What should you do first?

You have an offline root certification authority (CA) named CA1. CA1 is hosted on a virtual machine.
You only turn on CA1 when the CA must be patched or you must generate a key for subordinate CAs.
You start CA1, and you discover that the filesystem is corrupted.
You resolve the filesystem corruption and discover that you must reload the CA root from a backup.
When you attempt to run the Restore-CARoleService cmdlet, you receive the following error message: “The process cannot access the file because it is being used by another process.”
You need to ensure that you can restore the CA.
What should you do first?
A. Stop the Active Directory Certificate Services (AD CS) service.
B. Run the Restore-CARoleService cmdlet and specify the -Force parameter.
C. Stop the Active Directory Domain Services (AD DS) service.
D. Run the Restore-CARoleService cmdlet and specify the path to a valid CA key.


3 thoughts on “What should you do first?”

  1. 67given answer A is correct.

    https://technet.microsoft.com/en-us/library/ee126140.aspx
    If AD CS is not stopped, it locks the CA database and prevents overwriting, and you cannot run “Restore-CARoleService” and replace the corrupted CA database
    with backup media using this cmdlet: Restore-CARoleService -Path "C:\CABackup" -DatabaseOnly
    Using GUI – Certification Authority console:-
    https://blogs.technet.microsoft.com/pki/2010/04/20/disaster-recovery-procedures-for-active-directory-certificate-services-adcs/
    Restore the Certification Authority Configuration:
    1- Stop the Certificate Services service.
    2- Locate the registry file that you restored, and then double-click it to import the registry settings. If the path that is shown in the registry export from the old CA
    differs from the new path, you must adjust your registry export accordingly. By default, the new path is C:\Windows in Windows Server.
    Restore the Database and Templates to the Certification Authority:
    Use the Certification Authority snap-in to restore the CA database. To do this, follow these steps:
    1- In the Certification Authority snap-in, right-click the CA name, click All Tasks, and then click Restore CA. The Certification Authority Restore Wizard starts.
    2- Click Next
    3- Click Certificate database and certificate database log.
    4- Type the backup folder location, and then click Next.
    5- Verify the backup settings. The Issued Log and Pending Requests settings should be displayed.
    6- Click Finish, and then click Yes to restart Certificate Services when the CA database is restored.
    7- In the Certification Authority snap-in, manually add or remove certificate templates based on the templates published at the CA using the CAtemplates.txt file
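
The stop, restore, restart order described in the comment above, as an added PowerShell example (not part of the original comment or of Microsoft's documentation). It assumes an elevated session on the CA host, the backup folder C:\CABackup quoted above, and CertSvc as the service name of AD CS.

```powershell
# Added example: restore the CA database only after AD CS has released it.
$ErrorActionPreference = 'Stop'      # abort on the first failing step

$BackupPath  = 'C:\CABackup'         # folder from the comment above; adjust to your backup
$ServiceName = 'CertSvc'             # Active Directory Certificate Services
$Timeout     = [TimeSpan]::FromSeconds(60)

# Fail early if the backup folder is missing, before touching the service.
if (-not (Test-Path -Path $BackupPath -PathType Container)) {
    throw "Backup folder not found: $BackupPath"
}

# While CertSvc is running it keeps the CA database files open, which is the
# cause of "The process cannot access the file because it is being used by
# another process." Stop it and wait until it reports Stopped.
$svc = Get-Service -Name $ServiceName
if ($svc.Status -ne 'Stopped') {
    Write-Host "Stopping $ServiceName (was $($svc.Status))..."
    Stop-Service -Name $ServiceName
    $svc.WaitForStatus('Stopped', $Timeout)
}

# Restore the database from backup; the private key is left untouched.
Restore-CARoleService -Path $BackupPath -DatabaseOnly

# Reached only when the restore succeeded: bring the CA back
# and confirm that the service actually came up.
Start-Service -Name $ServiceName
$svc = Get-Service -Name $ServiceName
$svc.WaitForStatus('Running', $Timeout)
Write-Host "$ServiceName is $($svc.Status); CA database restored from $BackupPath"
```

If the restore step fails, the script stops with CertSvc still stopped, so the CA does not come back online on a half-restored database.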
