Configure Universal Group Membership Caching

by Dimitris Tonias
March 29, 2018 - Updated on April 21, 2024

When a user attempts to log in to an AD Domain, the logon is directed to a Domain Controller (DC) in the same AD Site; the Global Catalog (GC) Server reads the user's Universal Group Membership, and the user is then authenticated.

If no DC is found in the same Site, the logon tries to reach (via DNS) a DC in one of the other Sites. That communication most likely crosses a WAN link, as is typical for branch offices.

If no DC is available, the user’s login will fail.

To avoid such cases, there are two options: either place a Global Catalog Server in the branch office so that users can authenticate, or enable Universal Group Membership Caching (UGMC).

Universal Group Membership Caching was first introduced in Windows Server 2003 and is still available today. Previously, links between different regions were very slow and unstable. Even GC replication traffic had a negative effect on the communication between different regions. That, I think, was one of the reasons that UGMC came to Windows Server.

When UGMC is enabled on a Site and a user attempts to log in, the requesting DC contacts a GC Server, obtains the user's Universal Group Membership, and caches it locally. The next time the user logs in, the logon will succeed and be faster, because the DC does not need to contact a GC, even if the WAN link is down.

UGMC is enabled at the Site level, not at the DC level. Also, for a user to log in through UGMC, that user must previously have authenticated successfully while both a Global Catalog Server was available and UGMC was enabled. This is how the DC caches the Universal Group Membership of the users. A user who has not logged in under those conditions will not be able to log in, because their cache data will not exist on the server.

The automatic UGMC refresh interval from a DC to a GC Server is 8 hours. If Universal Memberships change frequently, it is a good idea to place a GC Server in the Site instead of relying on caching. Also, UGMC is used only when there is no communication with a GC Server. Otherwise, the DC will first try to communicate with a GC for user authentication.

Let’s see how you can enable UGMC on Windows Server (regardless of version).

Enable Universal Group Membership Caching

Open the Active Directory Sites and Services console and select the Site on which you want to enable Universal Group Membership Caching. Right-click the NTDS Site Settings object, and then click Properties.

In the window that appears, on the Site Settings tab, check the Enable Universal Group Membership Caching option. Then, in the Refresh cache from field, choose the Site from which the cache is refreshed automatically every 8 hours. If you select Default, the refresh will be done automatically from the nearest site based on your infrastructure.

Click Apply and OK to save your changes.
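
The same setting can be audited across all Sites and applied from PowerShell. The script below is an added example, not part of the original article; it assumes the ActiveDirectory (RSAT) module is installed, and the site names Branch01 and HQ are hypothetical.

```powershell
# Added example: audit and enable UGMC with the ActiveDirectory module.
# Requires RSAT and rights to modify site objects in the Configuration partition.
Import-Module ActiveDirectory

# For every Site, report whether UGMC is on, where it refreshes from, and
# whether the Site already hosts a Global Catalog (in which case the DC
# asks the GC first and the cache is only a fallback).
# Note: Get-ADDomainController -Filter only lists DCs of the current domain.
function Get-UgmcSiteReport {
    $gcSites = Get-ADDomainController -Filter { IsGlobalCatalog -eq $true } |
        Select-Object -ExpandProperty Site -Unique

    Get-ADReplicationSite -Filter * -Properties UniversalGroupCachingEnabled,
                                                UniversalGroupCachingRefreshSite |
        ForEach-Object {
            [pscustomobject]@{
                Site        = $_.Name
                HasGC       = $gcSites -contains $_.Name
                UgmcEnabled = [bool]$_.UniversalGroupCachingEnabled
                RefreshFrom = if ($_.UniversalGroupCachingRefreshSite) {
                                  $_.UniversalGroupCachingRefreshSite
                              } else { '<Default>' }
            }
        }
}

# Equivalent of ticking "Enable Universal Group Membership Caching" on the
# NTDS Site Settings object. Omit -RefreshSite to keep "Default".
function Enable-UgmcOnSite {
    param(
        [Parameter(Mandatory)][string]$SiteName,
        [string]$RefreshSite
    )
    $params = @{ Identity = $SiteName; UniversalGroupCachingEnabled = $true }
    if ($RefreshSite) { $params.UniversalGroupCachingRefreshSite = $RefreshSite }
    Set-ADReplicationSite @params
}

Get-UgmcSiteReport | Format-Table -AutoSize

# Hypothetical site names; uncomment and adjust for your environment.
# Enable-UgmcOnSite -SiteName 'Branch01' -RefreshSite 'HQ'
```

Sites that show UgmcEnabled as True and HasGC as False are the ones where logons depend on cached memberships that can be up to 8 hours old.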

Finally, note that the Universal Group Membership Caching feature only works for user authentication. If, for example, you have an Exchange Server in the infrastructure and it cannot reach a GC Server, there will be problems, and UGMC will not help beyond authenticating users.
