CA Backup and Restore Windows PowerShell cmdlets

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

Author: Justin Turner, Senior Support Escalation Engineer with the Windows group

Note

This content is written by a Microsoft customer support engineer, and is intended for experienced administrators and systems architects who are looking for deeper technical explanations of features and solutions in Windows Server 2012 R2 than topics on TechNet usually provide. However, it has not undergone the same editing passes, so some of the language may seem less polished than what is typically found on TechNet.

Overview

The ADCSAdministration Windows PowerShell module was introduced in Windows Server 2012. Two new cmdlets were added to this module in Windows Server 2012 R2 to support the backup and restore of a CA.

  • Backup-CARoleService

  • Restore-CARoleService

Backup-CARoleService

Table 17: Backup and Restore Windows PowerShell Cmdlets

ADCSAdministration Cmdlet: Backup-CARoleService

Arguments (bold arguments are required) and descriptions:

-Path
  - String - location to save the backup
  - This is the only unnamed parameter
  - positional parameter

  Example:

    Backup-CARoleService -Path c:\adcsbackup1

    Backup-CARoleService c:\adcsbackup2

-KeyOnly
  - Back up the CA certificate without the database

  Example:

    Backup-CARoleService c:\adcsbackup3 -KeyOnly

-Password
  - Specifies the password to protect CA certificates and private keys
  - Must be a secure string
  - Not valid with the -DatabaseOnly parameter

  Example:

    Backup-CARoleService c:\adcsbackup4 -Password (Read-Host -Prompt "Password:" -AsSecureString)

    Backup-CARoleService c:\adcsbackup5 -Password (ConvertTo-SecureString "Pa55w0rd!" -AsPlainText -Force)

-DatabaseOnly
  - Back up the database without the CA certificate

    Backup-CARoleService c:\adcsbackup6 -DatabaseOnly

-Force
  - Allows you to overwrite a preexisting backup in the location specified in the -Path parameter

    Backup-CARoleService c:\adcsbackup1 -Force

-Incremental
  - Perform an incremental backup

    Backup-CARoleService c:\adcsbackup7 -Incremental

-KeepLog
  - Instructs the command to keep log files. If the switch is not specified, log files are truncated by default except in the Incremental scenario

    Backup-CARoleService c:\adcsbackup7 -KeepLog

-Password

If the -Password parameter is used, the supplied password must be a secure string. Use the Read-Host cmdlet to launch an interactive prompt for secure password entry, or use the ConvertTo-SecureString cmdlet to specify the password in-line.

Review the following examples:

Specifying a secure string for the Password parameter using Read-Host

Backup-CARoleService c:\adcsbackup4 -Password (Read-Host -prompt "Password:" -AsSecureString)  

Specifying a secure string for the Password parameter using ConvertTo-SecureString

Backup-CARoleService c:\adcsbackup5 -Password (ConvertTo-SecureString "Pa55w0rd!" -AsPlainText -Force)  

Restore-CARoleService

ADCSAdministration Cmdlet: Restore-CARoleService

Arguments (bold arguments are required) and descriptions:

-Path
  - String - location to restore backup from
  - This is the only unnamed parameter
  - positional parameter

  Example:

    Restore-CARoleService -Path c:\adcsbackup1 -Force

    Restore-CARoleService c:\adcsbackup2 -Force

-KeyOnly
  - Restore the CA certificate without the database
  - Must be specified if the backup was taken with the -KeyOnly option

  Example:

    Restore-CARoleService c:\adcsbackup3 -KeyOnly -Force

-Password
  - Specifies the password of the CA certificates and private keys
  - Must be a secure string

  Example:

    Restore-CARoleService c:\adcsbackup4 -Password (Read-Host -Prompt "Password:" -AsSecureString) -Force

    Restore-CARoleService c:\adcsbackup5 -Password (ConvertTo-SecureString "Pa55w0rd!" -AsPlainText -Force) -Force

-DatabaseOnly
  - Restore the database without the CA certificate

    Restore-CARoleService c:\adcsbackup6 -DatabaseOnly

-Force
  - Allows you to overwrite the preexisting keys
  - Is an optional parameter, but when restoring in-place it is likely required

    Restore-CARoleService c:\adcsbackup1 -Force

Issues

A non-password protected backup is taken if the ConvertTo-SecureString function fails while using the Backup-CARoleService with the -Password parameter.
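
One way to guard against the issue above, as an added example that is not part of the original article: bind the password through a mandatory, typed parameter so a failed conversion stops the run, then confirm the key backup does not open without a password. Backup-CAWithPassword is a hypothetical wrapper name; the example assumes the key backup is written as a .p12 file in the backup folder and that Get-PfxData from the PKI module is available.

```powershell
# Added example, not from the original article. Backup-CAWithPassword is a hypothetical name.
function Backup-CAWithPassword {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        # Mandatory and typed: a $null or plain-string value fails parameter binding,
        # so the backup never starts without a real SecureString.
        [Parameter(Mandatory)][securestring]$Password
    )
    $ErrorActionPreference = 'Stop'

    if ($Password.Length -eq 0) {
        throw 'Password is empty; refusing to take a key backup.'
    }

    Backup-CARoleService -Path $Path -Password $Password

    # Assumption: the key backup is written as a .p12 file under $Path.
    $keyFiles = @(Get-ChildItem -Path $Path -Filter '*.p12' -File)
    if ($keyFiles.Count -eq 0) {
        throw "No .p12 key backup found in $Path."
    }

    foreach ($file in $keyFiles) {
        $opensWithoutPassword = $false
        try {
            # Without -Password this only succeeds on an unprotected file.
            $null = Get-PfxData -FilePath $file.FullName
            $opensWithoutPassword = $true
        } catch { }

        if ($opensWithoutPassword) {
            throw "$($file.FullName) opens without a password; treat this backup as unprotected."
        }

        # The supplied password must open the file, otherwise the backup cannot be restored.
        $null = Get-PfxData -FilePath $file.FullName -Password $Password
    }
}

# Resolve the password in its own statement so a failure stops the script here,
# before any backup command runs.
$ErrorActionPreference = 'Stop'
$backupPassword = Read-Host -Prompt 'Password:' -AsSecureString
Backup-CAWithPassword -Path 'C:\adcsbackup4' -Password $backupPassword
```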

CA Backup and Restore

Table 18: Common Errors

Action: Restore-CARoleService C:\ADCSBackup
Error: Restore-CARoleService : The process cannot access the file because it is being used by another process. (Exception from HRESULT: 0x80070020)
Comment: Stop the Active Directory Certificate Services service prior to running the Restore-CARoleService cmdlet

Action: Restore-CARoleService C:\ADCSBackup
Error: Restore-CARoleService : The directory is not empty. (Exception from HRESULT: 0x80070091)
Comment: Use the -Force parameter to overwrite preexisting keys

Action: Backup-CARoleService C:\ADCSBackup -Password (Read-Host -Prompt "Password:" -AsSecureString) -DatabaseOnly
Error: Backup-CARoleService : Parameter set cannot be resolved using the specified named parameters.
Comment: The -Password parameter is only used to password protect private keys and is therefore invalid when you are not backing them up

Action: Restore-CARoleService C:\ADCSBack15 -Password (Read-Host -Prompt "Password:" -AsSecureString) -DatabaseOnly
Error: Restore-CARoleService : Parameter set cannot be resolved using the specified named parameters.
Comment: The -Password parameter is only used to password protect private keys and is therefore invalid when you are not restoring them

Action: Restore-CARoleService C:\ADCSBack14 -Password (Read-Host -Prompt "Password:" -AsSecureString)
Error: Restore-CARoleService : The system cannot find the file specified. (Exception from HRESULT: 0x80070002)
Comment: The path specified does not contain a valid database backup. Perhaps the path is invalid or the backup was taken with the -KeyOnly option?
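
The remedies in the table above combined into one in-place restore routine, as an added example that is not part of the original article. Restore-CAInPlace is a hypothetical wrapper name, and CertSvc is the service name of Active Directory Certificate Services.

```powershell
# Added example, not from the original article. Restore-CAInPlace is a hypothetical name.
function Restore-CAInPlace {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        [securestring]$Password,
        [switch]$DatabaseOnly,
        [switch]$KeyOnly
    )
    $ErrorActionPreference = 'Stop'

    # "Parameter set cannot be resolved": -Password only applies when keys are restored.
    if ($DatabaseOnly -and $PSBoundParameters.ContainsKey('Password')) {
        throw '-Password is not valid together with -DatabaseOnly.'
    }

    # 0x80070002: catch an invalid backup path before touching the service.
    if (-not (Test-Path -Path $Path -PathType Container)) {
        throw "Backup path not found: $Path"
    }

    # 0x80070091: -Force overwrites the preexisting keys during an in-place restore.
    $restoreArgs = @{ Path = $Path; Force = $true }
    if ($PSBoundParameters.ContainsKey('Password')) { $restoreArgs.Password = $Password }
    if ($DatabaseOnly) { $restoreArgs.DatabaseOnly = $true }
    if ($KeyOnly)      { $restoreArgs.KeyOnly = $true }

    # 0x80070020: the CA service holds the database open, so stop it first.
    $wasRunning = (Get-Service -Name CertSvc).Status -eq 'Running'
    if ($wasRunning) { Stop-Service -Name CertSvc }

    # If the restore throws, the service is left stopped so the CA does not
    # start on a partially restored state.
    Restore-CARoleService @restoreArgs

    if ($wasRunning) { Start-Service -Name CertSvc }
}

# Usage with the page's own path; the password is read before the restore starts.
$restorePassword = Read-Host -Prompt 'Password:' -AsSecureString
Restore-CAInPlace -Path 'C:\adcsbackup4' -Password $restorePassword
```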

Additional Resources

Active Directory Certificate Services Migration Guide

Backing up a CA database and private key

Restoring the CA database and configuration on the destination server

Try This: Back up the CA in your lab using Windows PowerShell

  1. Use the commands in this lesson to back up the CA database and private key secured with a password.

  2. Hold off on the restore of the CA at this time.