How to enable Universal Group Membership Caching

We generally recommend deploying a global catalog server rather than enabling universal group membership caching in remote sites. In my opinion, however, turning on universal group membership caching is still a good workaround for sites that do not have global catalog servers. If the branch office AD servers are not acting as global catalog servers, you can enable universal group membership caching for that AD site. Follow the steps below to enable universal group membership caching for a site:

1. Launch Active Directory Sites and Services from the Administrative Tools program group.

2. Expand the tree in the left-hand pane, and select the site you wish to adjust this setting for.

3. In the right-hand pane, right-click NTDS Site Settings and select Properties.

4. Ensure that the Enable Universal Group Membership Caching option is selected.

5. In the Refresh Cache From list, select the site where you want to cache group membership. If you leave this setting as the default, the cache will be refreshed from the closest site that is running the global catalog servers.

Enabling universal group membership caching

Note that only Domain Admins in the forest root domain and Enterprise Admins group members have sufficient privileges to adjust caching settings as outlined here.
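The same setting can be audited and applied from PowerShell. The following is an added example, not part of the original post: it assumes the ActiveDirectory PowerShell module (RSAT) is available and is run with the privileges noted above, and `Branch01` and `HQ` are placeholder site names.

```powershell
# Added example: audit every site, then enable caching on one branch site.
# Assumes the ActiveDirectory module; site names below are placeholders.
Import-Module ActiveDirectory

$SiteName    = 'Branch01'   # placeholder: branch site without a global catalog
$RefreshSite = 'HQ'         # placeholder: site whose global catalogs refresh the cache

# Collect domain controllers from every domain in the forest.
$dcs = (Get-ADForest).Domains | ForEach-Object {
    Get-ADDomainController -Filter * -Server $_
}

# Report DC count, GC count and current caching state per site.
$report = Get-ADReplicationSite -Filter * | ForEach-Object {
    $site   = $_
    $siteDc = @($dcs | Where-Object { $_.Site -eq $site.Name })
    [pscustomobject]@{
        Site        = $site.Name
        DCs         = $siteDc.Count
        GCs         = @($siteDc | Where-Object { $_.IsGlobalCatalog }).Count
        UGMCEnabled = $site.UniversalGroupCachingEnabled
        RefreshFrom = $site.UniversalGroupCachingRefreshSite
    }
}
$report | Format-Table -AutoSize

# Only change the site if it has a local DC but no local global catalog.
$target = $report | Where-Object { $_.Site -eq $SiteName }
if (-not $target) {
    Write-Warning "Site '$SiteName' was not found."
}
elseif ($target.DCs -eq 0 -or $target.GCs -gt 0) {
    Write-Warning "Site '$SiteName' has $($target.DCs) DC(s) and $($target.GCs) GC(s); caching not changed."
}
else {
    # Equivalent to steps 4 and 5 in NTDS Site Settings.
    Set-ADReplicationSite -Identity $SiteName `
        -UniversalGroupCachingEnabled $true `
        -UniversalGroupCachingRefreshSite $RefreshSite

    # Read the setting back to confirm the change.
    Get-ADReplicationSite -Identity $SiteName |
        Select-Object Name, UniversalGroupCachingEnabled, UniversalGroupCachingRefreshSite
}
```

The per-site report is also a quick way to spot sites where caching was enabled but a global catalog has since been deployed locally.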

After you enable universal group membership caching, the logon process is adjusted as follows: When a user logs on to the domain for the first time, the local domain controller, as usual, requests universal group membership information from the closest global catalog server. Following our example, this would be happening over a WAN link. Once the information is received from the global catalog server, it is cached on the domain controller servicing the logon request, and then from time to time it gets refreshed. From this point on, all subsequent logon requests generated by that particular user will be fulfilled by a local domain controller.

By default, universal group membership information is refreshed every eight hours. The local domain controller refreshes information from the global catalog server by submitting a universal group membership confirmation request.

Universal group membership caching is configured at the site level (sites are discussed in greater detail later in this book). To take advantage of this feature, you must ensure that all of the domain controllers in your remote site, or in other words, in a branch location where caching is configured, are running Windows Server 2003 or 2008.

To summarize, the benefits of using universal group membership caching are as follows:

■ Logon times improve due to authentication being fully contained on a local domain controller.

■ Selected sites can now be implemented without deploying global catalog servers, which potentially saves hardware expenses without compromising logon functionality.

■ Depending on how your domains are used, by reducing the total number of global catalog servers, you effectively reduce bandwidth requirements needed to ensure successful and timely GC data replication.

It is recommended that you use universal group membership caching whenever the remote location has a local domain controller but no locally maintained global catalog server, and only where all local domain controllers are running Windows Server 2003 or 2008.

So, that’s all in this blog. I will meet you soon with the next stuff. Have a nice day!

Vipan Kumar

He is an Active Directory Engineer. He has been working in the IT industry for more than 10 years. He is a dedicated and enthusiastic information technology expert who is always ready to resolve any technical problem. If you need any further help on the subject matter, feel free to contact us at admin@windowstechno.com. Please subscribe to our Facebook page as well as the website for the latest articles: https://www.facebook.com/windowstechno