Symptoms

  • Publishing a certificate revocation list (CRL) to AD LDS or ADAM fails
  • The publishing method could be certutil.exe or a directory synchronization tool

Event log

You may see events similar to the following:

Event ID 1216

Log Name:  ADAM (Instance-Name)

Source:  ADAM [Instance-Name] LDAP
Date:  3/23/2011 9:51:09 AM
Event ID:  1216
Task Category: LDAP Interface
Level:  Warning
Keywords:  Classic
User:  N/A
Computer:  DNS-Name
Description:
Internal event: An LDAP client connection was closed because of an error. 
 
Client IP:
192.168.1.5:12345 
 
Additional Data 
Error value:
8 Not enough storage is available to process this command. 
Internal ID:
c0604cb

Event ID 1535

Log Name:  ADAM (Instance-Name)
Source:  ADAM [Instance-Name] LDAP
Date:  3/23/2011 9:51:09 AM
Event ID:  1535
Task Category: LDAP Interface
Level:  Information
Keywords:  Classic
User:  ANONYMOUS LOGON
Computer:  DNS-Name
Description:
Internal event: The LDAP server returned an error. 
 
Additional Data 
Error value:
00000008: LdapErr: DSID-0C0604D1, comment: The server did not have enough resources to process the request, data 0, v1db0

Cause

The CRL exceeds two separate limits: it is too large for the LDAP interface to accept, and it is larger than the maximum size allowed for the certificateRevocationList attribute.

Resolution

You need to make two changes:

  1. Change the MaxReceiveBuffer size for the AD LDS/ADAM instance to accept a size that is larger than the largest CRL you expect. The default setting is 10MB.
  2. Change the RangeUpper value for the certificateRevocationList attribute in the AD LDS/ADAM schema to a size that is larger than the largest CRL you expect. The default setting is 10MB.
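
One way to apply both changes with PowerShell, as an added example that is not part of the original article. It assumes an AD LDS instance reachable through the ActiveDirectory module at `localhost:50000`; the CRL path, the 1.5x headroom and the `$Apply` switch are placeholders, and the script only ever raises a limit.

```powershell
# Added example. Assumed: AD LDS with AD Web Services and the ActiveDirectory
# module; $Server, $CrlPath and $Headroom are placeholder values.
Import-Module ActiveDirectory

$Server   = 'localhost:50000'        # assumed host:port of the instance
$CrlPath  = 'C:\CRL\IssuingCA.crl'   # hypothetical path to the largest CRL
$Headroom = 1.5                      # assumed growth margin
$Apply    = $false                   # $false = preview only (-WhatIf)

$crlBytes = (Get-Item -LiteralPath $CrlPath).Length
$newLimit = [int][math]::Ceiling($crlBytes * $Headroom)
$rootDse  = Get-ADRootDSE -Server $Server

# Change 1: MaxReceiveBuffer, stored as a "Name=Value" string in the
# lDAPAdminLimits attribute of the default query policy.
$policyDn = 'CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,' +
            'CN=Windows NT,CN=Services,' + $rootDse.configurationNamingContext
$policy   = Get-ADObject -Identity $policyDn -Server $Server -Properties lDAPAdminLimits
$current  = $policy.lDAPAdminLimits | Where-Object { $_ -like 'MaxReceiveBuffer=*' }
# Fall back to the 10MB default the article states if no entry is listed.
$curValue = if ($current) { [int](("$current" -split '=')[1]) } else { 10485760 }

if ($curValue -lt $newLimit) {
    $change = @{ Add = @{ lDAPAdminLimits = "MaxReceiveBuffer=$newLimit" } }
    if ($current) { $change.Remove = @{ lDAPAdminLimits = "$current" } }
    Set-ADObject -Identity $policyDn -Server $Server -WhatIf:(-not $Apply) @change
}

# Change 2: rangeUpper on the certificateRevocationList schema attribute,
# located by lDAPDisplayName so no schema object name is hard-coded.
$attr = Get-ADObject -SearchBase $rootDse.schemaNamingContext -Server $Server `
    -LDAPFilter '(lDAPDisplayName=certificateRevocationList)' -Properties rangeUpper

if ($attr.rangeUpper -and $attr.rangeUpper -lt $newLimit) {
    Set-ADObject -Identity $attr.DistinguishedName -Server $Server `
        -Replace @{ rangeUpper = $newLimit } -WhatIf:(-not $Apply)
}

"CRL: $crlBytes bytes; target limit: $newLimit bytes; applied: $Apply"
```

MaxReceiveBuffer bounds every LDAP request the instance will accept, not only CRL writes, so size it from the CRL you actually publish rather than setting an arbitrarily large value.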