Active Directory Certificate Services cannot publish revocation list after renewal with new private Key


In summary:

  • I had a working offline root CA and an AD integrated CA working fine
  • I renewed the certificate with the same private key and all was good
  • I then renewed the certificate with a new private key and I can no longer publish the revocation list. HTTP was published, but LDAP was not. The AIA, both LDAP and HTTP, were OK
  • I then rebuilt the subordinate and renewed with a new private key and it failed both the AIA and CRL
  • I then rebuilt the subordinate and renewed again with the same private public key, and both the AIA and CRL can be published to HTTP and LDAP. The HTTP does create a second certificate file with a "(1)" index - but the CRL and the LDAP for the AIA do not have the (1) index

So whilst I do that, I am posting this to see if there is something I have missed.

I have a Windows Server 2008 R2 subordinate CA integrated with AD and I have an offline root CA which signs the subordinate's certificate. The CRL for the offline root CA is stored in an accessible HTTP location. That is, I have two CAs - they work and PKIView.msc (used to) list everything with a status of OK.

The subordinate had LDAP and HTTP AIA and CRL locations, and also used Delta CRLs. The root has an HTTP CRL location and no Delta CRLs.

I have just renewed the key on my subordinate, approved the request, and reinstalled the certificate on my subordinate CA. When I attempt to publish the CRL I get the following error, Error ID 66:

Active Directory Certificate Services could not publish a Delta CRL for key 1 to the following location: ldap:///CN=xxxxxxxxxxx(1),CN=xxxxx,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,xxxxxxx,Operation aborted 0x80004004 (-2147467260).

and the following error, Error ID 74:

Active Directory Certificate Services could not publish a Base CRL for key 1 to the following location on server Servername:ldap:///CN=CAName(1),CN=ServernameName,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DCLIST.  Directory object not found. 0x8007208d (WIN32: 8333).
ldap: 0x20: 0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of:
    'CN=ServerName,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=DCLIST'

I've followed the article MS Event ID 66

This is a test system. When I first tried this, only Event ID 66 happened, so I rebuilt (uninstalled and reinstalled) the subordinate CA; once this happened, both Event ID 66 and 74 now occur. The offline root was not rebuilt; I did however update the CRL from the offline root to the HTTP server.

In Adsiedit I can see that

CN=SERVERNAME,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DCLIST

is a container

ldap:///CN=CANAME,CN=SERVERNAME,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DCLIST

is a cRLDistributionPoint and

ldap:///CN=CANAME(1),CN=SERVERNAME,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DCLIST

does not exist

My CDP extensions are

C:\Windows\System32\CertSrv\CertEnroll\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
ldap:///CN=<CATruncatedName><CRLNameSuffix>,CN=<ServerShortName>,CN=CDP,CN=Public Key Services,CN=Services,
http:///pki/.crl

My AIA extensions are

C:\Windows\system32\CertSrv\CertEnrol\<ServerDNSName>_<CaName><CertificateName>.crt
ldap:///CN=<CATruncatedName>,CN=AIA,CN=Public Key Services,CN=Services,<ConfigurationContainer><CAObjectClass>
http://<ServerDNSName>/CertEnroll/<ServerDNSName>_<CaName><CertificateName>.crt
Tags: windows-server-2008, windows-server-2008-r2, certificate-authority, pki, crl
asked on Server Fault Aug 29, 2017 by Ross • edited Sep 6, 2017 by SturdyErde
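An added check, not part of the question or any answer: PowerShell that expands the LDAP CDP template quoted above for each CA key index (key 0 is the original certificate, key 1 the renewal with a new key) and reports which cRLDistributionPoint objects actually exist under CN=CDP and whether they hold a base or delta CRL. It assumes the ActiveDirectory module is available, that the CA name you pass is the name exactly as it appears in AD (the <CATruncatedName> token), and the names CANAME and SERVERNAME are placeholders taken from the question.

```powershell
# Added example (not from the question). For each CA key index, build the expected
# LDAP CDP distinguished name from the question's template and look it up in AD.
function Get-CdpPublicationState {
    param(
        [Parameter(Mandatory)] [string] $CAName,          # placeholder, e.g. 'CANAME'
        [Parameter(Mandatory)] [string] $ServerShortName, # placeholder, e.g. 'SERVERNAME'
        [int] $CertCount = 2   # number of CA certificates: key 0 original, key 1 renewed
    )
    Import-Module ActiveDirectory -ErrorAction Stop
    # <ConfigurationContainer> resolves to the forest's Configuration naming context.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    # Template as in the question's CDP extension. <CRLNameSuffix> is '' for key 0
    # and '(n)' for key n, which is why the renewed key expects 'CN=CANAME(1),...'.
    $template = 'CN=<CATruncatedName><CRLNameSuffix>,CN=<ServerShortName>,CN=CDP,' +
                'CN=Public Key Services,CN=Services,<ConfigurationContainer>'
    foreach ($keyIndex in 0..($CertCount - 1)) {
        $suffix = if ($keyIndex -eq 0) { '' } else { "($keyIndex)" }
        $dn = $template.Replace('<CATruncatedName>', $CAName)
        $dn = $dn.Replace('<CRLNameSuffix>', $suffix)
        $dn = $dn.Replace('<ServerShortName>', $ServerShortName)
        $dn = $dn.Replace('<ConfigurationContainer>', $configNC)
        try {
            # A missing object throws; treat that as "not published", not as a script error.
            $obj = Get-ADObject -Identity $dn `
                       -Properties certificateRevocationList, deltaRevocationList `
                       -ErrorAction Stop
        } catch {
            $obj = $null
        }
        [pscustomobject]@{
            KeyIndex     = $keyIndex
            DN           = $dn
            ObjectExists = ($null -ne $obj)
            HasBaseCRL   = ($null -ne $obj) -and ($null -ne $obj.certificateRevocationList)
            HasDeltaCRL  = ($null -ne $obj) -and ($null -ne $obj.deltaRevocationList)
        }
    }
}

# Run with the placeholder names from the question; replace with the real CA and host names.
Get-CdpPublicationState -CAName 'CANAME' -ServerShortName 'SERVERNAME' -CertCount 2 |
    Format-Table -AutoSize
```

A row with ObjectExists = False for key 1 matches the "Directory object not found" state described in the question, so the same listing can be re-run after each fix attempt to confirm the CA has created and populated the object.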

0 Answers
