Event ID 1093 and a really weird cert issue

fhqwh gads 26 Reputation points
2025-02-10T20:30:03.9533333+00:00

While going through some logs recently, I came across Event ID 1093, and that I have an AD object that exceeds the maximum object record size.

The offending AD object is a domain controller I had issues with a week or so ago that required me to demote it, remove it from the domain, and start over again. At any rate, it appears that over that period it accumulated over 1000 certificates from our CA. The CA only lists about 20 certs as being issued (there probably should only be 4, but that's a problem for another day), so I'm thinking these are stale from when I removed and put back this DC?? You'd think that the CA would still list these hundreds of certs as having been issued, but nope. I know that the CA allegedly issued these certs as its authority key identifier is all over the issued certs.

Is there a safe way to remove these extra certs from the AD object?

Thanks!


1 answer

  1. Zunhui Han 3,650 Reputation points Microsoft External Staff
    2025-03-06T07:51:13.49+00:00

    Hello,

    Thank you for posting in Q&A forum.

    You can use the method in the following link to export the user data of a user object that has reached the maximum object size. Then, identify the relevant certificates through a script and decide which unneeded certificates can be deleted from this user object.

    https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/ntds-replication-warning-event-id-1093

    I hope the information above is helpful.

    Best regards

    Zunhui

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.
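
One way to do the "identify the relevant certificates through a script" step for the computer object described in the question, as an added example that is not part of the answer or of the linked Microsoft article. `DC01` and the CSV file name are placeholders, and treating "expired" as the removal criterion is an assumption to adjust after reviewing the report.

```powershell
# Added example. Requires the ActiveDirectory module (RSAT).
# 'DC01' is a placeholder for the affected domain controller's computer object.
Import-Module ActiveDirectory

function Get-ComputerCertificateReport {
    param([Parameter(Mandatory)][string]$ComputerName)

    $now = Get-Date
    $obj = Get-ADComputer -Identity $ComputerName -Properties userCertificate

    foreach ($raw in $obj.userCertificate) {
        # Each userCertificate value is one DER-encoded X.509 certificate.
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$raw)

        # Template extension: v2 "Certificate Template Information",
        # otherwise the v1 "Certificate Template Name".
        $tmpl = $cert.Extensions |
            Where-Object { $_.Oid.Value -in '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2' } |
            Select-Object -First 1

        [pscustomobject]@{
            Thumbprint  = $cert.Thumbprint
            Serial      = $cert.SerialNumber   # compare with the CA's list of issued certs
            Issuer      = $cert.Issuer
            NotBefore   = $cert.NotBefore
            NotAfter    = $cert.NotAfter
            Expired     = $cert.NotAfter -lt $now
            Template    = if ($tmpl) { $tmpl.Format($false) } else { $null }
            Certificate = $cert                # kept so the exact value can be removed later
        }
    }
}

$report = Get-ComputerCertificateReport -ComputerName 'DC01'

# Keep a record of everything that was on the object before changing it.
$report | Select-Object * -ExcludeProperty Certificate |
    Export-Csv -Path .\DC01-userCertificate.csv -NoTypeInformation

$report | Sort-Object NotBefore |
    Format-Table Thumbprint, Serial, NotBefore, NotAfter, Expired, Template -AutoSize

# Dry run: shows which values would be removed. Drop -WhatIf only after
# confirming none of the listed certificates is still in use.
foreach ($entry in ($report | Where-Object Expired)) {
    Set-ADComputer -Identity 'DC01' -Certificates @{ Remove = $entry.Certificate } -WhatIf
}
```

Only the copy published on the AD object is removed; the certificate in the machine's local store and the CA database are not touched.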

