System state backup does not include CA private keys in Windows Server 2008 or in Windows Server 2008 R2

Symptoms

Assume that you use the Windows Server Backup feature to perform a system state backup on a computer that is running Windows Server 2008 or Windows Server 2008 R2. The computer has the Active Directory Certificate Services (AD CS) server role installed. In this situation, the certification authority (CA) private keys are not included in the system state backup image. Therefore, the CA private keys are unavailable when the system state is restored, and this leads to an outage of the public key infrastructure (PKI).

Cause

The issue occurs because the location where the CA private keys are stored is missing from the metadata list for system state backup.

More Information

Update information

How to obtain this update

This update is available from the Microsoft Update website:

http://update.microsoft.comThe following files are available for download from the Microsoft Download Center:

Operating system

Update

All supported x86-based versions of Windows Server 2008

Download Download the update package now.

All supported x64-based versions of Windows Server 2008

Download Download the update package now.

All supported x64-based versions of Windows Server 2008 R2

Download Download the update package now.

For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to obtain Microsoft support files from online services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.

Prerequisites

To apply this update, you must be running one of the following operating systems:

  • Windows Server 2008 Service Pack 2 (SP2)

  • Windows Server 2008 R2

  • Windows Server 2008 R2 Service Pack 1 (SP1)

For more information about how to obtain a Windows Server 2008 service pack, click the following article number to view the article in the Microsoft Knowledge Base:

968849 How to obtain the latest service pack for Windows Server 2008

For more information about how to obtain a Windows 7 or Windows Server 2008 R2 service pack, click the following article number to view the article in the Microsoft Knowledge Base:

976932 Information about Service Pack 1 for Windows 7 and for Windows Server 2008 R2

Registry information

To apply the update in this package, you do not have to make any changes to the registry.

Restart requirement

You do not have to restart the computer after you apply this update. To avoid restarting, stop the AD CS service before you install the hotfix.

Update replacement information

This update does not replace a previously released update.

File information

The global version of this update installs files that have the attributes that are listed in the following tables. The dates and the times for these files are listed in Coordinated Universal Time (UTC). The dates and the times for these files on your local computer are displayed in your local time together with your current daylight saving time (DST) bias. Additionally, the dates and the times may change when you perform certain operations on the files.

Windows Server 2008 file information notes
  • The files that apply to a specific product, SR_Level (RTM, SPn), and service branch (LDR, GDR) can be identified by examining the file version numbers as shown in the following table.

    Version

    Product

    SR_Level

    Service branch

    6.0.600
    2.
    18xxx

    Windows Server 2008

    SP2

    GDR

    6.0.600
    2.
    22xxx

    Windows Server 2008

    SP2

    LDR

  • GDR service branches contain only those fixes that are widely released to address widespread, extremely important issues. LDR service branches contain hotfixes in addition to widely released fixes.

  • The MANIFEST files (.manifest) and the MUM files (.mum) that are installed for each environment are listed separately in the "Additional file information for Windows Server 2008" section. MUM files and MANIFEST files, and the associated security catalog (.cat) files, are extremely important to maintain the state of the updated components. The security catalog files, for which the attributes are not listed, are signed with a Microsoft digital signature.

For all supported x86-based versions of Windows Server 2008

File name

File version

File size

Date

Time

Platform

Cryptsvc.dll

6.0.6002.18553

130,048

19-Dec-2011

15:54

x86

Cryptsvc.dll

6.0.6002.22758

132,096

19-Dec-2011

16:05

x86

For all supported x64-based versions of Windows Server 2008

File name

File version

File size

Date

Time

Platform

Cryptsvc.dll

6.0.6002.18553

167,936

19-Dec-2011

16:33

x64

Cryptsvc.dll

6.0.6002.22758

171,008

19-Dec-2011

16:20

x64

Cryptsvc.dll

6.0.6002.18553

130,048

19-Dec-2011

15:54

x86

Cryptsvc.dll

6.0.6002.22758

132,096

19-Dec-2011

16:05

x86

Windows Server 2008 R2 file information notes


  • The files that apply to a specific product, SR_Level (RTM, SPn), and service branch (LDR, GDR) can be identified by examining the file version numbers as shown in the following table.

    Version

    Product

    SR_Level

    Service branch

    6.1.760
    0.
    16xxx

    Windows Server 2008 R2

    RTM

    GDR

    6.1.760
    0.
    21xxx

    Windows Server 2008 R2

    RTM

    LDR

    6.1.760
    1.
    17xxx

    Windows Server 2008 R2

    SP1

    GDR

    6.1.760
    1.
    21xxx

    Windows Server 2008 R2

    SP1

    LDR

  • GDR service branches contain only those fixes that are widely released to address widespread, extremely important issues. LDR service branches contain hotfixes in addition to widely released fixes.

  • The MANIFEST files (.manifest) and the MUM files (.mum) that are installed for each environment are listed separately in the "Additional file information for Windows Server 2008 R2" section. MUM and MANIFEST files, and the associated security catalog (.cat) files, are extremely important to maintain the state of the updated components. The security catalog files, for which the attributes are not listed, are signed with a Microsoft digital signature.

For all supported x64-based versions of Windows Server 2008 R2

File name

File version

File size

Date

Time

Platform

Cryptsvc.dll

6.1.7600.16932

176,128

20-Dec-2011

06:28

x64

Cryptsvc.dll

6.1.7600.21110

177,664

20-Dec-2011

06:26

x64

Cryptsvc.dll

6.1.7601.17746

177,664

20-Dec-2011

06:42

x64

Cryptsvc.dll

6.1.7601.21880

177,664

20-Dec-2011

06:16

x64

Cryptsvc.dll

6.1.7600.16932

136,192

20-Dec-2011

05:44

x86

Cryptsvc.dll

6.1.7600.21110

137,216

20-Dec-2011

05:34

x86

Cryptsvc.dll

6.1.7601.17746

136,704

20-Dec-2011

05:35

x86

Cryptsvc.dll

6.1.7601.21880

136,704

20-Dec-2011

07:00

x86

For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:

824684 Description of the standard terminology that is used to describe Microsoft software updates

To work around the issue, use one of the following methods:

  • At a command prompt on the certification authority, perform a full CA backup by using the certutil –backupKey destination folder command. You are prompted for a password to assign to the CA key p12 file.

  • By using the Certification Authority Administrative Tool, right-click the CA, point to All Tasks, and then click Backup CA. The wizard prompts you to select the private key that you want to back up, and then it prompts you to create a password to assign to the key.

Additional file information

Additional file information for Windows Server 2008

Additional files for all supported x86-based versions of Windows Server 2008

File name

Update-bf.mum

File version

Not Applicable

File size

3,011

Date (UTC)

20-Dec-2011

Time (UTC)

05:41

Platform

Not Applicable

File name

Update.mum

File version

Not Applicable

File size

3,078

Date (UTC)

20-Dec-2011

Time (UTC)

05:40

Platform

Not Applicable

File name

X86_753ab6e75f481b0d3cf95da3d5973821_31bf3856ad364e35_6.0.6002.18553_none_e876129d550f9a0e.manifest

File version

Not Applicable

File size

700

Date (UTC)

20-Dec-2011

Time (UTC)

05:40

Platform

Not Applicable

File name

X86_91ee1603da3b46d374e756d952864d25_31bf3856ad364e35_6.0.6002.22758_none_6fa06d475e3ea7e9.manifest

File version

Not Applicable

File size

700

Date (UTC)

20-Dec-2011

Time (UTC)

05:40

Platform

Not Applicable

File name

X86_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.0.6002.18553_none_77b30bbe981b63ff.manifest

File version

Not Applicable

File size

7,489

Date (UTC)

19-Dec-2011

Time (UTC)

16:18

Platform

Not Applicable

File name

X86_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.0.6002.22758_none_7841abe1b1347fa3.manifest

File version

Not Applicable

File size

7,489

Date (UTC)

19-Dec-2011

Time (UTC)

16:28

Platform

Not Applicable

Additional files for all supported x64-based versions of Windows Server 2008

File name

Amd64_3334123462a7d40d945371572da392cc_31bf3856ad364e35_6.0.6002.18553_none_cce473565e6ef072.manifest

File version

Not Applicable

File size

1,048

Date (UTC)

20-Dec-2011

Time (UTC)

05:40

Platform

Not Applicable

File name

Amd64_cdd76e897d054bf59b597c93cc8cc7e1_31bf3856ad364e35_6.0.6002.22758_none_961c989222682c78.manifest

File version

Not Applicable

File size

1,048

Date (UTC)

20-Dec-2011

Time (UTC)

05:40

Platform

Not Applicable

File name

Amd64_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.0.6002.18553_none_d3d1a7425078d535.manifest

File version

Not Applicable

File size

7,523

Date (UTC)

19-Dec-2011

Time (UTC)

16:59

Platform

Not Applicable

File name

Amd64_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.0.6002.22758_none_d46047656991f0d9.manifest

File version

Not Applicable

File size

7,523

Date (UTC)

19-Dec-2011

Time (UTC)

16:41

Platform

Not Applicable

File name

Update-bf.mum

File version

Not Applicable

File size

3,035

Date (UTC)

20-Dec-2011

Time (UTC)

05:41

Platform

Not Applicable

File name

Update.mum

File version

Not Applicable

File size

3,102

Date (UTC)

20-Dec-2011

Time (UTC)

05:40

Platform

Not Applicable

File name

X86_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.0.6002.18553_none_77b30bbe981b63ff.manifest

File version

Not Applicable

File size

7,489

Date (UTC)

19-Dec-2011

Time (UTC)

16:18

Platform

Not Applicable

File name

X86_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.0.6002.22758_none_7841abe1b1347fa3.manifest

File version

Not Applicable

File size

7,489

Date (UTC)

19-Dec-2011

Time (UTC)

16:28

Platform

Not Applicable

Additional file information for Windows Server 2008 R2

Additional files for all supported x64-based versions of Windows Server 2008 R2

File name

Amd64_50fb6535581c2c8eef32a17116303d95_31bf3856ad364e35_6.1.7601.21880_none_5467d6f3c32663b7.manifest

File version

Not Applicable

File size

702

Date (UTC)

20-Dec-2011

Time (UTC)

18:32

Platform

Not Applicable

File name

Amd64_5cfac1d91f38c5b3ce6bd03700df1f8f_31bf3856ad364e35_6.1.7600.16932_none_5a30150255630738.manifest

File version

Not Applicable

File size

702

Date (UTC)

20-Dec-2011

Time (UTC)

18:32

Platform

Not Applicable

File name

Amd64_7314fdbb749f2899eebead77eb8abb55_31bf3856ad364e35_6.1.7600.21110_none_390b09ca6cb9dd03.manifest

File version

Not Applicable

File size

704

Date (UTC)

20-Dec-2011

Time (UTC)

18:32

Platform

Not Applicable

File name

Amd64_7c1148cda10a17f12c2909be7733a8a3_31bf3856ad364e35_6.1.7600.16932_none_10219ac9f9cbe470.manifest

File version

Not Applicable

File size

704

Date (UTC)

20-Dec-2011

Time (UTC)

18:32

Platform

Not Applicable

File name

Amd64_8915ea29997160c17721555ce4ec3ed8_31bf3856ad364e35_6.1.7601.21880_none_0730b04b0a20d01b.manifest

File version

Not Applicable

File size

704

Date (UTC)

20-Dec-2011

Time (UTC)

18:32

Platform

Not Applicable

File name

Amd64_8a95dd5b41f48493ed341cce9979eab8_31bf3856ad364e35_6.1.7601.17746_none_57de0256824d3362.manifest

File version

Not Applicable

File size

704

Date (UTC)

20-Dec-2011

Time (UTC)

18:32

Platform

Not Applicable

File name

Amd64_907c8e88f8ce815a3e930c87223d157d_31bf3856ad364e35_6.1.7600.21110_none_4afe452d78d6e697.manifest

File version

Not Applicable

File size

702

Date (UTC)

20-Dec-2011

Time (UTC)

18:32

Platform

Not Applicable

File name

Amd64_97c377e5b7b89bb6d232021fa6b98536_31bf3856ad364e35_6.1.7600.21110_none_e894f5957c32e5b8.manifest

File version

Not Applicable

File size

1,048

Date (UTC)

20-Dec-2011

Time (UTC)

18:32

Platform

Not Applicable

File name

Amd64_ba68d6e1b50b4d87e95ad29a735a179b_31bf3856ad364e35_6.1.7601.17746_none_2d32d75398dd81ef.manifest

File version

Not Applicable

File size

1,048

Date (UTC)

20-Dec-2011

Time (UTC)

18:32

Platform

Not Applicable

File name

Amd64_c05e046acc01d12ac584e9eab22c1428_31bf3856ad364e35_6.1.7601.17746_none_a1bac12d53e98bfa.manifest

File version

Not Applicable

File size

702

Date (UTC)

20-Dec-2011

Time (UTC)

18:32

Platform

Not Applicable

File name

Amd64_ced66bb488209af9e4d8d27d9e01e9be_31bf3856ad364e35_6.1.7601.21880_none_bbfe332766699cb8.manifest

File version

Not Applicable

File size

1,048

Date (UTC)

20-Dec-2011

Time (UTC)

18:32

Platform

Not Applicable

File name

Amd64_e59f8098c1d4b5d59d3e50c928ab3de8_31bf3856ad364e35_6.1.7600.16932_none_0b3b8734050e67cb.manifest

File version

Not Applicable

File size

1,048

Date (UTC)

20-Dec-2011

Time (UTC)

18:32

Platform

Not Applicable

File name

Amd64_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.1.7600.16932_none_d227a52db45a6bc0.manifest

File version

Not Applicable

File size

2,393

Date (UTC)

20-Dec-2011

Time (UTC)

07:14

Platform

Not Applicable

File name

Amd64_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.1.7600.21110_none_d2c4b95ecd69d43c.manifest

File version

Not Applicable

File size

2,393

Date (UTC)

20-Dec-2011

Time (UTC)

07:04

Platform

Not Applicable

File name

Amd64_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.1.7601.17746_none_d407336fb18558f9.manifest

File version

Not Applicable

File size

2,393

Date (UTC)

20-Dec-2011

Time (UTC)

07:21

Platform

Not Applicable

File name

Amd64_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.1.7601.21880_none_d45f8ececac8d07d.manifest

File version

Not Applicable

File size

2,393

Date (UTC)

20-Dec-2011

Time (UTC)

08:13

Platform

Not Applicable

File name

Update-bf.mum

File version

Not Applicable

File size

3,981

Date (UTC)

20-Dec-2011

Time (UTC)

18:32

Platform

Not Applicable

File name

Update.mum

File version

Not Applicable

File size

4,059

Date (UTC)

20-Dec-2011

Time (UTC)

18:32

Platform

Not Applicable

File name

X86_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.1.7600.16932_none_760909a9fbfcfa8a.manifest

File version

Not Applicable

File size

2,389

Date (UTC)

20-Dec-2011

Time (UTC)

06:19

Platform

Not Applicable

File name

X86_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.1.7600.21110_none_76a61ddb150c6306.manifest

File version

Not Applicable

File size

2,389

Date (UTC)

20-Dec-2011

Time (UTC)

06:11

Platform

Not Applicable

File name

X86_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.1.7601.17746_none_77e897ebf927e7c3.manifest

File version

Not Applicable

File size

2,389

Date (UTC)

20-Dec-2011

Time (UTC)

06:13

Platform

Not Applicable

File name

X86_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.1.7601.21880_none_7840f34b126b5f47.manifest

File version

Not Applicable

File size

2,389

Date (UTC)

20-Dec-2011

Time (UTC)

07:39

Platform

Not Applicable

Need more help?

Expand your skills
Explore Training
Get new features first
Join Microsoft Insiders

Was this information helpful?

Thank you for your feedback!

×