ADMIN_LIMIT_EXCEEDED could not publish Certificate to a specific DC

  • Question

  • Hi Everyone,

    Our Ops Manager is reporting the following error on just one of our 2008 R2 DCs (we have a mix of 2008 R2 and 2012 R2 DCs); we've had cert services in place since 2011.

    Event Description: Active Directory Certificate Services could not publish a Certificate for request xxxxxx to the following location on server DC1: CN=DC,OU=Domain Controllers,DC=domain,DC=com. The administrative limit for this request was exceeded. 0x80072024 (WIN32: 8228). ldap: 0xb: 00002024: SvcErr: DSID-020509F2, problem 5008 (ADMIN_LIMIT_EXCEEDED), data -1026

    The Cert Store DB is 1.76 GB in size. Using LDP, I've checked userCertificate on the DC and note: (1193)

    dsquery * "cn=Schema,cn=Configuration,dc=domain,dc=com" -filter "(LDAPDisplayName=userCertificate)" -attr rangeUpper

    32768

    I've checked:

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/83087f21-ba51-414d-9202-badea56ba83b/administrative-limit-was-exceeded?forum=winserverDS

    https://social.technet.microsoft.com/Forums/office/en-US/83c83ee3-7374-4393-ab26-8c5257b555e8/server-2008-r2-certificate-authority-event-id-80?forum=winservergen

    https://www.sysadmins.lv/blog-en/how-to-remove-expired-user-certificates-from-active-directory.aspx

    Is the issue due to having too many expired certificates?

    Thanks!

    Monday, November 14, 2016 10:34 PM

Answers

  • Those types of certificates do not need to be published to AD. I would uncheck the Publish to Active Directory checkbox on the templates you are using for these purposes.

    Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years. He is also co-founder of Revocent (revocent.com) and its CertAccord product that offers Linux certificate enrollment from a Microsoft CA. Connect with Mark at https://www.pkisolutions.com

    Tuesday, November 15, 2016 9:26 PM

All replies

  • What certificate is the DC enrolling for? Most likely it does not need to be published to AD unless you are doing AD replication via e-mail, which no one does anymore. The certificate attribute may need to be cleaned out so it can enroll again, but the root cause of the publishing should be determined.

    Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years. He is also co-founder of Revocent (revocent.com) and its CertAccord product that offers Linux certificate enrollment from a Microsoft CA. Connect with Mark at https://www.pkisolutions.com

    Tuesday, November 15, 2016 1:58 AM
  • Hi Mark

    Thanks for the reply. IAS and SCOM. All are published to AD. I will take a look at cleaning out the certificate attribute.

    Tuesday, November 15, 2016 9:25 PM
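The check the thread is converging on (how much is sitting in the DC's userCertificate attribute, and how much of it is already expired) can be scripted instead of eyeballed in LDP. The following is an added example, not code from anyone in the thread; it assumes the ActiveDirectory RSAT module is available and that $DcName (e.g. DC1) is the DC's computer account name. By default it only reports; removing expired values is an explicit opt-in.

```powershell
# Added example: inventory the userCertificate attribute on a DC's computer
# object, report expired vs. still-valid entries, and optionally strip only
# the expired ones. Nothing is modified unless -RemoveExpired is given.
param(
    [Parameter(Mandatory)][string]$DcName,   # assumed: computer account name, e.g. 'DC1'
    [switch]$RemoveExpired                   # opt-in: remove expired values from the attribute
)

Import-Module ActiveDirectory

$dc  = Get-ADComputer -Identity $DcName -Properties userCertificate
$raw = @($dc.userCertificate)                # each value is a DER-encoded certificate (byte[])

$expired = New-Object 'System.Collections.Generic.List[byte[]]'
$valid   = 0
$now     = Get-Date

foreach ($bytes in $raw) {
    try {
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($bytes)
    } catch {
        # A value that does not decode is reported but left untouched.
        Write-Warning "Skipping an undecodable value ($($bytes.Length) bytes)"
        continue
    }
    if ($cert.NotAfter -lt $now) { $expired.Add($bytes) } else { $valid++ }
}

# Summary of what the attribute currently holds on this DC object.
[pscustomobject]@{
    DC          = $dc.DistinguishedName
    TotalValues = $raw.Count
    Valid       = $valid
    Expired     = $expired.Count
    TotalBytes  = ($raw | Measure-Object -Property Length -Sum).Sum
}

if ($RemoveExpired -and $expired.Count -gt 0) {
    # Multi-valued attribute: -Remove takes away only the listed values,
    # so certificates that are still valid stay in place.
    Set-ADComputer -Identity $dc -Remove @{ userCertificate = $expired.ToArray() }
    Write-Host "Removed $($expired.Count) expired certificate(s) from $($dc.DistinguishedName)"
}
```

Run it once without -RemoveExpired to see the counts; if the attribute keeps refilling after cleanup, the template's Publish to Active Directory setting, as Mark suggests, is the thing to revisit rather than the attribute itself.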