Posted by: Roger Crawford
Enterprise CA, Windows Server 2003
Well, as stated in the previous post, we had a 2003 DC that was the FSMO master and also the Enterprise CA for the domain die on us. When we had the virtual DC running, I did a backup of the CA to another folder on another server. You also need to back up the registry key, but more on that later. We got the bad DC demoted, and once I had the DCs back to talking, we brought the physical server that had held the FSMO roles (which we had demoted down to a member server) back up and rejoined it to the domain. Once we were back to the desktop, we installed the Enterprise CA and then restored the server using the CA backup I had run earlier.
When we tried starting the CA, it gave the error “Certificate Services did not start: Could not load or verify the current CA Certificate. MyDomain Root CA Bad Key”. OK, now what? Well, I dug some more and found we should have also exported the “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\mydomain Root CA” registry key. We went back to the virtual DC, made sure it was not connected to the domain, exported this key, and then got it moved over to the server we had this on. Did an import of the reg key, and the service then started, and away we went. Life was good and it was happy dance time.
’Til later, just Roger
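
The backup described above, taken in one pass so the registry key is not forgotten, as an added example that is not part of the original post. The backup path D:\CABackup and the output file name are assumptions; the CA name is the placeholder used in the post.

```batch
@echo off
rem Added example: back up an Enterprise CA together with its registry key.
rem Run on the CA server as a CA administrator. BACKUP_DIR is an assumed
rem path and must not already contain an earlier backup.
setlocal
set "BACKUP_DIR=D:\CABackup"
set "CA_NAME=mydomain Root CA"
set "CA_KEY=HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\%CA_NAME%"
set "REG_FILE=%BACKUP_DIR%\CertSvc-Configuration.reg"

if not exist "%BACKUP_DIR%" mkdir "%BACKUP_DIR%"

rem 1. CA database plus the CA certificate and private key (.p12).
rem    certutil prompts for a password that protects the .p12 file.
certutil -backup "%BACKUP_DIR%"
if errorlevel 1 goto failed

rem 2. The registry configuration, which the file backup does not include.
reg export "%CA_KEY%" "%REG_FILE%"
if errorlevel 1 goto failed

rem 3. Confirm all three pieces exist before relying on the backup.
if not exist "%BACKUP_DIR%\*.p12" goto failed
if not exist "%BACKUP_DIR%\DataBase\*.edb" goto failed
if not exist "%REG_FILE%" goto failed

rem The .p12 holds the CA private key: keep the backup folder on
rem access-controlled storage and record the password separately.
echo CA backup complete in %BACKUP_DIR%
exit /b 0

:failed
echo CA backup incomplete, keep the old CA server available. 1>&2
exit /b 1
```

On the replacement server the matching commands are certutil -restore against the same folder and reg import of the .reg file.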