A: Roaming user profiles give users access to the same user profile information from different workstations they log on to in a Windows domain. User names and passwords can be cached in a Windows machine’s local credential manager, and Microsoft has supported a credential roaming mechanism in Windows since Windows Server 2003 SP1 and Windows XP SP2. The mechanism was enhanced in Windows Vista and Windows Server 2008.

In Windows Server 2003 SP1, credential roaming lets Windows domain users access their public key infrastructure (PKI) private keys and certificates from any workstation they log on to in the Windows domain. Their credentials can roam with them thanks to the Digital Identity Management Service (DIMS)—a built-in Windows service. DIMS stores a secured copy of a user's PKI credentials in the user’s AD object and keeps them synchronized with the local PKI credentials that are stored in the user’s certificate store and private key store on the workstation.

For a more complete description of credential roaming as Microsoft introduced it in Windows Server 2003 SP1, refer to my article, Roam, roam in the domain. This credential roaming functionality can also be added to Windows XP SP2, if you install the hotfix described in this Microsoft article. On Vista and Server 2008, credential roaming also supports roaming user names and passwords, in addition to roaming PKI credentials. This roaming functionality, however, is only available to users when they roam between Vista or Server 2008 machines.

To support credential roaming in Active Directory (AD), your AD must have the DIMS schema extensions. These extensions are included by default in the Server 2008 AD schema but must be added manually to the schema in Windows 2000 SP3 and SP4 and Server 2003 SP1 and SP2. Instructions for extending the AD schema to support DIMS and many more details on credential roaming can be found in the Microsoft Technet article Configuring and Troubleshooting Certificate Services Client Credential Roaming.

Related Reading: