Credential Roaming and NTDS.dit bloat

Article
06/14/2011

Following up on a previous post about Credential Roaming (aka DIMS): http://blogs.technet.com/b/instan/archive/2009/05/26/considerations-for-implementing-credential-roaming.aspx

With a recent DCR to Windows 7 & W2k8 R2 (http://support.microsoft.com/kb/2520487) it is now possible to filter out specific types of credentials from the credentials that will roam to your AD database.

Post-hotfix default behaviour is to not roam unaffiliated keys, unused keys and smartcard certificates.

The caveats here are:

This is a client-side fix for Windows 7 / Windows 2008 R2* - legacy clients will still roam the above keys.
Implementing this fix on the client-side after the above keys have already been roamed to the AD Database will not remove them from the NTDS.dit file on the DC's (i.e. its a preventitive fix - not a reactive fix).

*this fix has been ported to W2k8/Vista since this post was written.

Further details:

AD DS database size increases significantly when the Credential Roaming feature is enabled in Windows 7 or in Windows Server 2008 R2
http://support.microsoft.com/kb/2520487

Credential Roaming and NTDS.dit bloat

Additional resources