Credential Roaming and NTDS.dit bloat

Following up on a previous post about Credential Roaming (aka DIMS):

With a recent DCR to Windows 7 & W2k8 R2, it is now possible to filter out specific types of credentials from the credentials that will roam to your AD database.

Post-hotfix default behaviour is to not roam unaffiliated keys, unused keys and smartcard certificates.

The caveats here are:

  • This is a client-side fix for Windows 7 / Windows 2008 R2* - legacy clients will still roam the above keys.
  • Implementing this fix on the client side after the above keys have already been roamed to the AD database will not remove them from the NTDS.dit file on the DCs (i.e. it is a preventive fix, not a reactive fix).

*this fix has been ported to W2k8/Vista since this post was written.
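Because the fix is preventive only, the first thing to establish is how much roamed credential data is already sitting on your user objects. The script below is an added example, not part of the original post, and assumes the RSAT ActiveDirectory module plus the standard DIMS user attributes (msPKIAccountCredentials, msPKIDPAPIMasterKeys, msPKIRoamingTimeStamp); it totals the bytes of roamed values per user so you can see where the NTDS.dit growth is coming from.

```powershell
# Added example (not from the original post): measure roamed credential data that
# is already stored on user objects. Assumes the ActiveDirectory module and the
# standard Credential Roaming attribute names listed above.
Import-Module ActiveDirectory

$blobAttrs = 'msPKIAccountCredentials', 'msPKIDPAPIMasterKeys'
$attrs     = $blobAttrs + 'msPKIRoamingTimeStamp'

# Only users that have ever roamed something carry a roaming timestamp.
$users = Get-ADUser -LDAPFilter '(msPKIRoamingTimeStamp=*)' -Properties $attrs

$report = foreach ($u in $users) {
    $bytes = 0
    $count = 0
    foreach ($a in $blobAttrs) {
        # Multi-valued binary attribute: each value is one roamed key/cert blob.
        foreach ($v in @($u.$a)) {
            if ($v -is [byte[]]) { $bytes += $v.Length; $count++ }
        }
    }
    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        LastRoamed     = $u.msPKIRoamingTimeStamp
        RoamedValues   = $count
        RoamedBytes    = $bytes
    }
}

# Largest offenders first; these are the accounts whose already-roamed keys the
# client-side hotfix will not clean up.
$report | Sort-Object RoamedBytes -Descending | Select-Object -First 20 | Format-Table -AutoSize

$total = ($report | Measure-Object RoamedBytes -Sum).Sum
'Users with roamed credentials: {0}; total roamed bytes: {1}' -f @($report).Count, $total
```

Run it as a user with read access to the attributes (they are not readable by everyone by default); the per-user byte total is the raw attribute size, so actual on-disk growth in NTDS.dit will be somewhat larger.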


Further details:

AD DS database size increases significantly when the Credential Roaming feature is enabled in Windows 7 or in Windows Server 2008 R2

