Backup and Restore
Last updated
Last updated
All the data for your AMS instance is stored in the AMS database. It is important that you regularly back up this database, and ensure that the backups are stored safely.
If you chose to install AMS using the pre-configuration SQL express instance, then you can configure backups through the App configuration/Database
screen.
If you are using Azure SQL, Amazon RDS, or an external SQL server instance, you must configure the backups manually on those host platforms.
The AMS master key protects all sensitive information inside the database. It is uniquely protected so that the AMS service account can decrypt it automatically. If that process fails, you will need a master key recovery password to restore access to the service.
From the App config/Security
page, ensure that you have created a recovery password, and store this password in an offline, secure location.
In the event that the service cannot decrypt its own master key, you'll be prompted for a recovery password when you launch the configuration tool.
If you have deployed the Access Manager Agent, you'll need to ensure you have a backup of your password encryption certificates, and their private key.
From the Access Manager Agent/Password settings
page, export the certificates that appear here. Choose a very strong password, and store the resulting PFX somewhere very safe. Preferably in offline storage. Remember that access to this key will allow someone to decrypt all the local admin passwords in your environment.
If you have have legacy (v2) agents in your environment, you'll also need to backup the certificates used to encrypt passwords stored in Active Directory. The v3 agent does not store passwords in AD, so you can skip this step if you only have v3 agents deployed.
From the Directory configuration/Active Directory/Lithnet LAPS (deprecated)
page, select the forest that contains the certificate you want to back up, and click View Certificate
. From the Details
tab, click Copy to file
, making sure to select the option to export the private key when prompted.
Stop the Lithnet Access Manager service using the Windows services console.
Download and install SQL Server Management Studio (SSMS)
Once installed, connect to the SQL express instance using the server and instance of .\AMS
in the Server
field
Follow the steps located in this guide for performing the actual restore.
Once the database has been restored, restart the Lithnet Access Manager Service from the services console
Open the configuration tool and confirm the new settings
Stop the Lithnet Access Manager service using the Windows services console.
Refer to the Azure or Amazon RDS documentation for restoring the database in their respective environments.
Once the database has been restored, restart the Lithnet Access Manager Service from the services console
Open the configuration tool and confirm the new settings
If you have an encryption key backup you want to restore, then use the AMS configuration tool to import the PFX file into the database.
This can be performing using the import
button on either the Access Manager Agent/Password settings
or Directory configuration/Active Directory/Lithnet LAPS (deprecated)
, depending on which type of encryption certificate it is.
If you lose access to the encryption certificate's private key, any current and historical passwords encrypted with that key are not recoverable. This is why backups are so important.
However, you can publish a new key, and force the agents to generate a new password and encrypt it with that key. See the guide on Recovering from a lost encryption certificate for more details.