To use credential roaming, all of your organization's domain controllers should be running Windows Server 2008 R2, Windows Server 2008, or Windows Server 2003 Service Pack 1 (SP1). In addition, clients used for credential roaming must also be running Windows 7, Windows Vista, Windows XP Service Pack 2 (SP2), Windows Server 2003 SP1, or Windows Server 2008.

If you have at least one domain controller running Windows Server 2008 R2 or Windows Server 2008 in your Active Directory environment, you can use Group Policy to configure credential roaming.

If you do not have a domain controller running Windows Server 2008 R2 or Windows Server 2008, you must complete the following steps before configuring credential roaming through Group Policy:

  1. Prepare Active Directory Domain Services (AD DS). AD DS needs to be prepared to store users' certificates, keys, and Data Protection application programming interface (DPAPI) master keys.

  2. Exclude directories in roaming profiles. If roaming profiles are used, certain directories have to be excluded from roaming to avoid conflicts with credential roaming.

  3. Install the Group Policy ADM template. Credential roaming will be enabled through a Group Policy ADM template that sets the appropriate registry values on a client computer.

For assistance with these preparatory steps in networks with domain controllers that are still running Windows Server 2003, see Configuring and Troubleshooting Certificate Services Client–Credential Roaming (

Membership in Enterprise Admins or Domain Admins, or equivalent, is the minimum required to complete this procedure. For more information, see Implement Role-Based Administration.

To configure credential roaming for a domain by using Group Policy
  1. On a domain controller running Windows Server 2008 R2 or Windows Server 2008, click Start, point to Administrative Tools, and then click Group Policy Management.

  2. In the console tree, double-click Group Policy Objects in the forest and domain containing the Default Domain Policy Group Policy object (GPO) that you want to edit.

  3. Right-click the Default Domain Policy GPO, and then click Edit.

  4. In the Group Policy Management Console (GPMC), go to User Configuration, Windows Settings, Security Settings, and then click Public Key Policies.

  5. Double-click Certificate Services Client - Credential Roaming.

  6. Click Enabled to configure credential roaming or Disabled to block its use.

  7. If you clicked Enabled, you can also customize the following options:

    • Maximum tombstone credentials lifetime in days. Allows you to define how long a roaming credential will remain in AD DS for a certificate or key that has been deleted locally.

    • Maximum number of roaming credentials per user. Allows you to define a maximum number of certificates and keys that can be used with credential roaming.

    • Maximum size (in bytes) of a roaming credential. Allows you to restrict roaming for credentials that exceed a defined size.

    • Roam stored user names and passwords. Allows you to include or exclude stored user names and passwords from the credential roaming policy.

  8. Click OK to accept your changes.

The default options for credential roaming in step 7 will be acceptable to many organizations. However, credential roaming can affect the size of the Active Directory database if an organization has a large number of users and credentials. For information that can help you estimate the potential impact of credential roaming on your Active Directory database, see Configuring and Troubleshooting Certificate Services Client–Credential Roaming (