PKI 2003 - Error using "dspublish" to add the root certificate to container "Certification Authorities"
Hi all, I've stumbled into a little problem while setting up a Microsoft 2003 PKI. It is going to be a two level hierarchy with an offline root CA (only with http for AIA and CDP since it is going to be used as trust in two ADs) and an enterprise Issuing CA which is member of the domain. What I would like to achieve is to add the Root CA's certificate to the Active Directory forest configuration container Certification Authorities so all clients trust it by default. For this I usually use the command certutil -v -dsPublish, but this time I receive an error in the production environment:

    C:\>certutil -v -dsPublish -dc DomainController "c:\catransfer\cacert\ROOTCACer.crt" RootCA
    ldap:///CN= Root CA,CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=domain,DC=local?cACertificate
    ldap: 0x20: 0000208D: NameErr: DSID-031001CD, problem 2001 (NO_OBJECT), data 0, best match of:
    'CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=domain,DC=local'
    CertUtil: -dsPublish command FAILED: 0x8007208d (WIN32: 8333)
    CertUtil: Directory object not found.

    C:\>

As the output shows, there's a ?cACertificate too much in the returned LDAP path, but the best match is correct. I've searched the Internet since this is the first time I've seen this error and only found hints that it has to do with the FSMO roles. I used Netdom query FSMO to ensure that all roles are running on active servers. I've also run dcdiag on the five domain controllers, which did not show any errors. To ensure that there is nothing wrong with the RootCA certificate I have imported it without errors into another environment. My question is if anyone has seen this error before or if there is another method to import the RootCA certificate than using the dsPublish command?
(I might mention that when I started to look at the AD I noticed that they were using a Bind DNS and not the AD DNS, but it seemed to be set up correctly and with the right service records.)
Thanks in advance for any help.
/Bendji
April 22nd, 2009 10:21am

Hi, since you're using a standalone CA which is not a member of AD, there is no information about it; that's why "problem 2001 (NO_OBJECT)" occurs. Let's try to use SubCA instead.

    certutil -v -dsPublish -dc DomainController "c:\catransfer\cacert\ROOTCACer.crt" SubCA

Or

    certutil -f -dsPublish -dc DomainController "c:\catransfer\cacert\ROOTCACer.crt" SubCA

If we still cannot get it to work, please help to collect the following information for research.

    ldifde -f ca.txt -d "CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=domain,DC=local" -p subtree

Please use Windows Live SkyDrive (http://www.skydrive.live.com/) to upload the file and then give me the download address. Thanks. This posting is provided "AS IS" with no warranties, and confers no rights.
April 23rd, 2009 6:39am

Hi Marvyn, thanks for the reply. Tried with the SubCA also; this gave the same error. But since it's a RootCA certificate I would like it to be placed both in the "Certification Authorities" container and in the "AIA" container. That's why I used the "RootCA" command and not the "SubCA" command. I've done some testing and if I use the "-f" it works, and as certutil states the "-f" attribute is used to "create the DS object", so this makes sense. I'm just sure that I read somewhere that this attribute was not necessary and could actually result in the creation of a new store if something was misspelled (since -f also means "force"), but that might have been in some other scenario. In this case I will just use the "-f" and continue.
/Benjamin
April 24th, 2009 3:26pm
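A verification script for the step Benjamin describes, added here as an example and not part of the thread or of certutil itself: after publishing with -f it lists every certificationAuthority object under the Certification Authorities and AIA containers and checks that one of them carries the same certificate as the local .crt file (by thumbprint), so a misspelled DN that caused -f to create a stray object would show up as an extra entry that does not match. It assumes Windows PowerShell on a domain-joined machine (System.DirectoryServices is available), the file path from the thread, and that the optional -Server switch names the same DC you passed to certutil -dc; the container DNs are derived from RootDSE rather than the placeholder DC=domain,DC=local.

```powershell
<#
  Added example, not code from the thread. Checks that a root CA certificate was
  really published into CN=Certification Authorities and CN=AIA under
  CN=Public Key Services,CN=Services,<configuration NC>, and that the stored
  cACertificate value matches the local .crt file.
#>
param(
    [string]$CertPath = 'C:\catransfer\cacert\ROOTCACer.crt',  # path from the thread (assumed)
    [string]$Server   = ''                                     # optional DC, like certutil -dc
)

# Thumbprint of the certificate we expect to find in the directory
$expected = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath
Write-Host ("Local file : {0} [{1}]" -f $expected.Subject, $expected.Thumbprint)

# Resolve the configuration naming context from RootDSE instead of hard-coding it
$prefix   = if ($Server) { "LDAP://$Server/" } else { 'LDAP://' }
$configNC = [string]([ADSI]"${prefix}RootDSE").configurationNamingContext

$ok = $true
foreach ($container in 'Certification Authorities', 'AIA') {
    $dn = "CN=$container,CN=Public Key Services,CN=Services,$configNC"

    # The NO_OBJECT error in the thread named this container as "best match":
    # confirm the container itself exists before looking for CA objects inside it
    if (-not [System.DirectoryServices.DirectoryEntry]::Exists("$prefix$dn")) {
        Write-Warning "Container missing: $dn"
        $ok = $false
        continue
    }

    # Enumerate every CA object directly under the container (stray objects included)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]"$prefix$dn"
    $searcher.Filter      = '(objectClass=certificationAuthority)'
    $searcher.SearchScope = 'OneLevel'
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('cn', 'cACertificate'))

    $found = $false
    foreach ($result in $searcher.FindAll()) {
        $name = $result.Properties['cn'][0]
        # cACertificate is multi-valued; each value is the DER encoding of one certificate
        foreach ($der in $result.Properties['cacertificate']) {
            $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$der)
            $match = ($cert.Thumbprint -eq $expected.Thumbprint)
            if ($match) { $found = $true }
            $flag = if ($match) { '<- matches local file' } else { '' }
            Write-Host ("  {0,-26} {1,-30} {2} {3}" -f $container, $name, $cert.Thumbprint, $flag)
        }
    }

    if (-not $found) {
        Write-Warning ("{0} is not published under {1}" -f $expected.Subject, $dn)
        $ok = $false
    }
}

if ($ok) { Write-Host 'Root CA certificate is published in both containers.' } else { exit 1 }
```

Run it from the Issuing CA or any domain-joined admin workstation right after the certutil -f -dsPublish step; any object listed without the "matches local file" marker is either a different CA that legitimately lives in the forest or an object created under a wrong name, which is exactly the side effect of -f that the reply above is worried about.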
