certutil - crl gives error: The object name has bad syntax. 0x8007208f (WIN32: 8335)
Hi, I followed the details here to decommission my old PKI Root and Issuing CAs http://support.microsoft.com/kb/889250 as I had made the wrong choice of crypto provider. This seemed to go without issue and all DCs were cleaned up as per the instructions.

I then remade a single Online Enterprise Root CA on a brand new machine after reading Windows Server 2008 PKI and Certificate Security, using the following CAPolicy.inf:

[Version]
Signature = $Windows NT$

[Certsrv_Server]
RenewalKeyLength = 2048
RenewalValidityPeriodUnits = 10
RenewalValidityPeriod = years
CRLPeriod = days
CRLPeriodUnits = 2
CRLDeltaPeriodUnits = 12
CRLDeltaUnits = hours

And as post install tasks I ran the following:

::Declare Configuration NC
certutil -setreg CA\DSConfigDN CN=Configuration,DC=rotarymep,DC=com

::Define CRL Publication Intervals
certutil -setreg CA\CRLPeriodUnits 2
certutil -setreg CA\CRLPeriod "Days"
certutil -setreg CA\CRLDeltaPeriodUnits 12
certutil -setreg CA\CRLDeltaPeriod "Hours"

::Apply the required CDP Extension URLs
certutil -setreg CA\CRLPublicationURLs "65:%windir%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n79:ldap:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public Key Services,CN=Services,%%6%%10\n6:http://www.rotarymep.com/certdata/%%3%%8%%9.crl"

::Apply the required AIA Extension URLs
certutil -setreg CA\CACertPublicationURLs "1:%windir%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n3:ldap:///CN=%%7,CN=AIA,CN=Public Key Services,CN=Services,%%6%%11\n2:http://www.rotarymep.com/certdata/%%1_%%3%%4.crt"

::Enable all auditing events for the Fabrikam Corporate Root CA
certutil -setreg CA\AuditFilter 127

::Set Validity Period for Issued Certificates
certutil -setreg CA\ValidityPeriodUnits 2
certutil -setreg CA\ValidityPeriod "Years"

::Restart Certificate Services
net stop certsvc & net start certsvc
sleep 5
certutil -crl

However, running "certutil -crl" gives me the following error:

C:\Users\administrator.ROTARYMEP>certutil -crl
CertUtil: -CRL command FAILED: 0x8007208f (WIN32: 8335)
CertUtil: The object name has bad syntax.

On checking the event log I see the following errors:

Log Name: Application
Source: Microsoft-Windows-CertificationAuthority
Date: 23/09/2008 16:04:05
Event ID: 74
Task Category: None
Level: Error
Keywords: Classic
User: SYSTEM
Computer: RMEP-ENTROOTCA.rotarymep.com
Description:
Active Directory Certificate Services could not publish a Base CRL for key 0 to the following location on server RMEP-HQ-SVR001.rotarymep.com: ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10. The object name has bad syntax. 0x8007208f (WIN32: 8335).
ldap: 0x22: 0000208F: NameErr: DSID-031001D1, problem 2006 (BAD_NAME), data 8350, best match of:
'CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10']

Log Name: Application
Source: Microsoft-Windows-CertificationAuthority
Date: 23/09/2008 16:04:05
Event ID: 66
Task Category: None
Level: Error
Keywords: Classic
User: SYSTEM
Computer: RMEP-ENTROOTCA.rotarymep.com
Description:
Active Directory Certificate Services could not publish a Delta CRL for key 0 to the following location: ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10. Operation aborted 0x80004004 (-2147467260).

On checking pkiview.msc there are big red crosses for the CRL locations (website expected as not published there yet) but for LDAP it says "Unable to download".

Locations for AIA #1 are:
ldap:///CN=%7,CN=AIA,CN=Public%20Key%20Services,CN=Services,%6%11

And for CDP #1 are:
ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public%20Key%20Services,CN=Services,%6%10

On checking the filesystem I can see the following files:

C:\Users\administrator.ROTARYMEP>dir C:\Windows\System32\certsrv\CertEnroll
 Volume in drive C has no label.
 Volume Serial Number is D046-E2F6

 Directory of C:\Windows\System32\certsrv\CertEnroll

23/09/2008  16:18    <DIR>          .
23/09/2008  16:18    <DIR>          ..
23/09/2008  16:18               644 %3%8%9.crl
23/09/2008  15:35               360 nsrev_Rotary International Enterprise Root CA.asp
23/09/2008  15:35               931 RMEP-ENTROOTCA.rotarymep.com_Rotary International Enterprise Root CA.crt
23/09/2008  15:35               797 Rotary International Enterprise Root CA+.crl
23/09/2008  15:35             1,138 Rotary International Enterprise Root CA.crl
               5 File(s)          3,870 bytes
               2 Dir(s)  20,894,150,656 bytes free

The file above named %3%8%9.crl doesn't look right to me, but I'm really stumped. The CA can ping both DCs without any problem. Any ideas as to what I have done wrong?

Many thanks in advance,
Chris
September 23rd, 2008 3:27pm

Hi Chris,

Maybe not a full explanation yet... but all the variables do not get replaced by the corresponding values. Therefore the CRL file has such a weird name and the LDAP location is not found - the CA is searching for an LDAP container literally named %2, for example. As a consequence you see an error in pkiview, because you try to access an object / attribute that has not been created / populated with the CRL yet. The dir view shows that with the previous version of the CDP paths the replacement did work (files dated 15:35).

I assume that in the Published CRL Location extension of the CRL you will also see the %... variables instead of the real names of objects? If you run certutil -crl the LDAP URL is read from the CRL.

I am still trying to figure out why the variables would not get replaced - in theory the scripts should work if you mask all these variables with a % sign in a batch file. If executed directly on the command line the masking % needs to be removed. Wild guess: some specific setting for the command shell? Do you have a dump of the output of your script?

Does it change anything if you execute the command for the CDPs on the command line? I would create the text in notepad by copying it from the script and removing one % for each variable, then pasting it in a cmd window. Thus finally you should run the following from the command line:

certutil -setreg CA\CRLPublicationURLs "65:%windir%\system32\CertSrv\CertEnroll\%3%8%9.crl\n79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10\n6:http://www.rotarymep.com/certdata/%3%8%9.crl"

Other explanation: did you copy the script directly from an HTML page? I once had issues with copying these scripts between DOC and TXT, because the dash seemed to have been formatted in a different way (though invisible). Retyping the dash solved the issue. I am not sure if the same thing might happen to % signs...

BR,
Elke
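As an added illustration of the masking point above (my own example, not code from the thread or from Microsoft): a small Python model of how the CA expands the %N tokens in CRLPublicationURLs, plus a check that flags the symptom Chris saw. The token numbers follow the standard certutil variable table; the CA name, host names and DNs are constructed sample values; the CSURL_ bit names are the ones certutil -getreg prints for the numeric prefix; and the rule that a doubled %% reaching the CA becomes a literal % models what the thread's evidence shows (a file literally named %3%8%9.crl and a DN containing %7%8), which is exactly what happens when the batch-file form is pasted at an interactive prompt, where cmd.exe does not collapse %% the way it does inside a .bat file.

```python
import re

# certutil substitution tokens for CRLPublicationURLs / CACertPublicationURLs
# (standard certutil variable table; the thread's templates use %1-%4 and %6-%11).
TOKENS = {
    1: "ServerDNSName", 2: "ServerShortName", 3: "CaName", 4: "CertificateName",
    5: "DomainDN", 6: "ConfigurationContainer", 7: "CATruncatedName",
    8: "CRLNameSuffix", 9: "DeltaCRLAllowed", 10: "CDPObjectClass", 11: "CAObjectClass",
}

# Constructed sample CA values (not the thread's real environment).
SAMPLE_CA = {
    "ServerDNSName": "ca01.example.com",
    "ServerShortName": "ca01",
    "CaName": "Example Root CA",
    "CertificateName": "",          # empty for key 0, "(1)" after the first renewal
    "DomainDN": "DC=example,DC=com",
    "ConfigurationContainer": "CN=Configuration,DC=example,DC=com",
    "CATruncatedName": "Example Root CA",
    "CRLNameSuffix": "",            # empty for key 0, "(1)" after the first renewal
    "CDPObjectClass": "?certificateRevocationList?base?objectClass=cRLDistributionPoint",
    "CAObjectClass": "?cACertificate?base?objectClass=certificationAuthority",
}

# Bits in the "NN:" prefix of each entry, named as certutil -getreg prints them.
CSURL_FLAGS = {
    1: "CSURL_SERVERPUBLISH",        # publish CRLs to this location
    2: "CSURL_ADDTOCERTCDP",         # include in the CDP extension of issued certs
    4: "CSURL_ADDTOFRESHESTCRL",     # include in the freshest-CRL extension
    8: "CSURL_ADDTOCRLCDP",          # include in the IDP extension of CRLs
    64: "CSURL_SERVERPUBLISHDELTA",  # publish delta CRLs to this location
}

# %% -> literal %, %N -> token N. %10/%11 are tried before %1 so "%6%10" is %6 then %10.
TEMPLATE_RE = re.compile(r"%(%|1[01]|\d)")
TOKEN_RE = re.compile(r"%(1[01]|\d)")


def batch_to_interactive(line: str) -> str:
    """Convert a batch-file line (tokens masked as %%N) to the form typed at cmd.exe.
    Inside a .bat/.cmd file cmd collapses each %% to %; at an interactive prompt it does
    not, so the doubled form reaches the CA unchanged unless it is undoubled first."""
    return line.replace("%%", "%")


def parse_publication_urls(value: str) -> list:
    """Split a publication-URL registry string into (flags, template) pairs."""
    entries = []
    for entry in value.split("\\n"):      # certutil uses a literal backslash-n separator
        flags, _, template = entry.partition(":")
        entries.append((int(flags), template))
    return entries


def decode_flags(flags: int) -> list:
    return [name for bit, name in sorted(CSURL_FLAGS.items()) if flags & bit]


def expand_template(template: str, ca: dict, delta: bool = False) -> str:
    """Replace tokens the way the CA does when naming a CRL file or building an LDAP DN."""
    values = dict(ca)
    values["DeltaCRLAllowed"] = "+" if delta else ""   # %9 is "+" only for delta CRLs

    def _sub(m):
        key = m.group(1)
        return "%" if key == "%" else values[TOKENS[int(key)]]

    return TEMPLATE_RE.sub(_sub, template)


def find_unexpanded_tokens(text: str) -> list:
    """Return %N tokens still present in a file name, DN or URL after expansion.
    A non-empty result is the thread's symptom: the CA looks for a container literally named %2."""
    return ["%" + m.group(1) for m in TOKEN_RE.finditer(text)]


def check_registry_value(value: str, ca: dict) -> dict:
    """Expand every entry for base and delta publication and report what the CA would create."""
    report = {}
    for flags, template in parse_publication_urls(value):
        base = expand_template(template, ca)
        report[template] = {
            "flags": decode_flags(flags),
            "base": base,
            "delta": expand_template(template, ca, delta=True),
            "literal_tokens_left": find_unexpanded_tokens(base),
        }
    return report


if __name__ == "__main__":
    # The thread's CDP entries as written for a batch file (doubled %). Pasted at an
    # interactive prompt they reach the CA as-is and produce literal %3%8%9 names.
    batch_line = ("65:%windir%\\system32\\CertSrv\\CertEnroll\\%%3%%8%%9.crl"
                  "\\n79:ldap:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public Key Services,CN=Services,%%6%%10")
    for label, value in (("pasted as-is", batch_line),
                         ("undoubled", batch_to_interactive(batch_line))):
        for template, info in check_registry_value(value, SAMPLE_CA).items():
            print(label, "|", info["base"], "| tokens left:", info["literal_tokens_left"])
```

To use it against a live CA, paste the string from certutil -getreg CA\CRLPublicationURLs into check_registry_value together with the CA's real values; any entry whose literal_tokens_left list is non-empty will fail to publish exactly as in the event log above, and the base/delta names show what the CertEnroll files should be called once the tokens expand.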
September 23rd, 2008 11:21pm

Hi Elke, this was indeed a copy and paste error - I had copied the lines from the script with the %% elements in and pasted them into a command window directly, and this indeed caused the error! Silly mistake. Thanks for solving this.

Regards
Chris
September 24th, 2008 8:25pm

That's right. Some people just like me did that: when I copied the script from the book I had not even looked at the description, so I did the same thing, adding an extra % at the cmd prompt (but if you are using a batch file, in that case you do need to add the extra % before the % elements).
December 17th, 2009 6:05pm
