Spat's WebLog (Steve Patrick)

When things go wrong...

Credential Roaming hotfix...


Just a slight detour from our debugging stuff for some new info on credential roaming\DIMS ...

http://support.microsoft.com/?id=934797

The size of the Ntds.dit file on the domain controller grows continually larger after you enable the "Credential Roaming" feature for Windows Vista-based client computers in the domain

 

Well now, that can't be good, can it? If you use cred roaming for Vista clients, better get this hotfix on there.

 

spatdsg

 

Comments (1)
    ; Administrative template (ADM) for the Certificate Services Client Credential Roaming policy
    CLASS USER

    CATEGORY !!DIMS
        KEYNAME "Software\Policies\Microsoft\Cryptography\AutoEnrollment"

        POLICY !!DIMSCredentialRoaming
            EXPLAIN !!DIMSCredentialRoaming_Explain
            VALUENAME "DIMSRoaming"
            VALUEON NUMERIC 1

            PART !!DIMSCredentialRoaming_Vista TEXT
            END PART

            PART !!DIMSCredentialRoaming_Vista_Explain TEXT
            END PART

            PART !!DIMSCredentialRoaming_Box TEXT
            END PART

            PART !!DIMSCredentialRoaming_TombstoneValue NUMERIC REQUIRED
                VALUENAME "DIMSRoamingTombstoneDays"
                MIN 1 MAX 3650 DEFAULT 60 SPIN 30
            END PART

            PART !!DIMSCredentialRoaming_MaxNumTokens NUMERIC REQUIRED
                VALUENAME "DIMSRoamingMaxNumTokens"
                MIN 1 MAX 10000 DEFAULT 2000 SPIN 100
            END PART

            PART !!DIMSCredentialRoaming_MaxTokenSize NUMERIC REQUIRED
                VALUENAME "DIMSRoamingMaxTokenSize"
                MIN 1 MAX 100000 DEFAULT 65535 SPIN 1000
            END PART
        END POLICY
    END CATEGORY

    [strings]
    DIMS="Certificate Services Client"
    DIMSCredentialRoaming_Explain="NOTE: If you want to configure Credential Roaming on a Windows Vista client, then don't use this policy. Instead use the Group Policy that is natively included in Windows Vista.\n\nThis policy setting specifies the behavior for user Credential Roaming.\n\nUser certificates and keys will be roamed and synchronized between the local user profile on the desktop and the user object in Active Directory when a user logs on interactively.\n\nIf you enable this policy setting, all X.509 certificates, keys, and enrollment requests will be uploaded and synchronized with the user object in Active Directory. You should also enable folder exclusion policies for roaming user profiles to avoid any conflicts in the use of multiple roaming technologies.\n\nIf this policy is enabled, then the Application Data folder should not be redirected using the Folder Redirection technology.\n\nIf you disable this policy setting, all future synchronization and roaming will cease, but no keys or certificates will be deleted from the local user profile or Active Directory user object.\n\nIf you do not configure this policy setting, user certificate and key roaming will not be performed.\n\nNote: Folder exclusion policy settings may be configured in the user profiles section of the System administrative template.\n\n"
    DisableAll="None"
    DIMSCredentialRoaming="Credential Roaming"
    DIMSCredentialRoaming_Vista="NOTE: Not for environments with Vista clients."
    DIMSCredentialRoaming_Vista_Explain="See Explain tab for more details."
    DIMSCredentialRoaming_Box="Specific Credential Roaming settings:"
    DIMSCredentialRoaming_TombstoneValue="Maximum tombstone credentials lifetime in days:"
    DIMSCredentialRoaming_MaxNumTokens="Maximum number of roaming credentials per user:"
    DIMSCredentialRoaming_MaxTokenSize="Maximum size (in bytes) of a roaming credential:"
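As an added example (not from the post or from the comment above), the following Python parses the NUMERIC parts of the ADM template in that comment and validates a proposed set of registry values against its MIN/MAX/DEFAULT constraints, filling defaults for omitted REQUIRED parts and clamping out-of-range values. When the policy switch is on it also reports the largest total the two caps permit per user (max tokens times max token size), which is what the template bounds, not what any user actually roams. The template text is embedded inline with its [strings] section dropped; `parse_adm` and `check_policy` are this example's own hypothetical helper names.

```python
"""Parse the DIMS Credential Roaming ADM template and validate policy values.

Added example, not from the blog post or its comment. The template text is
the one posted above, embedded inline (strings section dropped) so the script
runs offline; parse_adm and check_policy are hypothetical helper names.
"""
import re

ADM_TEXT = r'''
CLASS USER
CATEGORY !!DIMS
    KEYNAME "Software\Policies\Microsoft\Cryptography\AutoEnrollment"
    POLICY !!DIMSCredentialRoaming
        EXPLAIN !!DIMSCredentialRoaming_Explain
        VALUENAME "DIMSRoaming"
        VALUEON NUMERIC 1
        PART !!DIMSCredentialRoaming_Vista TEXT
        END PART
        PART !!DIMSCredentialRoaming_TombstoneValue NUMERIC REQUIRED
            VALUENAME "DIMSRoamingTombstoneDays"
            MIN 1 MAX 3650 DEFAULT 60 SPIN 30
        END PART
        PART !!DIMSCredentialRoaming_MaxNumTokens NUMERIC REQUIRED
            VALUENAME "DIMSRoamingMaxNumTokens"
            MIN 1 MAX 10000 DEFAULT 2000 SPIN 100
        END PART
        PART !!DIMSCredentialRoaming_MaxTokenSize NUMERIC REQUIRED
            VALUENAME "DIMSRoamingMaxTokenSize"
            MIN 1 MAX 100000 DEFAULT 65535 SPIN 1000
        END PART
    END POLICY
END CATEGORY
'''

RANGE_RE = re.compile(r"MIN\s+(\d+)\s+MAX\s+(\d+)\s+DEFAULT\s+(\d+)")


def parse_adm(text):
    """Return the registry key, the POLICY's on/off switch and every NUMERIC
    PART's (min, max, default) range, keyed by registry value name."""
    keyname, switch, parts = None, None, {}
    in_part, current = False, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):   # skip blanks and ADM comments
            continue
        tok = line.split()
        kw = tok[0].upper()
        if kw == "KEYNAME":
            keyname = line.split(None, 1)[1].strip('"')
        elif kw == "PART":
            in_part, current = True, None
        elif kw == "END" and len(tok) > 1 and tok[1].upper() == "PART":
            in_part, current = False, None
        elif kw == "VALUENAME":
            name = line.split(None, 1)[1].strip('"')
            if in_part:
                current = name                 # a PART that writes its own value
            else:
                switch = [name, None]          # the POLICY's enable/disable value
        elif kw == "VALUEON" and switch is not None:
            switch[1] = int(tok[-1])
        elif kw == "MIN" and current is not None:
            m = RANGE_RE.match(line)
            if m is None:
                raise ValueError(f"unparsable range line: {line!r}")
            lo, hi, default = map(int, m.groups())
            parts[current] = {"min": lo, "max": hi, "default": default}
    return {"key": keyname, "switch": tuple(switch) if switch else None, "parts": parts}


def check_policy(spec, values):
    """Validate proposed registry values (name -> int) against the template.

    Returns (problems, effective): `effective` fills in DEFAULTs for omitted
    REQUIRED parts and clamps out-of-range values into MIN..MAX; `problems`
    lists what was wrong.  When the switch is on, it also reports the largest
    total the two caps permit per user (an upper bound set by the template,
    not a measurement of what a user actually roams)."""
    problems, effective = [], {}
    switch_name, on_value = spec["switch"]
    effective[switch_name] = values.get(switch_name, 0)
    for name, rng in spec["parts"].items():
        v = values.get(name, rng["default"])
        if not isinstance(v, int):
            problems.append(f"{name}={v!r} is not a DWORD; using DEFAULT {rng['default']}")
            v = rng["default"]
        elif not rng["min"] <= v <= rng["max"]:
            problems.append(f"{name}={v} outside {rng['min']}..{rng['max']}; clamped")
            v = min(max(v, rng["min"]), rng["max"])
        effective[name] = v
    if (effective[switch_name] == on_value
            and "DIMSRoamingMaxNumTokens" in effective
            and "DIMSRoamingMaxTokenSize" in effective):
        effective["per_user_upper_bound_bytes"] = (
            effective["DIMSRoamingMaxNumTokens"] * effective["DIMSRoamingMaxTokenSize"])
    return problems, effective


if __name__ == "__main__":
    spec = parse_adm(ADM_TEXT)
    probs, eff = check_policy(spec, {"DIMSRoaming": 1, "DIMSRoamingMaxTokenSize": 500000})
    print("\n".join(probs) or "no problems")
    print(eff)
```

At the template's defaults the caps allow up to 2000 × 65535 bytes of roamed credential data per user, which is the kind of number to have in hand when sizing what cred roaming can add to the directory for a given user population.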
