Question regarding universal group caching

Instead of enabling a global catalog in a site, you can use universal group caching. Now lets say I am on a DC that is in a site with Universal Group Caching enabled. A user tries to log on to that DC. Does that user who is logging on actually have to be in a Universal Group somewhere for it to be cached on the DC in its site? Or will the user be cached regardless of its group membership?

Find more posts tagged with

Comments

sprkymrk

It will be cached only if he is a member of a Universal Group. The reason is because Universal Group Caching is only intended to speed the logon process when a Global Catalog would otherwise be needed in a multiple domain forest to authenticate an individual's group memberships. If the user in question is not a member of an universal groups he/she can be authenticated at the domain (rather than forest) level and a Global Catalog need not be used, any DC will do.

Some good reading/explanation can be found here:

http://technet2.microsoft.com/WindowsServer/en/library/24311c41-d2a1-4e72-a54f-150483fa885a1033.mspx?mfr=true

Here are some highlights:

Universal Group Membership Caching: In a forest that has more than one domain, in sites that have domain users but no global catalog server, Universal Group Membership Caching can be used to enable caching of logon credentials so that the global catalog does not have to be contacted for subsequent user logons. This feature eliminates the need to retrieve universal group memberships across a WAN link from a global catalog server in a different site.

The underlines are mine for emphasis.

The global catalog stores the membership (the member attribute) of only universal groups. The membership of other groups can be ascertained at the domain level.

Because a universal group can have members from domains other than the domain where the group object is stored and can be used to provide access to resources in any domain, only a global catalog server is guaranteed to have all universal group memberships that are required for authentication.

Hence the need/usefulness of UGMC...

Universal Group Membership Caching is a new feature in Windows Server 2003 that eliminates the need for a domain controller in a multidomain forest to contact a global catalog server during the logon process in domains where universal groups are available. Caching group membership reduces WAN traffic, which helps in sites where updating the cached group membership of security principals, including user and computer accounts, generates less traffic than replicating the global catalog to the site.

Hope that helps.

sprkymrk

icroyal wrote:

Does that user who is logging on actually have to be in a Universal Group somewhere for it to be cached on the DC in its site?

Sorry. I guess I could have just said "yes".

royal

That does help. So here's my next question.

Lets say you have users in a global group. These users are in a universal group. The global group is replicated amongst the global catalog servers. The users in the global group are not recplicated. Will authentication for those users who are in that global group which is nested in a universal group still be able to be authenticated?

Also, another question. Why would you place users in a universal group for authentication? Why not just add those users to the DC which is in their site so they can just logon normally using the normal client logs on and uses kerberos with the DC in its site?

Thanks a bunch for your help.

royal

I found this article and read most of it. It really helps.

http://technet2.microsoft.com/WindowsServer/en/library/440e44ab-ea05-4bd8-a68c-12cf8fb1af501033.mspx?mfr=true