Migrating Windows 2003 CA to Windows 2008 R2 Error Help
Hi all,
By following
http://smtpport25.wordpress.com/2010/01/16/migrating-windows-certificate-authority-server-from-windows-2003-standard-to-windows-2008-enterprise-server/, I was able to migrate Windows 2003 CA to Windows 2008 R2 CA.
But on the Windows 2008 CA server I get errors with event IDs 66, 74 and 75 daily. The Windows 2003 CA server is Win2K3Old and the Windows 2008 CA server is Win2K8New. Our root domain is dc=mycompany, dc=local.
Here are errors:
Event ID: 66
Active Directory Certificate Services could not publish a Delta CRL for key 0 to the following location: ldap:///CN=Win2K3Old,CN=Win2K8New,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=mycompany,DC=local. Operation aborted 0x80004004 (-2147467260).

Event ID: 66
Active Directory Certificate Services could not publish a Delta CRL for key 0 to the following location: ldap:///CN=Win2K3Old,CN=Win2K3Old,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=mycompany,DC=localWin2K3Old. Operation aborted 0x80004004 (-2147467260).

Event ID: 74
Active Directory Certificate Services could not publish a Base CRL for key 1 to the following location on server Win2K8New.us.mycompany.local: ldap:///CN=Win2K3Old(1),CN=Win2K3Old,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=mycompany,DC=localWin2K3Old. A referral was returned from the server. 0x8007202b (WIN32: 8235).
ldap: 0xa: 0000202B: RefErr: DSID-031007EF, data 0, 1 access points
ref 1: 'mycompany.localWin2K3Old'

Event ID: 75
Active Directory Certificate Services could not publish a Delta CRL for key 1 to the following location on server Win2K8New.us.mycompany.local: ldap:///CN=Win2K3Old(1),CN=Win2K3Old,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=mycompany,DC=localWin2K3Old. A referral was returned from the server. 0x8007202b (WIN32: 8235).
ldap: 0xa: 0000202B: RefErr: DSID-031007EF, data 0, 1 access points
ref 1: 'mycompany.localWin2K3Old'
-----------------------
Is there a way to get rid of these errors?
Thank you for your help.
July 24th, 2012 2:42pm
I'm sorry, but you used the wrong guide. The correct guide is here:
http://technet.microsoft.com/en-us/library/ee126170(WS.10).aspx
My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
Windows PKI reference:
on TechNet wiki
July 24th, 2012 3:52pm
Hi Vadims,
Sorry, my mistake. Actually I used
http://technet.microsoft.com/en-us/library/ee126140(v=ws.10)
See my previous post, for which I do not have answers. Can you help?
http://social.technet.microsoft.com/Forums/en/winserversecurity/thread/9b66014d-c780-4336-86ae-1b850d8ffe40
I cannot manually publish a CRL.
I just wonder whether the LDAP path still pointing to the old Windows 2003 CA server could be the reason?
Thank you.
July 24th, 2012 4:34pm
> Sorry by mistake. actually i used http://technet.microsoft.com/en-us/library/ee126140(v=ws.10)
Why did you mention a different link (with a similar subject)? It is less likely to get this error when using the correct guide.
> just wonder the ldap path still points to old windows 2003 CA server and do not know whether this could be the reason?
can you show the output of the following command:
certutil -getreg ca\crlpublicationurls
July 24th, 2012 4:42pm
OK, just publish them manually:
certutil -dspublish -f crlfilename.crl Win2k3Old
certutil -dspublish -f crlfilename(1).crl Win2k3Old
Note that you must use this command for each CA key (which is identified by a number in parentheses).
July 24th, 2012 5:05pm
Hi Vadims,
With the above, these can be published without error.
If I shut down the Win2k3old server, will these still work?
Also,
Will the key CAname under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CertSvc\Configuration be updated to the new Win08 CA server manually?
See the key marked as 'old' under Configuration; the old one is the Windows 2003 CA server name. Should I change it to the Windows 2008 CA server name?
Thank you for your great help.
July 24th, 2012 5:14pm
Thank you for clarifying everything.
I made a mistake on this "Verify extensions" step from the MS document:
Verify extensions
If the destination server name is different from the source server name, add an LDAP URL specifying a location that references the destination server's NetBIOS name with the substitution variable <ServerShortName>; for example ldap:///CN=<CATruncatedName><CRLNameSuffix>,CN=<ServerShortName>,CN=CDP,CN=Public Key Services,CN=Services,<ConfigurationContainer><CDPObjectClass>
I changed <ServerShortName> to the old source name, and the errors are gone.
You are the true MVP.
Thank you for taking time to help.
July 26th, 2012 11:02am
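The two fixes discussed in the thread, the per-key certutil -dspublish workaround and the CDP LDAP URL whose <ServerShortName> (%2) must still match the container that already-issued certificates point at, can be checked before touching the CA. The PowerShell below is an added example, not code from the thread, from Microsoft or from the linked migration guides. It parses the CRLPublicationURLs list in the form "certutil -getreg CA\CRLPublicationURLs" prints it, expands the %-tokens for every CA key (base and delta CRL), flags LDAP locations whose CDP container is not the one existing certificates reference, and prints the manual publish commands for each key. The CA name "Win2K3Old" (kept across the migration), the new host "Win2K8New", the domain and the certutil output text are all constructed for the example.

```powershell
# Added example: audit a migrated CA's CRL publication templates and derive
# the per-key "certutil -dspublish" commands. Everything below that names a
# server, CA or domain is an assumed sample value, not data from the thread.

# Constructed stand-in for the output of: certutil -getreg CA\CRLPublicationURLs
# Flag 65 = 1+64 (publish base+delta to file); 79 = 1+2+4+8+64 (publish to AD
# and include the URL in the CDP / FreshestCRL extensions).
$SampleGetReg = @'
  CRLPublicationURLs REG_MULTI_SZ =
    0: 65:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl
    1: 79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10
'@

# certutil CSURL_* flag bits that decide whether the CA writes CRLs to an entry
$CSURL_SERVERPUBLISH      = 1    # base CRLs are written here
$CSURL_SERVERPUBLISHDELTA = 64   # delta CRLs are written here

# Token values for this CA (assumed). %1 ServerDNSName, %2 ServerShortName,
# %3 CAName, %6 ConfigurationContainer, %7 CATruncatedName. %8/%9/%10 are
# filled in per key and per CRL type by Expand-CrlUrl.
$Vars = @{
    '1' = 'Win2K8New.us.mycompany.local'
    '2' = 'Win2K8New'
    '3' = 'Win2K3Old'
    '6' = 'CN=Configuration,DC=mycompany,DC=local'
    '7' = 'Win2K3Old'
}

function Get-CrlPublicationTemplates {
    param([string[]]$GetRegOutput)
    foreach ($line in $GetRegOutput) {
        # entry lines look like "    1: 79:ldap:///CN=%7%8,..."  (index: flags:template)
        if ($line -match '^\s*\d+:\s*(\d+):(.+)$') {
            [pscustomobject]@{ Flags = [int]$Matches[1]; Template = $Matches[2].Trim() }
        }
    }
}

function Expand-CrlUrl {
    param([string]$Template, [hashtable]$Vars, [int]$KeyIndex, [switch]$Delta)
    $v = $Vars.Clone()
    $v['8'] = if ($KeyIndex -eq 0) { '' } else { "($KeyIndex)" }   # CRLNameSuffix
    $v['9'] = if ($Delta) { '+' } else { '' }                        # DeltaCRLAllowed
    $attr   = if ($Delta) { 'deltaRevocationList' } else { 'certificateRevocationList' }
    $v['10'] = "?$attr?base?objectClass=cRLDistributionPoint"        # CDPObjectClass
    $url = $Template
    # replace longer token names first so "%10" is not consumed as "%1" + "0"
    foreach ($k in ($v.Keys | Sort-Object -Property Length -Descending)) {
        $url = $url.Replace("%$k", [string]$v[$k])
    }
    return $url
}

function Get-CrlPublicationReport {
    param([object[]]$Templates, [hashtable]$Vars, [int]$MaxKeyIndex, [string]$ExpectedContainer)
    foreach ($t in $Templates) {
        foreach ($k in 0..$MaxKeyIndex) {
            foreach ($delta in @($false, $true)) {
                $bit = if ($delta) { $CSURL_SERVERPUBLISHDELTA } else { $CSURL_SERVERPUBLISH }
                if (($t.Flags -band $bit) -eq 0) { continue }   # CA never writes here
                $url = Expand-CrlUrl -Template $t.Template -Vars $Vars -KeyIndex $k -Delta:$delta
                # in an AD CDP URL the second RDN is the container certificates point at
                $container = if ($url -match '^ldap:///CN=[^,]+,CN=([^,]+),CN=CDP,') { $Matches[1] } else { $null }
                [pscustomobject]@{
                    Key       = $k
                    Kind      = if ($delta) { 'Delta' } else { 'Base' }
                    Container = $container
                    Ok        = ($null -eq $container) -or ($container -ieq $ExpectedContainer)
                    Url       = $url
                }
            }
        }
    }
}

function Get-DsPublishCommands {
    # one "certutil -dspublish -f <crl> <container>" per CA key and per CRL type;
    # the container argument is the CDP container existing certificates reference
    param([string]$CertEnrollDir, [string]$CaName, [int]$MaxKeyIndex, [string]$Container)
    foreach ($k in 0..$MaxKeyIndex) {
        $suffix = if ($k -eq 0) { '' } else { "($k)" }
        foreach ($plus in @('', '+')) {
            "certutil -dspublish -f `"$CertEnrollDir\${CaName}${suffix}${plus}.crl`" $Container"
        }
    }
}

# Run against the constructed sample. On a real CA replace the sample text with
# (certutil -getreg CA\CRLPublicationURLs) and set $Vars from that CA.
$templates = Get-CrlPublicationTemplates -GetRegOutput ($SampleGetReg -split "`r?`n")
$report    = Get-CrlPublicationReport -Templates $templates -Vars $Vars -MaxKeyIndex 1 -ExpectedContainer 'Win2K3Old'
$report | Format-Table Key, Kind, Container, Ok, Url -AutoSize

if ($report | Where-Object { -not $_.Ok }) {
    "LDAP CRLs are published under CN=$($Vars['2']) but existing certificates reference CN=Win2K3Old."
    "Until CRLPublicationURLs is corrected, publish each key's CRLs by hand:"
    Get-DsPublishCommands -CertEnrollDir 'C:\Windows\system32\CertSrv\CertEnroll' -CaName $Vars['3'] -MaxKeyIndex 1 -Container 'Win2K3Old'
}
```

With the sample values the report marks both LDAP rows for each key as not Ok, because %2 now expands to Win2K8New while certificates issued before the migration carry CN=Win2K3Old as the container, which is the mismatch the thread ends on. The script only reads and prints; changing the list with certutil -setreg CA\CRLPublicationURLs takes effect after the CertSvc service is restarted, and certutil -dspublish needs rights to write to the CDP container in the Configuration partition (the CA's computer account has them through Cert Publishers; an interactive user generally needs Enterprise Admins).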