This article has been archived. It is offered "as is" and will no longer be updated.
After you enable the Credential Roaming feature for Windows Vista-based client computers in a domain, the size of the Ntds.dit file on the domain controller grows continually larger. Additionally, when Active Directory database changes are replicated to other domain controllers in the domain, the size of the Ntds.dit files on the other domain controllers also grows larger. Therefore, this growth eventually occurs on all domain controllers in the domain.
In the original release version of Windows Vista, the Credential Roaming feature works incorrectly when the same account logs on to more than one Windows Vista-based computer. Additionally, this problem occurs when a client in the domain logs on to different Windows Vista-based computers by using the same account. This account has certificates that contain Cryptography Next Generation (CNG) keys. In this scenario, the certificates are refreshed every time that the Credential Roaming service is invoked from these Windows Vista-based computers.
Service pack information
To resolve this problem, obtain the latest service pack for Windows Vista. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
935791 How to obtain the latest Windows Vista service pack
A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.
If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.
Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site:
Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.
No prerequisites are required.
You do not have to restart the computer after you apply this hotfix.
Hotfix replacement information
This hotfix does not replace any other previously released hotfixes.
To use one of the hotfixes in this package, you do not have to make any changes to the registry.
The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.
Windows Vista, 32-bit versions
Windows Vista, 64-bit versions
To work around this problem, disable the Credential Roaming feature for the accounts whose certificates contain CNG keys. To do this, put the accounts whose certificates contain CNG keys in a group. Then, exclude this group from the Group Policy setting that enables the Credential Roaming feature.
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section. This problem was first corrected in Windows Vista Service Pack 1.
The Credential Roaming feature enables you to use a single set of the following items on multiple computers in a domain:
Certificates key material
The credentials are stored in an encrypted format as part of the Active Directory user object.
The growth of the Ntds.dit file may occur after the Credential Roaming feature is enabled because certificates are added to the accounts. Normal growth of the Ntds.dit file occurs within 24 to 48 hours after the Group Policy setting that enables the Credential Roaming feature is applied to the clients in the domain. Additionally, the certificates of the accounts are refreshed when they are changed.
Unexpected growth of the Ntds.dit file is sometimes regarded as “DIT Bloat.” This unexpected growth can have multiple root causes. The specific cause described in this Microsoft Knowledge Base article relates to the Credential Roaming feature.
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates