Event ID 1093 and a pretty weird certificate problem
While going through some logs recently, I came across Event ID 1093, and that I have an AD object that exceeds the maximum object record size.
The offending AD object is a domain controller I had issues with a week or so ago that required me to demote it, remove it from the domain, and start over again. At any rate, it appears that over that period it accumulated over 1000 certificates from our CA. The CA only lists about 20 certs as being issued (there probably should only be 4, but that's a problem for another day), so I'm thinking these are stale from when I removed and put back this DC? You'd think that the CA would still list these hundreds of certs as having been issued, but nope. I know that the CA allegedly issued these certs, as its authority key identifier is all over the issued certs. Is there a safe way to remove these extra certs from the AD object?
Thanks!
So... is it safe for me to just delete everything out of "userCertificate" if I back up the actual certificates on the DC? Do I just remove the extra data out of that attribute? And if so, how do I know which ones are the 4 valid ones? Kinda hard to parse all those octets, and I can't really do a search (using the Attribute Editor) to match up the data in the attribute with the signature from the cert(s). I'm not sure which octets relate to what.
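The follow-up asks how to tell the valid values apart from the stale ones without reading raw octets. Each value of userCertificate is a DER-encoded certificate, so it can be decoded into subject, issuer, validity dates and the authority key identifier, which is enough to match it against the CA and spot expired copies. The script below is an added example written for this thread, not code posted by anyone in it. It assumes the ActiveDirectory RSAT module is available and uses `DC01` as a placeholder for the affected domain controller's account name; the backup folder under `$env:TEMP` is likewise an assumption. It reports every value, writes each one to a `.cer` file first, and only previews (`-WhatIf`) removal of values that are already expired, one value at a time, so the attribute is never cleared wholesale.

```powershell
# Added example (not from the original thread): inventory, back up and selectively
# prune the userCertificate values on a domain controller's computer object.
# Assumes the ActiveDirectory module (RSAT) is installed; $DcName is a placeholder.
Import-Module ActiveDirectory

$DcName = 'DC01'   # placeholder: sAMAccountName of the affected DC, without the trailing $

$computer = Get-ADComputer -Identity $DcName -Properties userCertificate, distinguishedName
$now = Get-Date

# Each userCertificate value is a raw DER byte array; X509Certificate2 decodes the octets
# into readable fields so the values can be compared with what the CA says it issued.
$report = foreach ($bytes in $computer.userCertificate) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,$bytes)
    # OID 2.5.29.35 is the Authority Key Identifier extension mentioned in the post.
    $aki = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.35' }
    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        NotBefore  = $cert.NotBefore
        NotAfter   = $cert.NotAfter
        Expired    = ($cert.NotAfter -lt $now)
        AKI        = if ($aki) { $aki.Format($false) } else { '' }
        Bytes      = $bytes.Length
    }
}

"Total values on {0}: {1}" -f $computer.distinguishedName, @($report).Count
"Distinct thumbprints: {0}" -f @($report | Select-Object -ExpandProperty Thumbprint -Unique).Count
$report | Sort-Object NotAfter | Format-Table Thumbprint, Subject, NotAfter, Expired -AutoSize

# Back up every value before touching the attribute: one .cer file per blob, named by thumbprint.
$backupDir = Join-Path $env:TEMP "userCertificate-backup-$DcName"   # assumed location
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
foreach ($bytes in $computer.userCertificate) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,$bytes)
    [System.IO.File]::WriteAllBytes((Join-Path $backupDir "$($cert.Thumbprint).cer"), $bytes)
}

# Remove only values that have already expired, one at a time, and preview first.
# Drop -WhatIf once the preview lists exactly the values you expect to lose.
foreach ($bytes in $computer.userCertificate) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,$bytes)
    if ($cert.NotAfter -lt $now) {
        Set-ADComputer -Identity $DcName -Remove @{ userCertificate = $bytes } -WhatIf
    }
}
```

Run it from a host with RSAT as an account that can write the DC's computer object. The report's `Thumbprint` column is what to match against the CA's issued-certificates list, and the `AKI` column shows which CA key signed each value; values the CA no longer lists, or that are expired, are the candidates for removal, while anything still listed as issued and unexpired should stay until you have confirmed what is using it.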