Microsoft KB Archive/282088

= Cannot Publish More Than 800 Certificates to Active Directory Object =

PSS ID Number: 282088

Article Last Modified on 10/21/2003

-

The information in this article applies to:


 * Microsoft Windows Server 2003, Standard Edition
 * Microsoft Windows Server 2003, Enterprise Edition
 * Microsoft Windows Small Business Server 2003, Premium Edition
 * Microsoft Windows Small Business Server 2003, Standard Edition

-



This article was previously published under Q282088



SYMPTOMS
When you backed out (reversed) one or more attribute changes, the Windows NT Directory Services (NTDS) Replication events could be successfully replicated.



CAUSE
This problem can occur because there is a limitation of 800 certificates for each Active Directory object and 800 cross certificates for each certification authority (CA).



RESOLUTION
To resolve this problem, you must not exceed more than 800 certificates for each Active Directory object or 800 cross certificates for each CA. For more than 800 cross certificates, you must use more than one CA.



STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.



MORE INFORMATION
There is currently an Active Directory object limitation of a maximum of 800 certificates in the crossCertificatePair attribute. If there is more than 800 entries, domain controller replication is unsuccessful. The crossCertificatePair attribute can be found in the following location:

CN= ,CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration,DC= ,DC= ?crossCertificatePair: ;

The Auto-enrollment feature in Windows Server 2003 can &quot;clean up&quot; a user object's expired and revoked certificates if the user has enrolled for a certificate with a template of the same type.

For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

280746 How to Cross-Certify a Windows 2000 Certification Authority

Keywords: kbenv kbprb KB282088

Technology: kbSBServ2003Pre kbSBServ2003Search kbSBServ2003St kbSBServSearch kbWinServ2003Ent kbWinServ2003EntSearch kbWinServ2003Search kbWinServ2003St

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© 2004 Microsoft Corporation. All rights reserved.