Tuesday, January 08, 2013 9:24 PM
I found this thread about estimating the size increase in the NTDS.dit file after enabling Credential Roaming:
It provides this formula: (((CertificateSizeInByte + KeySizeInByte) * (#UserCertificates * #PastCertificateRenewals * #Machines) + (DPAPIkey * ProfileAgeInYears * 4) + DPAPIpreferredfile + (#StoredUserNamesAndPasswords * 400)) / 1024
However, since this was published a hotfix was released to decrease the database size:
I'm wondering how to calculate the impact of Credential Roaming on the NTDS.dit file after applying this hotfix.
Thursday, January 10, 2013 4:03 AM Moderator
Thanks for posting in Microsoft TechNet forums.
As we can see in KB2520487, the hotfix enables Credential Roaming to filter user credentials before it uploads them. It prevents the addition of unnecessary credential information/impact on the AD DS database. It means that the issue mentioned in that blog was fixed by the hotfix.
Please feel free to let us know if you have any further questions or concerns.
Thursday, January 10, 2013 4:52 PM
The blog strongly recommends estimating the size increase to the Active Directory database before deploying credential roaming. Are you saying this is no longer necessary with the hotfix?
Monday, January 14, 2013 2:20 AM Moderator
Hi Josh,
The blog was posted in 2009 and the hotfix was published in 2012. Yes, we do not need to worry about the issue mentioned in that blog after applying that hotfix.
Tuesday, January 15, 2013 4:20 PM
I require a way to estimate the impact of Credential Roaming on NTDS.dit size before deploying to 50,000+ users. Even if the hotfix cuts down on the number of items stored in the AD database, there must still be some size impact, correct? Unless you are saying the hotfix prevents any increase in size of the AD database I don't understand how you can say we don't need to worry about the impact of the size increasing due to credential roaming without even knowing the number of users and the number of certificates and keys that will be roamed.
Monday, February 18, 2013 8:27 PM
Not sure if your question was ever answered. Here is my experience.
We did the estimate after we enabled credential roaming by deleting the users with credential roaming attributes from a copy of the DIT. In our case the average size of a user object is ~100kb with credential roaming and ~18kb without. We are using those values for DIT size estimation. The number for credential roaming we figured is higher than what we calculated with the MS formula.
I hope that helps. Olaf
Monday, February 18, 2013 9:08 PM
Thank you for the response. Was the 100kb average after you applied the hotfix? Is your environment all Windows 7/Windows Server 2008 R2? Do you have any XP/Vista/Server 2003/Server 2008?
Wednesday, February 20, 2013 4:24 PM
Our DIT size almost doubled due to missing the patch and we cleared all attributes after the patch was rolled out to the workstations. Later we did the investigation and it came with ~100kb for a user object with credential roaming attributes populated. We have Win7 machines only and don't roam credentials on our servers. AD is FFL/DFL 2008R2.
Hope that helps. Olaf