certutil -backupdb ... incremental like in the Managing doc - FAILED directory not empty

George Ellis
Oct 3, 2007, 3:50:21 PM
I am trying to figure out what is the issue here. Apparently "Incremental"
is temperamental. In the MS "Managing a Windows Server 2003 Public Key
Infrastructure" doc (web, page 30 if you take the time to convert it to a
doc), there is a section "To configure an hourly differential backup of the
CA Database" (sic). In the list, it gives how to set up incremental backups
hourly.

SCHTASKS /Create /RU system /SC daily /ST 01:00 /TN "CA Differential Backup" /TR "certutil -backupdb c:\CABackup incremental keeplog"
SCHTASKS /Create /RU system /SC daily /ST 02:00 /TN "CA Differential Backup" /TR "certutil -backupdb c:\CABackup incremental keeplog"
SCHTASKS /Create /RU system /SC daily /ST 03:00 /TN "CA Differential Backup" /TR "certutil -backupdb c:\CABackup incremental keeplog"
SCHTASKS /Create /RU system /SC daily /ST 04:00 /TN "CA Differential Backup" /TR "certutil -backupdb c:\CABackup incremental keeplog"

I wanted to experiment and see what the results are. I found the following.
You have to do a full first.

"certutil -backupdb c:\CABackup"

But from that point on, you get the following if you do:

"certutil -backupdb c:\CABackup incremental keeplog"

response:

"Incremental database backup target directory: c:\cabackup.
CertUtil: -backupDB command FAILED: 0x80070091 (WIN32/HTTP: 145)
CertUtil: The directory is not empty"

HMMMMMM.....
That implies that if you scheduled this task as described, it will work
exactly once. (yep did the cacls - using the CA Backup Operator or CA PKI
Administrator (described in the rest of the doc)).

-f forces the files to be replaced, but that does not appear to be
incremental.

I don't need this on our first ECA, but it could happen on the next one.
What is the issue here?


Brian Komar
Oct 3, 2007, 7:59:01 PM
The issue is that you need to do some sort of rotation for target
directories. Certutil will not perform to a directory containing an existing
backup.
What you could do is create additional subdirectories below c:\CABackup so
that the backups are writing to empty folders.

Brian

George Ellis
Oct 4, 2007, 9:59:16 AM
I figured that if it was working 'as designed' instead of 'as documented',
it would be like that. Looks like hourly, daily directories are in order
with -f.

Thanks Brian.

BTW, another book tip for the revision under Manual backup discussion (where
failover might be to a different server). We are going to use NetBackup
with encryption, so jobbing the backups through certutil and then creating
the backup on the backup store.

Add this code sample to backup the registry.

ECHO Y | %windir%\system32\reg.exe EXPORT "HKLM\SYSTEM\CurrentControlSet\Services\CertSVc\Configuration\CA" F:\CABackup\CARegBackup.REG


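An added example, not code from either poster or from the Microsoft doc: one way to script the rotation discussed in this thread, so that every certutil run gets an empty target directory. The function name Invoke-CABackup, the yyyy-MM-dd day folders, the Full-/Incr- subfolder names and the full.ok marker file are all assumptions; the certutil arguments, backup root and registry key are the ones quoted above.

```powershell
# Added example (hypothetical script). Run as an account allowed to back up the CA.
$ErrorActionPreference = 'Stop'

function Invoke-CABackup {
    param(
        [string]$Root = 'C:\CABackup',     # backup root used in the thread
        [datetime]$Now = (Get-Date)
    )
    $dayDir = Join-Path $Root $Now.ToString('yyyy-MM-dd')
    $marker = Join-Path $dayDir 'full.ok'  # assumed marker: written only after a good full backup
    $isFull = -not (Test-Path $marker)

    # First successful run of the day is a full backup, later runs are incremental.
    if ($isFull) { $prefix = 'Full-' } else { $prefix = 'Incr-' }
    $target = Join-Path $dayDir ($prefix + $Now.ToString('HHmmss'))

    # certutil fails with 0x80070091 on a non-empty target, so never reuse one.
    if ((Test-Path $target) -and (Get-ChildItem -Force $target)) {
        throw "Target $target is not empty; refusing to reuse it."
    }
    New-Item -ItemType Directory -Path $target -Force | Out-Null

    if ($isFull) {
        & certutil.exe -backupdb $target | Out-Host
    } else {
        & certutil.exe -backupdb $target incremental keeplog | Out-Host
    }
    if ($LASTEXITCODE -ne 0) {
        throw "certutil -backupdb failed (exit code $LASTEXITCODE) for $target"
    }

    # Registry export as posted in the thread, written next to the database backup.
    $regFile = Join-Path $target 'CARegBackup.REG'
    & reg.exe EXPORT 'HKLM\SYSTEM\CurrentControlSet\Services\CertSVc\Configuration\CA' $regFile | Out-Host
    if ($LASTEXITCODE -ne 0) {
        throw "reg export failed (exit code $LASTEXITCODE)"
    }

    # Record the full backup only after both steps succeeded.
    if ($isFull) { Set-Content -Path $marker -Value $Now.ToString('o') }
    return $target
}

Invoke-CABackup
```

A failed run leaves its folder behind without a full.ok marker, so the next run starts a fresh full backup in a new folder instead of writing into the partial one.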
