Universal groups are stored on a Domain Controller that has been made a global catalog server. If a user is a member of a universal group and no global catalog server is available, the user will not be able to log in. In some cases you may have only a few users at a site and do not wish to deploy a global catalog server there because of the extra replication it would cause. This video looks at how you can use universal group membership caching to allow users to authenticate from a Domain Controller when a global catalog server is not available.
Authentication process
When a user authenticates from a Domain Controller, a security token is created for that user that contains all the groups the user is a member of. If the user is a member of a universal group, a global catalog server must be contacted in order to obtain this membership. If no global catalog server is available and universal group membership caching is not enabled, the following occurs: the user will be able to log in locally on their computer if their credentials have been cached on that computer, which may be the case if they were the last person to log in to it. This gives the user local access, but when they attempt to connect to another computer, for example a file share on a server, that computer will re-check the user's account. This is done to ensure the account has not been locked out or disabled. If no global catalog server is available to the computer the user is trying to connect to, the user will be denied access.
How Universal Group Membership Caching works
When a user authenticates from the domain controller, the domain controller will contact a global catalog server in order to determine the universal group membership for that user. Once obtained, this information is stored on the Domain Controller indefinitely. To make sure the cache is kept up to date, it is refreshed from a global catalog server every 8 hours.
How to enable Universal Group Membership caching (UGMC)
UGMC can only be enabled at the site level, so once enabled, all Domain Controllers in that site that are not global catalog servers will start caching universal group membership. To enable UGMC, do the following:
1) Open Active Directory Sites and Services.
2) Open the site in which you want to enable UGMC.
3) Open the properties for NTDS Site Settings. These settings should not be confused with the NTDS Settings object found under each Domain Controller.
4) From the properties tick the option “Enable Universal Group Membership Caching.”
5) If you wish, you can also select the option “Refresh cache from”. This lets you choose which site the Domain Controller refreshes its cache from. If this is not configured, the Domain Controller will refresh its universal group membership cache from the closest global catalog server.
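The same change made with the ActiveDirectory PowerShell module instead of the Sites and Services dialog, plus a per-site report that shows which sites have no global catalog and whether caching is enabled there. This is an added example, not code from the original video; it assumes the RSAT ActiveDirectory module is installed and that the account can write to the Configuration partition. The “Enable Universal Group Membership Caching” checkbox sets bit 0x20 of the `options` attribute on the site's NTDS Site Settings object, and “Refresh cache from” is stored in its `msDS-Preferred-GC-Site` attribute; the site names passed in are placeholders.

```powershell
# Added example (not from the original video). Enables UGMC on a site by setting
# the caching bit on the site's "NTDS Site Settings" object, optionally points the
# cache refresh at a chosen site, and reports UGMC/GC status per site.
# Assumes: RSAT ActiveDirectory module, rights to the Configuration partition.

Import-Module ActiveDirectory

# Bit 0x20 of 'options' on NTDS Site Settings is the UGMC checkbox in the GUI.
$UgmcFlag = 0x20

function Get-UgmcSiteSettings {
    param([Parameter(Mandatory)][string]$SiteName)
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $dn = "CN=NTDS Site Settings,CN=$SiteName,CN=Sites,$configNC"
    Get-ADObject -Identity $dn -Properties options, 'msDS-Preferred-GC-Site'
}

function Enable-Ugmc {
    param(
        [Parameter(Mandatory)][string]$SiteName,
        [string]$RefreshFromSite   # optional: site whose GC refreshes the cache
    )
    $settings = Get-UgmcSiteSettings -SiteName $SiteName
    $current  = [int]$settings.options      # $null (attribute unset) becomes 0

    # Only write when the bit is not already set, so other option bits survive.
    if (($current -band $UgmcFlag) -eq 0) {
        Set-ADObject -Identity $settings.DistinguishedName `
            -Replace @{ options = ($current -bor $UgmcFlag) }
    }

    if ($RefreshFromSite) {
        $configNC  = (Get-ADRootDSE).configurationNamingContext
        $refreshDn = "CN=$RefreshFromSite,CN=Sites,$configNC"
        Set-ADObject -Identity $settings.DistinguishedName `
            -Replace @{ 'msDS-Preferred-GC-Site' = $refreshDn }
    }

    Get-UgmcSiteSettings -SiteName $SiteName   # read back what is now stored
}

# Per-site report: a site with DCs but zero GCs and UGMC disabled is where
# universal-group members will fail to authenticate when the WAN link is down.
function Get-UgmcReport {
    foreach ($site in Get-ADReplicationSite -Filter *) {
        $settings = Get-ADObject -Identity "CN=NTDS Site Settings,$($site.DistinguishedName)" `
            -Properties options, 'msDS-Preferred-GC-Site'
        $siteName = $site.Name
        $dcs = @(Get-ADDomainController -Filter "Site -eq '$siteName'")
        [pscustomobject]@{
            Site              = $siteName
            DomainControllers = $dcs.Count
            GlobalCatalogs    = @($dcs | Where-Object IsGlobalCatalog).Count
            UgmcEnabled       = (([int]$settings.options) -band $UgmcFlag) -ne 0
            RefreshFromSite   = $settings.'msDS-Preferred-GC-Site'
        }
    }
}

# Usage (placeholder site names):
#   Enable-Ugmc -SiteName 'BranchOffice' -RefreshFromSite 'HeadOffice'
#   Get-UgmcReport | Format-Table -AutoSize
```

The read-modify-write on `options` matters: the attribute is a bit field shared with other site settings, so replacing it with a bare `0x20` would silently clear anything else that was set. Run `Get-UgmcReport` after the change to confirm the site now shows `UgmcEnabled` as `True` and, if you set it, the expected `RefreshFromSite` distinguished name.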
References
“MCTS 70-640 Configuring Windows Server 2008 Active Directory”, pp. 524-525
“Cache universal group memberships” http://technet.microsoft.com/en-us/library/cc775528(v=ws.10).aspx
Credits