Enabling Universal Group Membership Caching in a Site

In a multidomain forest, when a user logs on to a domain, a global catalog server must be contacted to determine the universal group memberships of the user. A universal group can contain users from other domains, and it can be applied to access control lists (ACLs) on objects in all domains in the forest. Therefore, universal group memberships must be ascertained at domain logon so that the user has appropriate access in the domain and in other domains during the logon session. Only global catalog servers store the memberships of all universal groups in the forest.

If a global catalog server is not available in the site when a user logs on to a domain, the domain controller must contact a global catalog server in another site.

In multidomain forests where remote sites do not have a global catalog server, the need to contact a global catalog server over a potentially slow wide area network (WAN) connection can be problematic, and a user may be unable to log on to the domain at all if no global catalog server is available. You can enable Universal Group Membership Caching on domain controllers that are running Windows Server 2008 so that when the domain controller contacts a global catalog server for the user’s initial domain logon, it retrieves and caches the user's universal group memberships. On subsequent logon requests by the same user, the domain controller uses the cached universal group memberships and does not have to contact a global catalog server.

Simple:
Universal Group Membership Caching is most practical for smaller branch offices with low-capacity servers that cannot handle the additional load of hosting a global catalog (GC), or for locations with extremely slow WAN connections.

When a user attempts to log on for the first time, the domain controller obtains the universal group membership for that user from a global catalog. This information is cached on the domain controller for that site indefinitely and is refreshed periodically, every 8 hours. Up to 500 universal group memberships can be updated at once.

UGMC is enabled at the site level, not per domain controller.

The benefits of Universal Group Membership Caching are:
• Faster logon times.
• No hardware upgrade is required to host a global catalog.
• Lower network bandwidth consumption.
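As an added example that is not part of this article, the following PowerShell audits which sites have caching enabled and enables it for a named site by setting the flag bit on the site's NTDS Site Settings object. It assumes the RSAT ActiveDirectory module, read access to the Configuration partition, Enterprise Admin rights for the change, and the site names in the usage lines are hypothetical.

```powershell
# Added example, not from the original article: audit and enable Universal Group
# Membership Caching (UGMC) per site with the RSAT ActiveDirectory module.
# Assumes the module is installed, the caller can read the Configuration partition,
# and Enable-UgmcForSite is run with Enterprise Admin rights.
Import-Module ActiveDirectory

# Bit 0x20 of the 'options' attribute on a site's NTDS Site Settings object
# is the "universal group membership caching enabled" flag.
$script:UgmcFlag = 0x20

function Get-UgmcStatus {
    $configNc = (Get-ADRootDSE).configurationNamingContext
    Get-ADObject -SearchBase "CN=Sites,$configNc" -SearchScope OneLevel `
                 -LDAPFilter '(objectClass=site)' | ForEach-Object {
        $siteName = $_.Name
        $settings = Get-ADObject -Identity "CN=NTDS Site Settings,$($_.DistinguishedName)" `
                                 -Properties options, 'msDS-Preferred-GC-Site'
        $options  = [int]$settings.options          # unset attribute -> 0
        # Sites that already host a GC (of the current domain) do not need caching.
        $localGcs = @(Get-ADDomainController -Filter { Site -eq $siteName -and IsGlobalCatalog -eq $true }).Count
        [pscustomobject]@{
            Site        = $siteName
            UgmcEnabled = (($options -band $script:UgmcFlag) -ne 0)
            RefreshSite = if ($settings.'msDS-Preferred-GC-Site') { $settings.'msDS-Preferred-GC-Site' } else { '(nearest site with a GC)' }
            LocalGCs    = $localGcs
        }
    }
}

function Enable-UgmcForSite {
    param(
        [Parameter(Mandatory)] [string] $SiteName,
        [string] $RefreshFromSite    # optional: site whose GC refreshes the cache
    )
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $dn = "CN=NTDS Site Settings,CN=$SiteName,CN=Sites,$configNc"
    $current = [int](Get-ADObject -Identity $dn -Properties options).options
    # OR the flag in so that the other option bits on the object are preserved.
    $changes = @{ options = ($current -bor $script:UgmcFlag) }
    if ($RefreshFromSite) {
        $changes['msDS-Preferred-GC-Site'] = "CN=$RefreshFromSite,CN=Sites,$configNc"
    }
    Set-ADObject -Identity $dn -Replace $changes
}

# Hypothetical site names; review the audit output before changing anything.
Get-UgmcStatus | Format-Table -AutoSize
# Enable-UgmcForSite -SiteName 'Branch-Office' -RefreshFromSite 'Hub-Site'
```

The audit counts only the current domain's global catalogs in each site; in a multidomain forest, check the other domains before concluding a site has no local GC.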

Task requirements

The following tool is required to perform the procedures for this task:

• Active Directory Sites and Services

To complete this task, perform the following procedure: