Most Windows Server services that contain a database
or local files are backed up with the System State but also provide
alternate backup and restore options. Because the System State restore
is usually an all-or-nothing proposition, except when it comes to
cluster nodes and domain controllers, restoring an entire System State
might deliver undesired results if only a specific service database
restore is required. This section outlines services that either have
separate backup/restore utilities or require special attention to ensure
a successful backup.
Disk Configuration (Software RAID Sets)
Disk configuration is not a service but should be backed up to ensure that proper partition assignments can be restored. When Dynamic disks are used to create complex volumes—such as mirrored, striped, spanned, or RAID-5 volumes—the disk configuration should be saved. This way, if the operating system is corrupt and needs to be rebuilt from scratch, the complex volumes need to have only their configuration restored, which could greatly reduce the recovery time. Only an ASR backup can back up disk and volume configuration.
Certificate Services
Installing Certificate Services creates a certificate authority (CA) on the Windows Server 2003 system. The CA is used to manage and allocate certificates to users, servers, and workstations when files, folders, email, or network communication needs to be secured and encrypted. In many cases, the CA is a completely separate secured CA server; however, many organizations use their Exchange server as a CA server. This might be because a limited number of servers must host several different roles and services on a single server, or because the organization wants to use Secure Sockets Layer (SSL) and forms-based authentication (FBA) for secured Outlook Web Access and therefore installs Certificate Services on an Exchange server. Whatever the case, the CA needs to be backed up, whether it runs on the Exchange server or on any other server. If the CA server crashes, it can then be restored so users can continue to access the system after recovery.
Caution
For security purposes, it is highly recommended that Certificate Services be enabled on a server other than the Exchange server. Definitely do not have the CA services on an Outlook Web Access server that is exposed to the Internet. The integrity of certificate-authenticated access depends on ensuring that certificates are issued only by a trusted authority. Any compromise to the CA server invalidates an organization’s ability to secure its communications.
When the CA allocates a certificate to a machine or user, that information is recorded in the certificate database on the local drive of the CA. If this database is corrupted or deleted, all certificates allocated from this server become invalid or unusable. To avoid this problem, the certificates and Certificate Services database should be backed up frequently. Even if certificates are rarely allocated to new users or machines, backups should still be performed regularly.
Certificate Services can be backed up in three ways: backing up the CA server’s System State, using the CA Microsoft Management Console (MMC) snap-in, or using the command-line utility Certutil.exe. Backing up Certificate Services by backing up the System State is the preferred method because it can be easily automated and scheduled. Using the graphical console or the command-line utility, however, adds the benefit of being able to restore Certificate Services to a previous state without restoring the entire server System State or taking down the entire server for the restore.
To create a backup of the CA using the graphic console, follow these steps:
1. Log on to the CA server using an account with local Administrator rights.
2. Open Windows Explorer and create a folder named CaBackup on the C: drive.
3. Select Administrative Tools, Certificate Authority.
4. Expand the Certificate Authority server, and select the correct CA.
5. Select Actions, All Tasks, Back Up CA.
6. Click Next on the Certification Authority Backup Wizard welcome screen.
7. On the Items to Back Up page, check the Private Key and CA Certificate check box and the Certificate Database and Certificate Database Log check box, as shown in Figure 1.
8. Specify the location to store the CA backup files. Use the folder created in the beginning of this process. Click Next to continue.
9. When the CA certificate and private key are backed up, this data file must be protected with a password. Enter a password for this file, confirm it, and click Next to continue.
Note
To restore the CA private key and CA certificate, you must use the password entered in step 9. Store this password in a safe place, possibly with the master account list.
10. Click Finish to create the CA backup.
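The same backup can be taken with Certutil.exe, the command-line option mentioned earlier. The batch file below is an added example, not part of the original text; it assumes the C:\CaBackup folder from step 2 and is run on the CA server by a local Administrator.

```bat
@echo off
rem Added example: back up the CA key pair and certificate database
rem with Certutil.exe. C:\CaBackup is the folder from step 2 (assumption).
setlocal
set "BACKUP_DIR=C:\CaBackup"

if not exist "%BACKUP_DIR%" mkdir "%BACKUP_DIR%"

rem Keep each backup in its own empty folder so an earlier backup is
rem neither overwritten nor mixed with this one.
if exist "%BACKUP_DIR%\DataBase" (
    echo %BACKUP_DIR% already holds a CA backup. Archive it first.
    exit /b 1
)

rem -backup saves the CA certificate and private key as a PKCS #12 file
rem and the certificate database with its logs. No -p option is given,
rem so certutil prompts for the password and it is never stored in this
rem script or typed on a command line.
certutil -backup "%BACKUP_DIR%"
if errorlevel 1 (
    echo CA backup FAILED. See the certutil output above.
    exit /b 1
)

rem Confirm that both parts of the backup were written.
if not exist "%BACKUP_DIR%\*.p12" (
    echo No .p12 key file found in %BACKUP_DIR%.
    exit /b 1
)
if not exist "%BACKUP_DIR%\DataBase\*.edb" (
    echo No database file found in %BACKUP_DIR%\DataBase.
    exit /b 1
)
echo CA backup complete: %BACKUP_DIR%
endlocal
```

The resulting folder contains the CA private key, so it deserves the same protection as the CA server itself once it is copied to backup media.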
Internet Information Services (IIS)
Internet Information Services (IIS) provides the Windows Server 2003 web and FTP services that support websites like OWA. It is included on every version of the Windows Server 2003 platform. IIS stores configuration and security information for web and FTP sites in the IIS metabase. The IIS metabase can be backed up by performing a System State backup of the server running IIS, but it can also be backed up using the IIS console. Best practices say that the IIS metabase should be backed up separately before and after any IIS configuration change is made. This ensures that a successful rollback is available should issues occur, and that the latest IIS configuration data is backed up after the change.
To back up the IIS metabase using the IIS console, use the following steps:
1. Log on to the IIS server using an account with local Administrator access.
2. Click Start, All Programs, Administrative Tools, Internet Information Services (IIS).
3. If the local IIS server does not appear in the window, right-click Internet Information Services in the left pane, and select Connect.
4. Type in the fully qualified domain name for the IIS server, and click OK.
5. Right-click the IIS server in the left pane, and select All Tasks, Backup/Restore Configuration.
6. The Configuration Backup/Restore window lists all the automatic IIS backups that have been created. Click the Create Backup button.
7. Enter the backup name and, if necessary, check the Encrypt Backup Using Password check box, enter and confirm the password, and click OK when you’re finished, as shown in Figure 2.
8. When the backup is complete, it is listed in the Configuration Backup/Restore window. Click Close to return to the IIS console.
Before a change is made to the IIS configuration, a backup should be manually created. When the change is completed, the administrator should either perform another backup or choose the option to save the configuration to disk. The administrator can save new IIS configuration changes to disk by right-clicking the IIS server, selecting All Tasks, and then choosing Save Configuration to Disk. This option works correctly only after a change has been made that has not yet been recorded in the IIS metabase.