Thursday 10 September 2015

Microsoft: Active Directory Universal Group Membership Caching


In multidomain forests where remote sites do not have a global catalog server, the need to contact a global catalog server over a potentially slow WAN connection can be problematic. On domain controllers that are running Windows Server 2003 or later, the Universal Group Membership Caching feature is available by default (does not require a specific functional level or domain mode), although it must be enabled on a per-site basis.

When enabled, this feature allows a domain controller to cache global group SIDs and universal group SIDs that it retrieves from a global catalog server so that future logons do not require contacting a global catalog server. This storage is referred to as “caching,” but the memberships are actually stored in a non-volatile AD DS value. The memberships that are written to this value are not lost as a result of a restart or power outage. For the purposes of this discussion, the term “cache” refers to this value. Group membership is cached for user accounts and computer accounts.
Caching group memberships in branch site locations has the following potential benefits:
* Faster logon times because authenticating domain controllers no longer need to contact a global catalog server to obtain universal group membership.
* Higher availability because logon is still possible if the WAN link to the site of the global catalog server is unavailable.
* No need to upgrade the hardware of existing domain controllers to handle the extra system requirements necessary for hosting the global catalog.
* Minimized network bandwidth usage because a branch site domain controller does not have to replicate all of the objects located in the global catalog.

<< Enabling Universal Group Membership Caching >>
Universal Group Membership Caching can be enabled for a site by using the Active Directory Sites and Services MMC snap-in to edit the properties of the NTDS Site Settings object (CN=NTDS Site Settings,CN=TargetSiteName,CN=Sites,CN=Configuration,CN=ForestRootDomain). In Active Directory Sites and Services, if you click a site object, the NTDS Site Settings object for the site is visible in the details pane. Right-click the NTDS Site Settings object and then click Properties. In the NTDS Site Settings Properties dialog box, click Enable Universal Group Membership Caching.

* Note:
The options attribute of the NTDS Site Settings object, which controls this feature, has a default value of 0. When only the Universal Group Membership Caching option is enabled, the attribute value is 32 (0x20). However, this attribute is a bit field: its value is the combination of every bit that is set, so other options may be enabled alongside caching. To determine whether caching is enabled, test the 32 bit with a bitwise AND rather than comparing the whole value with 32.

When the feature is enabled for a site, domain controllers in the site cache both universal group membership and global group membership for first-time logons and keep the cache updated thereafter. The feature allows specifying the site from which to retrieve group membership. In the NTDS Site Settings Properties dialog box, you can use the Refresh cache from list to specify the site to use. The msDS-Preferred-GC-Site attribute stores the distinguished name of the specified site and controls this setting.

If no site is specified, the closest-site mechanism uses the cost setting on the site link to determine which site has the least-cost connection to contact a global catalog server.
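As an added example (not part of Microsoft's text), the following PowerShell script audits the two attributes described above for every site in the forest: it tests the 32 bit of options with a bitwise AND, reads msDS-Preferred-GC-Site, and flags sites that have no local global catalog. It assumes the RSAT ActiveDirectory module is installed and the caller can read the Configuration partition.

```powershell
# Added example, not Microsoft's code: report Universal Group Membership Caching
# state for every site. Assumes the ActiveDirectory (RSAT) module is available.
Import-Module ActiveDirectory

# Bit 32 (0x20) of the options attribute on NTDS Site Settings enables UGMC.
$UGMC_FLAG = 0x20

$configNC = (Get-ADRootDSE).configurationNamingContext
$sitesDN  = "CN=Sites,$configNC"

# One nTDSSiteSettings object exists per site; it carries both
# options and msDS-Preferred-GC-Site.
$settings = Get-ADObject -SearchBase $sitesDN `
    -LDAPFilter '(objectClass=nTDSSiteSettings)' `
    -Properties options, 'msDS-Preferred-GC-Site'

# Sites that host at least one global catalog, for context in the report.
$gcSites = (Get-ADDomainController -Filter { IsGlobalCatalog -eq $true }).Site |
    Sort-Object -Unique

$report = foreach ($s in $settings) {
    # The parent container of "CN=NTDS Site Settings" is the site object.
    $siteName = ($s.DistinguishedName -split ',')[1] -replace '^CN='
    $options  = [int]($s.options)     # attribute absent => $null => 0

    $preferred = if ($s.'msDS-Preferred-GC-Site') {
        ($s.'msDS-Preferred-GC-Site' -split ',')[0] -replace '^CN='
    } else { '(closest site by site-link cost)' }

    [pscustomobject]@{
        Site            = $siteName
        Options         = $options
        # Bitwise AND: other option bits may be set at the same time,
        # so an equality test against 32 would miss those sites.
        UGMCEnabled     = (($options -band $UGMC_FLAG) -ne 0)
        HasLocalGC      = ($gcSites -contains $siteName)
        PreferredGCSite = $preferred
    }
}

# Sites with neither a local GC nor caching depend entirely on the WAN link.
$report | Sort-Object Site | Format-Table -AutoSize
```

Sites where HasLocalGC and UGMCEnabled are both false are the ones where logons still require a global catalog across the WAN.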

If the user has not logged on to the domain previously and a global catalog server is not available, the user can log on to only the local computer.
