When to use and not use universal group membership caching

by Mitch Tulloch [Published on 20 Dec. 2005 / Last Updated on 20 Dec. 2005]

This tip explains when to use and not use universal group membership caching.

Windows Server 2003 includes a new feature called universal group membership caching (UGMC), which locally caches a user's universal group memberships on the domain controller that authenticates the user. This can be useful in branch office scenarios where you don't want to deploy a global catalog (GC) because of the extra WAN traffic a GC generates when it replicates with other domain controllers in the domain. The cached membership is then refreshed every 8 hours to keep it up to date.

UGMC is enabled on a per-site basis in AD as follows: open Active Directory Sites and Services, expand the Sites node, and select the site where you want to enable UGMC. Right-click NTDS Site Settings, select Properties, and select the Enable Universal Group Membership Caching check box. Then, under "Refresh cache from", click a different site from which the selected site will refresh its universal group membership cache.

If UGMC can speed logons at remote sites, then it sounds like a good idea. But when is it better to simply deploy a GC at the remote office instead?

1. When you have lots of WAN bandwidth available

2. When the membership of universal groups frequently changes

3. When you have Exchange Server deployed at the remote site

4. When the branch office and headquarters both belong to the same AD site

If any of these is true, it's best if you simply make one of the domain controllers at your remote office a global catalog server.
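The per-site setting described above can also be audited and set from a script. The following is an added example, not part of the original tip: it assumes the ActiveDirectory PowerShell module (RSAT) from a later Windows Server release, and the site names `Branch01` and `HQ` are constructed. It reports, for each site, whether UGMC is enabled, where the cache refreshes from, and whether a GC is already present.

```powershell
# Added example, not from the original tip. Assumes the ActiveDirectory
# PowerShell module (RSAT) from a later Windows Server release.
Import-Module ActiveDirectory

function Get-UgmcSiteReport {
    # Gather domain controllers from every domain in the forest, because a
    # site can hold DCs (and global catalogs) from more than one domain.
    $dcs = foreach ($domain in (Get-ADForest).Domains) {
        Get-ADDomainController -Filter * -Server $domain
    }

    foreach ($site in Get-ADReplicationSite -Filter * -Properties *) {
        $siteDcs = @($dcs | Where-Object { $_.Site -eq $site.Name })
        $gcs     = @($siteDcs | Where-Object { $_.IsGlobalCatalog })
        $ugmc    = [bool]$site.UniversalGroupCachingEnabled

        # Classify the site so mismatched configurations stand out.
        $note = if ($siteDcs.Count -eq 0)            { 'No DC in site' }
                elseif ($ugmc -and $gcs.Count -gt 0) { 'UGMC on, but a GC is already in the site' }
                elseif ($ugmc)                       { 'UGMC on, no local GC' }
                elseif ($gcs.Count -eq 0)            { 'No local GC and no UGMC' }
                else                                 { 'Local GC' }

        [pscustomobject]@{
            Site        = $site.Name
            DCs         = $siteDcs.Count
            GCs         = $gcs.Count
            UgmcEnabled = $ugmc
            RefreshFrom = $site.UniversalGroupCachingRefreshSite
            Note        = $note
        }
    }
}

Get-UgmcSiteReport | Sort-Object Site | Format-Table -AutoSize

# Scripted equivalent of the check box and "Refresh cache from" setting.
# 'Branch01' and 'HQ' are constructed site names; -WhatIf previews the change.
Set-ADReplicationSite -Identity 'Branch01' `
    -UniversalGroupCachingEnabled $true `
    -UniversalGroupCachingRefreshSite 'HQ' -WhatIf
```

Remove `-WhatIf` to apply the change once the preview shows the intended site and refresh source.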
