Re: Windows 2003 Certificate Server in Windows 2000 domain with Schema upgraded

From: Brian Komar (
Date: 01/28/05

Date: Fri, 28 Jan 2005 13:40:48 -0600

In article <>, says...
> Windows 2000 forest with 2 Windows 2000 domains. PKI Infrastructure is
> built using Windows 2000 advanced servers.
> I had added a Windows 2003 Enterprise server as a member server in the
> domain and configured Certificate server service on it.
> Windows 2003 certsrv was working fine. Issued machine certs and user
> certs.
> Now the change introduced:
> In preparation to upgrade the Windows 2000 domain to Windows 2003, I
> ran "ADPREP /FORESTPREP" on root domain and "ADPREP /DOMAINPREP" on
> both root and child domain. Also, since I have Exchange 2000 in the
> Windows 2000 forest, I followed KB314649 to avoid the mangled
> attributes.
> At this point schema is updated so that I can install the first Windows
> 2003 domain controller. However, we have not yet installed the Windows
> 2003 domain controller.
> Problem:
> My certificate issuing servers (Windows 2000) is still working fine.
> However, Windows 2003 certificate issuing server is having a problem.
> It return error indicating that revocation function failed and
> revocation server is offline. However, the revocation server is
> online.
> Do I have to have a Windows 2003 domain controllers in both root and
> child domain for this to work?
> Thanks in advance.
> Scott.
You need to run the PKI Health Tool (pkiview.msc) from the Windows
Server 2003 reskit. It sounds like you have incorrect URLs in either
the CDP or AIA extensions of the CA certificates, preventing the
certificates or CRLs from being retrieved when required.

See the Best Practices WP at