest
File versionNot Applicable
File size2,389
Date (UTC)20-Dec-2011
Time (UTC)06:19
PlatformNot Applicable
File nameX86_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.1.7600.21110_none_76a61ddb150c6306.manifest
File versionNot Applicable
File size2,389
Date (UTC)20-Dec-2011
Time (UTC)06:11
PlatformNot Applicable
File nameX86_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.1.7601.17746_none_77e897ebf927e7c3.manifest
File versionNot Applicable
File size2,389
Date (UTC)20-Dec-2011
Time (UTC)06:13
PlatformNot Applicable
File nameX86_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.1.7601.21880_none_7840f34b126b5f47.manifest
File versionNot Applicable
File size2,389
Date (UTC)20-Dec-2011
Time (UTC)07:39
PlatformNot Applicable

Properties

Article ID: 2603469 - Last Review: June 18, 2013 - Revision: 4.0
Applies to
  • Windows Server 2008 Datacenter
  • Windows Server 2008 Datacenter without Hyper-V
  • Windows Server 2008 Enterprise
  • Windows Server 2008 Enterprise without Hyper-V
  • Windows Server 2008 Foundation
  • Windows Server 2008 R2 Datacenter
  • Windows Server 2008 R2 Enterprise
  • Windows Server 2008 R2 Foundation
  • Windows Server 2008 R2 Standard
  • Windows Server 2008 Standard
  • Windows Server 2008 Standard without Hyper-V
Keywords: 
kbfix kbsurveynew kbexpertiseinter atdownload KB2603469

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com