Huge folder - Application data\microsoft\crypto\rsa\machine ke
in [Windows Servers]
|
Prev: ntbackup not compressing using HP DAT72 Drive
Next: Error installing Microsoft Provisioning Framework
From: fox1977 on 28 Nov 2006 15:05 Just compressed the folder and it is still the same size! Damn I have noticed in the event log the time is out of sync with the domain controller by about 11 mins and the machine is reporting a problem applying the group policy. There was also an error in the system log about the server time being to far out of sync with the domain controller. Here are a few of the error messages: - Windows cannot determine the user or computer name. (Access is denied. ). Group Policy processing aborted. - Windows cannot query for the list of Group Policy objects. Check the event log for possible messages previously logged by the policy engine that describes the reason for this. (the previous message is the one about the time being too far out of sync with the domain controller) - Windows cannot access the file gpt.ini for GPO CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=nmspace,DC=net. The file must be present at the location <\\mydomain.net\sysvol\mydomain.net\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>. (Configuration information could not be read from the domain controller, either because the machine is unavailable, or access has been denied. ). Group Policy processing aborted. Do you think these issues are related or am I barking up the wrong tree? Thanks, getting in urgent need now :-( "mtstream" wrote: > I don't know the specific impact of compressing this folder, but would be > very concerned with changes to it on a IIS production box. You need to know > more about how/why IIS is creating so many keys. > > When I need space I go after the NTuninstall directories in the %systemroot% > these aren't huge (a few mb each on average) but you may have 100+. I'll > keep the last month or two and remove the rest. It's not a long term fix but > may buy you some time to figure something else out. > > If you're eating up 50mb a day you need a far more dramatic change than > compressing some folders. > > "fox1977" wrote: > > > Hi there, > > > > I am running a number of windows 2003 sp1 web servers. I am running > > low on disk space on the system disc on one of them. Down to about 195 mb > > today from 250mb yesterday. > > > > After exploring the different folders i have come across a rather large > > folder that is 1 gb in size and contains over 300,000 files. The > > folder is here: > > > > C:\Documents and Settings\All Users\Application > > Data\Microsoft\Crypto\rsa\machine keys > > > > Does anyone know what this folder contains or why it is so big. On > > another similar server the same folder is only 116k and contains 29 > > files. > > > > I am running IIS with a large number of sites and some of them have SSL > > certificates attached to them. I have recently added two new certificates to > > the server in the past few days and i think this is why is has dropped a bit > > in the past few days. > > > > As i am drastically running out of room is it ok just to compress this > > folder? Can anyone offer any tips on how to reduce the size of this folder? > > I don't want to delete the folder as i'm sure the machine will grind to a > > halt! > > > > Any tips much appreciated. Getting a bit urgent now. Got to start > > compressing the folder about 19:00 gmt. > > > > Cheers
From: mtstream on 28 Nov 2006 16:09 You definitely need to fix the time sync. That should make the GPO issues go away. If not check the security settings on the sysvol. Here's an article on how to manually sync the time http://support.microsoft.com/default.aspx/kb/555225/en-us Will the time issue cause the additional creation of machine keys? I don't know. I think you've got an IIS issue - issue may be the wrong word it may not be malfunctioning but doing what is required by a particular web page. You may want to try the IIS group for some additional ideas. Including moving sites to another box or virtual directories somewhere else. "fox1977" wrote: > Just compressed the folder and it is still the same size! Damn > > I have noticed in the event log the time is out of sync with the domain > controller by about 11 mins and the machine is reporting a problem applying > the group policy. > > There was also an error in the system log about the server time being to far > out of sync with the domain controller. Here are a few of the error messages: > > - Windows cannot determine the user or computer name. (Access is denied. ). > Group Policy processing aborted. > > - Windows cannot query for the list of Group Policy objects. Check the event > log for possible messages previously logged by the policy engine that > describes the reason for this. (the previous message is the one about the > time being too far out of sync with the domain controller) > > - Windows cannot access the file gpt.ini for GPO > CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=nmspace,DC=net. > The file must be present at the location > <\\mydomain.net\sysvol\mydomain.net\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>. > (Configuration information could not be read from the domain controller, > either because the machine is unavailable, or access has been denied. ). > Group Policy processing aborted. > > Do you think these issues are related or am I barking up the wrong tree? > > Thanks, getting in urgent need now :-( > > "mtstream" wrote: > > > I don't know the specific impact of compressing this folder, but would be > > very concerned with changes to it on a IIS production box. You need to know > > more about how/why IIS is creating so many keys. > > > > When I need space I go after the NTuninstall directories in the %systemroot% > > these aren't huge (a few mb each on average) but you may have 100+. I'll > > keep the last month or two and remove the rest. It's not a long term fix but > > may buy you some time to figure something else out. > > > > If you're eating up 50mb a day you need a far more dramatic change than > > compressing some folders. > > > > "fox1977" wrote: > > > > > Hi there, > > > > > > I am running a number of windows 2003 sp1 web servers. I am running > > > low on disk space on the system disc on one of them. Down to about 195 mb > > > today from 250mb yesterday. > > > > > > After exploring the different folders i have come across a rather large > > > folder that is 1 gb in size and contains over 300,000 files. The > > > folder is here: > > > > > > C:\Documents and Settings\All Users\Application > > > Data\Microsoft\Crypto\rsa\machine keys > > > > > > Does anyone know what this folder contains or why it is so big. On > > > another similar server the same folder is only 116k and contains 29 > > > files. > > > > > > I am running IIS with a large number of sites and some of them have SSL > > > certificates attached to them. I have recently added two new certificates to > > > the server in the past few days and i think this is why is has dropped a bit > > > in the past few days. > > > > > > As i am drastically running out of room is it ok just to compress this > > > folder? Can anyone offer any tips on how to reduce the size of this folder? > > > I don't want to delete the folder as i'm sure the machine will grind to a > > > halt! > > > > > > Any tips much appreciated. Getting a bit urgent now. Got to start > > > compressing the folder about 19:00 gmt. > > > > > > Cheers
From: Brian Delaney [MSFT] on 29 Nov 2006 18:17
Hi, Time Sync as mentioned is a must to fix. It could potentially be a contributing factor in the problem. I haven't seen this happen before but I did a quick test and have a theory on something that could cause this (assuming of course you don't have 300000.certificates installed on that machine :)) The Crypto\RSA\MachineKeys folder stores the private key of each certificate on the machine. Whenever a certificate request is generated for the machine, a new file is created in this location. This is true even if the certificate request fails. My test included creating a certificate template that I knew my computers would fail when requesting and publishing it to one of my enterprise issuing CAs, granting my computers Read, Enroll and Autoenroll permissions. I then repeatedly forced autoenrollment on a few of the machines and found that every time this was done a new private key was created in the MachineKeys folder and the CA logged a failed certificate request. Given enough time the number of private keys in this store could potentially be in the 100000+ What I would recommend doing is checking all Enterprise CAs you have in the environment and looking for failed certificate requests. If you can find a significant amount, investigate the certificate template listed in the error and correct it or unpublish it from all the CAs. Once corrected/unpublished wait 24 hours to see if the buildup in the MachineKeys folder stops. Of course there are other ways that this could build up, the most likely culprit however is autoenrollment. If autoenrollment is not the issue at hand here, check for any batch jobs on the machiens that may cause a manual enrollment using certreq for example. Hope this helps, Brian Delaney Microsoft Canada -- This posting is provided "AS IS" with no warranties, and confers no rights. -------------------- >Thread-Topic: Huge folder - Application data\microsoft\crypto\rsa\machine ke >thread-index: AccTMW3OcySXELtjSXG34RukowdS1Q== >X-WBNR-Posting-Host: 69.15.29.110 >From: =?Utf-8?B?bXRzdHJlYW0=?= <mtstream(a)discussions.microsoft.com> >References: <9E494DBF-A215-49A8-B1CB-1F882BCA33EE(a)microsoft.com> <2DAE362B-17D8-4D28-9AF1-835EE7556582(a)microsoft.com> <AC7D7031-1395-4D04-9824-0C18141135F4(a)microsoft.com> >Subject: RE: Huge folder - Application data\microsoft\crypto\rsa\machine ke >Date: Tue, 28 Nov 2006 13:09:02 -0800 > >You definitely need to fix the time sync. That should make the GPO issues go >away. If not check the security settings on the sysvol. Here's an article >on how to manually sync the time >http://support.microsoft.com/default.aspx/kb/555225/en-us > >Will the time issue cause the additional creation of machine keys? I don't >know. I think you've got an IIS issue - issue may be the wrong word it may >not be malfunctioning but doing what is required by a particular web page. > >You may want to try the IIS group for some additional ideas. Including >moving sites to another box or virtual directories somewhere else. > >"fox1977" wrote: > >> Just compressed the folder and it is still the same size! Damn >> >> I have noticed in the event log the time is out of sync with the domain >> controller by about 11 mins and the machine is reporting a problem applying >> the group policy. >> >> There was also an error in the system log about the server time being to far >> out of sync with the domain controller. Here are a few of the error messages: >> >> - Windows cannot determine the user or computer name. (Access is denied. ). >> Group Policy processing aborted. >> >> - Windows cannot query for the list of Group Policy objects. Check the event >> log for possible messages previously logged by the policy engine that >> describes the reason for this. (the previous message is the one about the >> time being too far out of sync with the domain controller) >> >> - Windows cannot access the file gpt.ini for GPO >> CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=nmspace,D C=net. >> The file must be present at the location >> <\\mydomain.net\sysvol\mydomain.net\Policies\{31B2F340-016D-11D2-945F-00C04F B984F9}\gpt.ini>. >> (Configuration information could not be read from the domain controller, >> either because the machine is unavailable, or access has been denied. ). >> Group Policy processing aborted. >> >> Do you think these issues are related or am I barking up the wrong tree? >> >> Thanks, getting in urgent need now :-( >> >> "mtstream" wrote: >> >> > I don't know the specific impact of compressing this folder, but would be >> > very concerned with changes to it on a IIS production box. You need to know >> > more about how/why IIS is creating so many keys. >> > >> > When I need space I go after the NTuninstall directories in the %systemroot% >> > these aren't huge (a few mb each on average) but you may have 100+. I'll >> > keep the last month or two and remove the rest. It's not a long term fix but >> > may buy you some time to figure something else out. >> > >> > If you're eating up 50mb a day you need a far more dramatic change than >> > compressing some folders. >> > >> > "fox1977" wrote: >> > >> > > Hi there, >> > > >> > > I am running a number of windows 2003 sp1 web servers. I am running >> > > low on disk space on the system disc on one of them. Down to about 195 mb >> > > today from 250mb yesterday. >> > > >> > > After exploring the different folders i have come across a rather large >> > > folder that is 1 gb in size and contains over 300,000 files. The >> > > folder is here: >> > > >> > > C:\Documents and Settings\All Users\Application >> > > Data\Microsoft\Crypto\rsa\machine keys >> > > >> > > Does anyone know what this folder contains or why it is so big. On >> > > another similar server the same folder is only 116k and contains 29 >> > > files. >> > > >> > > I am running IIS with a large number of sites and some of them have SSL >> > > certificates attached to them. I have recently added two new certificates to >> > > the server in the past few days and i think this is why is has dropped a bit >> > > in the past few days. >> > > >> > > As i am drastically running out of room is it ok just to compress this >> > > folder? Can anyone offer any tips on how to reduce the size of this folder? >> > > I don't want to delete the folder as i'm sure the machine will grind to a >> > > halt! >> > > >> > > Any tips much appreciated. Getting a bit urgent now. Got to start >> > > compressing the folder about 19:00 gmt. >> > > >> > > Cheers > |