Part 2: Maintaining Active Directory objects – 2.11 : Universal Group Caching
Requires a global catalog for a user login
If no GC is available during login, locally cached credentials are used if available.
When a user authenticates against a domain controller, the domain controller contacts a global catalog server to determine the universal group membership for that user. This information, once obtained, is stored on the domain controller forever. To make sure the cache is kept up to date, it is refreshed from a global catalog server every 8 hours.
Cannot access network resources
*server will always double check what’s being accessed
UGMC, in simpler words:
Enabled in Active Directory Sites and Services, in the properties of NTDS Site Settings under the site
The universal group cache is stored forever and updated every 8 hours
Caching is only used if a global catalog server is not available.
You can enable or disable universal group membership caching by following these steps:
1. In Active Directory Sites And Services, expand and then select the site you want to work with.
2. In the details pane, right-click NTDS Site Settings, and then click Properties.
3. To enable universal group membership caching, select the Enable Universal Group Membership Caching check box on the Site Settings tab. Then, in the Refresh Cache From list, choose a site from which to cache universal group memberships. The selected site must have a working global catalog server.
4. To disable universal group membership caching, clear the Enable Universal Group Membership Caching check box on the Site Settings tab.
5. Click OK.
When you cache universal group membership locally, any domain controller can resolve logon requests locally without having to go through a global catalog server. This allows for faster logons and makes managing server outages much easier because your domain isn’t relying on a single server or a group of servers for logons. This solution also reduces replication traffic. Instead of replicating the entire global catalog periodically over the network, only the universal group membership information in the cache is refreshed. By default, a refresh occurs every eight hours on each domain controller that’s caching membership locally.
Universal group membership caching is site-specific. Remember, a site is a physical directory structure consisting of one or more subnets with a specific IP address range and network mask. The domain controllers running Windows Server and the global catalog they’re contacting must be in the same site. If you have multiple sites, you need to configure local caching in each site. Additionally, users in the site must be part of a Windows domain running in Windows Server 2003 or higher functional mode.
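Because the setting is per site, it helps to review every site at once instead of opening each NTDS Site Settings dialog. The following read-only audit is an added example, not part of the original notes. It assumes the ActiveDirectory RSAT module, and that the check box and the Refresh Cache From list are stored as bit 0x20 of the options attribute and as msDS-Preferred-GC-Site on the NTDS Site Settings object (directory attribute names that the page itself does not mention).

```powershell
# Added example: read-only audit of universal group membership caching (UGMC) per site.
# Assumes the ActiveDirectory (RSAT) module and read access to the Configuration partition.
Import-Module ActiveDirectory

$UgmcBit  = 0x20   # "options" bit on NTDS Site Settings that the check box toggles
$gcFilter = '(&(objectClass=nTDSDSA)(options:1.2.840.113556.1.4.803:=1))'   # DCs flagged as GC
$configNC = (Get-ADRootDSE).configurationNamingContext

function Get-SiteGcCount {
    param([string]$SiteDN)
    # Count NTDS Settings objects under the site whose global catalog bit is set
    @(Get-ADObject -SearchBase $SiteDN -LDAPFilter $gcFilter).Count
}

$sites = Get-ADObject -SearchBase "CN=Sites,$configNC" -SearchScope OneLevel -LDAPFilter '(objectClass=site)'

$report = foreach ($site in $sites) {
    # Each site carries one child object of class nTDSSiteSettings
    $settings = Get-ADObject -SearchBase $site.DistinguishedName -SearchScope OneLevel `
        -LDAPFilter '(objectClass=nTDSSiteSettings)' -Properties options, 'msDS-Preferred-GC-Site' |
        Select-Object -First 1

    $options = 0
    if ($settings -and $null -ne $settings.options) { $options = [int]$settings.options }
    $enabled     = ($options -band $UgmcBit) -ne 0
    $refreshSite = if ($settings) { $settings.'msDS-Preferred-GC-Site' } else { $null }

    # Flag the case the procedure warns about: the refresh site needs a working GC
    $note = ''
    if ($enabled -and $refreshSite -and (Get-SiteGcCount $refreshSite) -eq 0) {
        $note = 'Refresh site has no global catalog'
    } elseif ($enabled -and -not $refreshSite) {
        $note = 'No Refresh Cache From site selected'
    }

    [pscustomobject]@{
        Site        = $site.Name
        UgmcEnabled = $enabled
        RefreshFrom = $refreshSite
        GCsInSite   = Get-SiteGcCount $site.DistinguishedName
        Note        = $note
    }
}

$report | Sort-Object Site | Format-Table -AutoSize
```

The script only reads the directory. It checks that a global catalog is configured in the refresh site, not that the server is reachable.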