Migrating Windows 2003 CA to Windows 2008 R2 Error Help
Hi all,

By following http://smtpport25.wordpress.com/2010/01/16/migrating-windows-certificate-authority-server-from-windows-2003-standard-to-windows-2008-enterprise-server/, I was able to migrate the Windows 2003 CA to a Windows 2008 R2 CA. But, on the Windows 2008 CA server, I get error ID 66, 74 and 75 daily. The Windows 2003 CA server is Win2K3Old and the Windows 2008 CA server is Win2K8New. Our root domain is dc=mycompany, dc=local. Here are the errors:

Event ID: 66
Active Directory Certificate Services could not publish a Delta CRL for key 0 to the following location: ldap:///CN=Win2K3Old,CN=Win2K8New,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=mycompany,DC=local. Operation aborted 0x80004004 (-2147467260).

Event ID: 66
Active Directory Certificate Services could not publish a Delta CRL for key 0 to the following location: ldap:///CN=Win2K3Old,CN=Win2K3Old,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=mycompany,DC=localWin2K3Old. Operation aborted 0x80004004 (- 2147467260).

Event ID: 74
Active Directory Certificate Services could not publish a Base CRL for key 1 to the following location on server Win2K8New.us.mycompany.local: ldap:///CN=Win2K3Old(1),CN=Win2K3Old,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=mycompany,DC=localWin2K3Old. A referral was returned from the server. 0x8007202b (WIN32: 8235). ldap: 0xa: 0000202B: RefErr: DSID-031007EF, data 0, 1 access points ref 1: 'mycompany.localWin2K3Old'

Event ID: 75
Active Directory Certificate Services could not publish a Delta CRL for key 1 to the following location on server Win2K8New.us.mycompany.local: ldap:///CN=Win2K3Old(1),CN=Win2K3Old,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=mycompany,DC=localWin2K3Old. A referral was returned from the server. 0x8007202b (WIN32: 8235). ldap: 0xa: 0000202B: RefErr: DSID-031007EF, data 0, 1 access points ref 1: 'mycompany.localWin2K3Old'

-----------------------

Is there a way to get rid of these errors?
Thank you for your help.
July 24th, 2012 2:42pm

I'm sorry, but you used the wrong guide. The correct guide is here: http://technet.microsoft.com/en-us/library/ee126170(WS.10).aspx

My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com Windows PKI reference: on TechNet wiki
July 24th, 2012 3:52pm

Hi Vadims,

Sorry, by mistake. Actually, I used http://technet.microsoft.com/en-us/library/ee126140(v=ws.10)

See my previous post; I do not have answers. Can you help? http://social.technet.microsoft.com/Forums/en/winserversecurity/thread/9b66014d-c780-4336-86ae-1b850d8ffe40

I cannot manually publish a CRL. I just wonder whether the LDAP path still points to the old Windows 2003 CA server, and I do not know whether this could be the reason?

Thank you.
July 24th, 2012 4:34pm

> Sorry by mistake. actually i used http://technet.microsoft.com/en-us/library/ee126140(v=ws.10)

Why did you mention a different link (with a similar subject)? It is less likely to get this error when using the correct guide.

> just wonder the ldap path still points to old windows 2003 CA server and do not know whether this could be the reason?

Can you show the output of the following command:

certutil -getreg ca\crlpublicationurls
July 24th, 2012 4:42pm

OK, just publish them manually:

certutil -dspublish -f crlfilename.crl Win2k3Old
certutil -dspublish -f crlfilename(1).crl Win2k3Old

Note that you must use this command for each CA key (which is identified by a number in parentheses).
July 24th, 2012 5:05pm

Hi Vadims,

With the above, these can be published without error. If I shut down the Win2k3old server, will these still work?

Also, 3. Will the key CAname under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CertSvc\Configuration] be updated to the new win08 CA server manually? See the key marked as 'old' under Configuration; the old is the Windows 2003 CA server name. Should I change it to the Windows 2008 CA server name?

Thank you for your great help.
July 24th, 2012 5:14pm

Thank you for clarifying everything. I made a mistake on this "verifying certificate extensions" step from the MS document:

Verify extensions
If the destination server name is different from the source server name, add an LDAP URL specifying a location that references the destination server's NetBIOS name with the substitution variable <ServerShortName>; for example
ldap:///CN=<CATruncatedName><CRLNameSuffix>,CN=<ServerShortName>,CN=CDP,CN=Public Key Services,CN=Services,<ConfigurationContainer><CDPObjectClass>

I changed to the old source name in <ServerShortName>, and the errors are gone. You are the true MVP. Thank you for taking time to help.
July 26th, 2012 11:02am
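
Added example, not part of the thread and not code from any poster: a small Python check that parses the ldap:/// publication URLs quoted in events 66 and 74 and reports why each one fails, including that the DC= components of the failing URL spell the same domain as the referral in events 74 and 75 ('mycompany.localWin2K3Old'). The function names, the SAMPLES list and the choice of Win2K3Old as the expected container (taken from the last post) are assumptions of this example.

```python
import re

# Root domain as stated in the first post (dc=mycompany,dc=local).
CDP_BASE = ("CN=CDP,CN=Public Key Services,CN=Services,"
            "CN=Configuration,DC=mycompany,DC=local")

def split_dn(dn):
    """Split a distinguished name into RDNs on unescaped commas."""
    return [p.strip() for p in re.split(r"(?<!\\),", dn) if p.strip()]

def dc_domain(rdns):
    """DNS domain implied by the DC= components of the DN."""
    return ".".join(r[3:] for r in rdns if r.upper().startswith("DC="))

def check_cdp_url(url, expected_container):
    """Return findings for one ldap:/// CRL publication URL ([] means OK)."""
    if not url.lower().startswith("ldap:///"):
        return ["not an ldap:/// URL"]
    rdns = split_dn(url[len("ldap:///"):].split("?", 1)[0])
    base = split_dn(CDP_BASE)
    if len(rdns) != len(base) + 2:
        return ["expected CN=<crl>,CN=<container>," + CDP_BASE]
    findings = []
    # Compare everything after CN=<crl>,CN=<container> with the forest's CDP path.
    bad = [got for got, want in zip(rdns[2:], base)
           if got.lower() != want.lower()]
    if bad:
        findings.append("unexpected RDN(s) %s; DN names domain '%s'"
                        % (", ".join(bad), dc_domain(rdns)))
    if rdns[1].lower() != ("cn=" + expected_container).lower():
        findings.append("CRL container is %s, expected CN=%s"
                        % (rdns[1], expected_container))
    return findings

_TAIL = ",CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=mycompany,"
SAMPLES = [
    # Copied from the Event ID 66 and Event ID 74 text in the first post.
    "ldap:///CN=Win2K3Old,CN=Win2K8New" + _TAIL + "DC=local",
    "ldap:///CN=Win2K3Old(1),CN=Win2K3Old" + _TAIL + "DC=localWin2K3Old",
    # Constructed: the same object with an intact forest suffix.
    "ldap:///CN=Win2K3Old(1),CN=Win2K3Old" + _TAIL + "DC=local",
]

if __name__ == "__main__":
    for url in SAMPLES:
        # Expected container: the old CA host name, per the last post.
        print(url, check_cdp_url(url, "Win2K3Old") or "OK", sep="\n  ")
```

Feeding it the expanded URLs from the CA's event log is a quick way to tell a malformed directory suffix (referral, 0x8007202b) apart from a CRL that is simply being written to a different server container.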
