Author: Guest
Posted: Sat Jan 29, 2005 12:46 am
Post subject: Windows 2003 Certificate Server in Windows 2000 domain with

Windows 2000 forest with 2 Windows 2000 domains. PKI Infrastructure is
built using Windows 2000 advanced servers.
I had added a Windows 2003 Enterprise server as a member server in the
domain and configured Certificate server service on it.
Windows 2003 certsrv was working fine. Issued machine certs and user
certs.
Now the change introduced:
In preparation to upgrade the Windows 2000 domain to Windows 2003, I
ran "ADPREP /FORESTPREP" on root domain and "ADPREP /DOMAINPREP" on
both root and child domain. Also, since I have Exchange 2000 in the
Windows 2000 forest, I followed KB314649 to avoid the mangled
attributes.
At this point schema is updated so that I can install the first Windows
2003 domain controller. However, we have not yet installed the Windows
2003 domain controller.
Problem:
My certificate issuing servers (Windows 2000) are still working fine.
However, Windows 2003 certificate issuing server is having a problem.
It returns an error indicating that revocation function failed and
revocation server is offline. However, the revocation server is
online.
Do I have to have Windows 2003 domain controllers in both root and
child domain for this to work?
Thanks in advance.
Scott.
|
| Back to top |
|
 |
Brian Komar
Guest
|
Posted:
Sat Jan 29, 2005 1:40 am Post subject:
Re: Windows 2003 Certificate Server in Windows 2000 domain w |
|
|
In article <1106937997.481299.106410@z14g2000cwz.googlegroups.com>,
scottklee@msn.com says...
> Windows 2000 forest with 2 Windows 2000 domains. PKI Infrastructure is
> built using Windows 2000 advanced servers.
> I had added a Windows 2003 Enterprise server as a member server in the
> domain and configured Certificate server service on it.
> Windows 2003 certsrv was working fine. Issued machine certs and user
> certs.
> Now the change introduced:
> In preparation to upgrade the Windows 2000 domain to Windows 2003, I
> ran "ADPREP /FORESTPREP" on root domain and "ADPREP /DOMAINPREP" on
> both root and child domain. Also, since I have Exchange 2000 in the
> Windows 2000 forest, I followed KB314649 to avoid the mangled
> attributes.
> At this point schema is updated so that I can install the first Windows
> 2003 domain controller. However, we have not yet installed the Windows
> 2003 domain controller.
> Problem:
> My certificate issuing servers (Windows 2000) are still working fine.
> However, Windows 2003 certificate issuing server is having a problem.
> It returns an error indicating that revocation function failed and
> revocation server is offline. However, the revocation server is
> online.
> Do I have to have Windows 2003 domain controllers in both root and
> child domain for this to work?
> Thanks in advance.
> Scott.

You need to run the PKI Health Tool (pkiview.msc) from the Windows
Server 2003 reskit. It sounds like you have incorrect URLs in either
the CDP or AIA extensions of the CA certificates, preventing the
certificates or CRLs from being retrieved when required.
See the Best Practices WP at
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/maintain/operate/ws3PKIBP.asp
Brian

Author: Guest
Posted: Mon Jan 31, 2005 6:47 am
Post subject: Re: Windows 2003 Certificate Server in Windows 2000 domain w

Thanks for your help.
Digging through the revocation list in my PKI hierarchy, one of the
intermediate CAs was out of date. It just happened to be on the exact
same date as the day that I upgraded my Schema. It had nothing to do
with the schema update.
Thanks.
Brian Komar wrote:
> In article <1106937997.481299.106410@z14g2000cwz.googlegroups.com>,
> scottklee@msn.com says...
>> Windows 2000 forest with 2 Windows 2000 domains. PKI Infrastructure is
>> built using Windows 2000 advanced servers.
>> I had added a Windows 2003 Enterprise server as a member server in the
>> domain and configured Certificate server service on it.
>> Windows 2003 certsrv was working fine. Issued machine certs and user
>> certs.
>> Now the change introduced:
>> In preparation to upgrade the Windows 2000 domain to Windows 2003, I
>> ran "ADPREP /FORESTPREP" on root domain and "ADPREP /DOMAINPREP" on
>> both root and child domain. Also, since I have Exchange 2000 in the
>> Windows 2000 forest, I followed KB314649 to avoid the mangled
>> attributes.
>> At this point schema is updated so that I can install the first Windows
>> 2003 domain controller. However, we have not yet installed the Windows
>> 2003 domain controller.
>> Problem:
>> My certificate issuing servers (Windows 2000) are still working fine.
>> However, Windows 2003 certificate issuing server is having a problem.
>> It returns an error indicating that revocation function failed and
>> revocation server is offline. However, the revocation server is
>> online.
>> Do I have to have Windows 2003 domain controllers in both root and
>> child domain for this to work?
>> Thanks in advance.
>> Scott.
> You need to run the PKI Health Tool (pkiview.msc) from the Windows
> Server 2003 reskit. It sounds like you have incorrect URLs in either
> the CDP or AIA extensions of the CA certificates, preventing the
> certificates or CRLs from being retrieved when required.
> See the Best Practices WP at
> http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/maintain/operate/ws3PKIBP.asp
> Brian