Configure Universal Group Membership Caching

When a user attempts to log in to an AD domain, the client contacts a Domain Controller (DC) in the same AD Site; a Global Catalog (GC) Server then reads the user's Universal Group Membership and the user is authenticated.

If no DC is found in the same Site, the client locates (via DNS) a DC in another Site. That communication most likely crosses a WAN link, as it does for branch office communications.

If no DC is available, the user’s login will fail.

To avoid such cases, there are two options: either place a Global Catalog Server in the branch office so that users can authenticate locally, or enable Universal Group Membership Caching (UGMC).

Universal Group Membership Caching was first introduced in Windows Server 2003 and is still available today. At the time, links between different regions were slow and unstable, and even the GC's replication traffic had a negative effect on communication between regions. That, I think, was one of the reasons UGMC came to Windows Server.

When UGMC is enabled on a Site and a user attempts to log in, the DC handling the request contacts a GC Server, obtains the user's Universal Group Membership, and caches it locally. The next time the user logs in, the logon succeeds and is faster, because the DC no longer needs to contact a GC, even if the WAN link is down.

UGMC is enabled at the Site level, not per DC. Also, for a user to log in through UGMC, that user must previously have authenticated successfully while a Global Catalog Server was reachable and UGMC was enabled, because that is when the DC caches the user's Universal Group Membership. A user who has not logged in during that window will not be able to log in while the GC is unreachable, because no cached data for them exists on the server.

The automatic refresh interval of the UGMC cache from a GC Server is 8 hours. If Universal Group memberships change frequently, it is a better idea to place a GC Server than to rely on caching. Also, UGMC is only used when there is no communication with a GC Server; otherwise the DC will first try to contact a GC for user authentication.

Let’s see how you can enable UGMC on Windows Server (regardless of version).

Enable Universal Group Membership Caching

Open the Active Directory Sites and Services console and select the Site for which you want to enable Universal Group Membership Caching. There, right-click the NTDS Site Settings object, and then click Properties.


In the window that appears, on the Site Settings tab, check the Enable Universal Group Membership Caching option. Also, in the Refresh cache from field, choose the Site from which the cache is automatically refreshed every 8 hours. If you select Default, the refresh is done automatically from the nearest Site, based on your infrastructure.


Click Apply and OK to save your changes.
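The same configuration can be scripted and, more usefully, audited across every Site. The following is an added example, not code from the original article; it uses the ActiveDirectory PowerShell module (RSAT) and assumes rights to modify the Configuration partition. The site names BranchOffice and HQ are constructed.

```powershell
# Added example, not from the original article. Assumes the ActiveDirectory
# module (RSAT) and rights on the Configuration naming context.
# UGMC is stored in the 'options' attribute of each Site's "NTDS Site Settings"
# object: bit 0x20 (NTDSSETTINGS_OPT_IS_GROUP_CACHING_ENABLED) enables caching.
# 'msDS-Preferred-GC-Site' holds the "Refresh cache from" Site; empty = Default.
Import-Module ActiveDirectory

$UgmcFlag = 0x20
$ConfigNC = (Get-ADRootDSE).configurationNamingContext

function Get-UgmcStatus {
    # Report the UGMC state of every Site, so a branch without caching or a
    # GC is visible before a WAN outage makes it a logon problem.
    Get-ADObject -LDAPFilter '(objectClass=nTDSSiteSettings)' `
        -SearchBase "CN=Sites,$ConfigNC" -Properties options, 'msDS-Preferred-GC-Site' |
    ForEach-Object {
        $pref = $_.'msDS-Preferred-GC-Site'
        [pscustomobject]@{
            Site        = (($_.DistinguishedName -split ',')[1]) -replace '^CN='
            UgmcEnabled = (([int]($_.options)) -band $UgmcFlag) -ne 0
            RefreshFrom = if ($pref) { (($pref -split ',')[0]) -replace '^CN=' } else { 'Default' }
        }
    }
}

function Enable-Ugmc {
    param(
        [Parameter(Mandatory)] [string] $SiteName,
        [string] $PreferredGcSite   # optional "Refresh cache from" Site name
    )
    $dn = "CN=NTDS Site Settings,CN=$SiteName,CN=Sites,$ConfigNC"
    # OR the flag into the existing value so other option bits are preserved
    $current = [int]((Get-ADObject -Identity $dn -Properties options).options)
    $changes = @{ options = ($current -bor $UgmcFlag) }
    if ($PreferredGcSite) {
        $changes['msDS-Preferred-GC-Site'] = "CN=$PreferredGcSite,CN=Sites,$ConfigNC"
    }
    Set-ADObject -Identity $dn -Replace $changes
}

# Usage with constructed Site names: cache for the branch, refresh from HQ's GC
Enable-Ugmc -SiteName 'BranchOffice' -PreferredGcSite 'HQ'
Get-UgmcStatus | Format-Table -AutoSize
```

Running Get-UgmcStatus on its own is a harmless read-only check that corresponds to opening each Site's NTDS Site Settings properties in the console.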

Finally, note that the Universal Group Membership Caching feature only works for user authentication. If, for example, you have an Exchange Server in the infrastructure and the link to a GC Server is unavailable, there will be problems, and UGMC will not help beyond authenticating users.

About Dimitris Tonias
My name is Dimitris Tonias, IT Pro, G(r)eek, focused on Server, Virtualization, and Cloud technologies.
