Re: Windows 2003 Certificate Server in Windows 2000 domain with Schema upgraded

From: Brian Komar (
Date: 01/28/05

Date: Fri, 28 Jan 2005 13:40:48 -0600

In article <>, says...
> Windows 2000 forest with 2 Windows 2000 domains. PKI Infrastructure is
> built using Windows 2000 advanced servers.
> I had added a Windows 2003 Enterprise server as a member server in the
> domain and configured Certificate server service on it.
> Windows 2003 certsrv was working fine. Issued machine certs and user
> certs.
> Now the change introduced:
> In preparation to upgrade the Windows 2000 domain to Windows 2003, I
> ran "ADPREP /FORESTPREP" on root domain and "ADPREP /DOMAINPREP" on
> both root and child domain. Also, since I have Exchange 2000 in the
> Windows 2000 forest, I followed KB314649 to avoid the mangled
> attributes.
> At this point schema is updated so that I can install the first Windows
> 2003 domain controller. However, we have not yet installed the Windows
> 2003 domain controller.
> Problem:
> My certificate issuing servers (Windows 2000) is still working fine.
> However, Windows 2003 certificate issuing server is having a problem.
> It return error indicating that revocation function failed and
> revocation server is offline. However, the revocation server is
> online.
> Do I have to have a Windows 2003 domain controllers in both root and
> child domain for this to work?
> Thanks in advance.
> Scott.
You need to run the PKI Health Tool (pkiview.msc) from the Windows
Server 2003 reskit. It sounds like you have incorrect URLs in either
the CDP or AIA extensions of the CA certificates, preventing the
certificates or CRLs from being retrieved when required.

See the Best Practices WP at


Relevant Pages

  • Site-tosite VPN Issue
    ... Windows Server 2003 domain controller ... Mixture of PCs running Windows 2000 Profressional with SP3 and Windows XP ... the VPN to the Windows Server 2003 domain controller. ... 12.7MB file from the server to the client PC. ...
  • Re: Need help configuring Wireless Connection profile
    ... and I can only use the intel OR windows utility, not both at the same time. ... Windows authentication for all users,4129,LRG\ryanv,4149,Wireless WPA2 ... SMALL BUSINESS SERVER: ... STEP #1 Install Certificate Services ...
  • Cannot sync Windows mobile with sbs2003 server
    ... Windows Mobile OS to the SBS2003 server at work so that he can read e-mails. ... What certificate do Microsoft recommend here, and where can this be bought? ...
  • RE: Internet Connection Wizard failing at Firewall Config and Secu
    ... You can use the Dcdiag.exe (Domain Controller Diagnostic Tool) included ... in Windows Support Tools to verify the AD status. ... Windows Server 2003 Active Directory Diagnostics, ...
  • RE: Provide feedback to DC promotion/replacement
    ... one of the is reffering to a Windows 2000 ... As i sad in the previous posts, to rename a domain controller ... controllers in the domain must be running Windows Server 2003. ... a global catalog. ...