Understanding Universal Group Membership Caching

Hello Friends

I hope this post finds you in good health and spirit. This time we will be discussing Universal Group Membership Caching (UGMC). Recently I had done a couple of trainings on Windows and AD for various companies and found this topic kind of unknown and confusing for a few participants. So in this blog let's clear up this topic.

When a user logs on, the user's group memberships must be validated in order to generate the security token. There is a special type of group called a “universal group”, which can contain user and group accounts from any domain in the forest. Because Global Catalog Servers (GCS) hold the partial attribute set (PAS) of every object in the entire forest, universal group membership is retrieved from a GCS, and so a GCS is mandatory for logon.

It is recommended to have at least one GCS per site, but in multidomain forests where remote sites have slow wide area network (WAN) connections it is not always possible to place a GCS because of the replication traffic involved. In this scenario a user can potentially be unable to log on to the domain if a GCS is not available.

Windows Server 2003 introduced a technique for caching universal group membership. This feature is called Universal Group Membership Caching (UGMC). UGMC is a site-wide setting and can be enabled when the domain controllers in the site run Windows Server 2003 or later. Once UGMC is enabled, the first time a user logs on the domain controller contacts a global catalog server and retrieves the universal group memberships for that user. On subsequent logon requests by the same user, the domain controller uses the cached universal group memberships and does not have to contact a global catalog server. The cache is maintained indefinitely and updated periodically to ensure that it is current. By default, domain controllers check the consistency of the cache every eight hours.

How to enable UGMC in a site

  1. Open Active Directory Sites and Services: On the Start menu, point to Administrative Tools, and then click Active Directory Sites and Services.
  2. In the console tree, expand Sites, and then click the site in which you want to enable Universal Group Membership Caching.
  3. In the details pane, right-click the NTDS Site Settings object, and then click Properties.
  4. Under Universal Group Membership Caching, select Enable Universal Group Membership Caching.
  5. In the “Refresh cache from” list, click the site that you want the domain controller to contact when the Universal Group membership cache must be updated, and then click OK.
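The same setting can be audited and applied from PowerShell, which is handy when you need to check many sites at once. The script below is an added example, not part of the original post; it assumes the RSAT ActiveDirectory module is installed, that the caller has write access to the Configuration partition, and that the site names `BranchSite` and `HubSite` are placeholders for your own sites. UGMC is stored as bit 0x20 of the `options` attribute on the site's NTDS Site Settings object, and the “Refresh cache from” choice is the `msDS-Preferred-GC-Site` attribute (unset means “Default”).

```powershell
# Added example: report sites without a global catalog and enable UGMC for one of them.
# Assumptions: RSAT ActiveDirectory module; rights on the Configuration partition;
# 'BranchSite' and 'HubSite' are placeholder site names.
Import-Module ActiveDirectory

$ConfigNC = (Get-ADRootDSE).configurationNamingContext
$UgmcFlag = 0x20   # NTDSSETTINGS_OPT_IS_GROUP_CACHING_ENABLED in the 'options' attribute

function Get-SiteSettingsDN {
    param([string]$Site)
    "CN=NTDS Site Settings,CN=$Site,CN=Sites,$ConfigNC"
}

# Returns whether UGMC is on for a site and which site it refreshes the cache from.
function Get-UgmcState {
    param([string]$Site)
    $s = Get-ADObject -Identity (Get-SiteSettingsDN $Site) -Properties options, 'msDS-Preferred-GC-Site'
    [pscustomobject]@{
        Site            = $Site
        UgmcEnabled     = (([int]$s.options) -band $UgmcFlag) -ne 0   # [int]$null is 0 if never set
        RefreshFromSite = if ($s.'msDS-Preferred-GC-Site') { $s.'msDS-Preferred-GC-Site' } else { '<Default>' }
    }
}

# Sets the UGMC bit without disturbing the other option bits, and points the refresh at a GC site.
function Enable-Ugmc {
    param([string]$Site, [string]$RefreshFromSite)
    $dn = Get-SiteSettingsDN $Site
    $current = [int](Get-ADObject -Identity $dn -Properties options).options
    Set-ADObject -Identity $dn -Replace @{
        options                  = ($current -bor $UgmcFlag)
        'msDS-Preferred-GC-Site' = "CN=$RefreshFromSite,CN=Sites,$ConfigNC"
    }
}

# Sites that have no GC are the candidates for UGMC; list them alongside their current state.
$gcSites = Get-ADDomainController -Filter * | Where-Object IsGlobalCatalog | Select-Object -ExpandProperty Site -Unique
Get-ADReplicationSite -Filter * |
    Where-Object { $gcSites -notcontains $_.Name } |
    ForEach-Object { Get-UgmcState -Site $_.Name } |
    Format-Table -AutoSize

# Example: enable caching in the branch and refresh it from the hub that holds a GC.
Enable-Ugmc -Site 'BranchSite' -RefreshFromSite 'HubSite'
Get-UgmcState -Site 'BranchSite'
```

Because the change lands on the Configuration partition, it replicates to every domain controller in the forest; give it time before verifying from a DC in the branch site.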

So, that’s all in this blog. Hope it is helpful and we will meet again in some other blog. Till then have a nice day and take care of yourself.
