Recipe 7.9 Enabling Universal Group Membership Caching

This recipe requires the Windows Server 2003 forest functional level.

7.9.1 Problem

You want to enable universal group membership caching so that a global catalog server is not needed during user logins.

7.9.2 Solution

Using a graphical user interface

  1. Open the Active Directory Sites and Services snap-in.

  2. In the left pane, browse to the site you want to enable group caching for and click on it.

  3. In the right pane, double-click on the NTDS Site Settings object.

  4. Under Universal Group Membership Caching, check the box beside Enable Universal Group Caching.

  5. If you want to force the cache refresh from a particular site, select a site or else leave the default set to <Default>.

  6. Click OK.

Using a command-line interface

You can use a combination of the dsquery site and dsget site commands to find out whether a site has group caching enabled (and which preferred global catalog site, if any, is set):

> dsquery site -name <SiteName> | dsget site -dn -cachegroups -prefGCSite

You can use ldifde to enable group caching. Create a file called enable_univ_cache.ldf with the following contents, replacing <SiteName> with the name of the site you want to enable and <ForestRootDN> with the distinguished name of the forest root domain:

dn: cn=NTDS Site Settings,cn=<SiteName>,cn=sites,cn=configuration,<ForestRootDN>
changetype: modify
replace: options
options: 32

Then use the following command to import the change:

> ldifde -i -f enable_univ_cache.ldf

Using VBScript

' This code enables universal group caching for the specified site.
' ------ SCRIPT CONFIGURATION ------
strSiteName = "<SiteName>"   ' e.g. Default-First-Site-Name
' ------ END CONFIGURATION ---------

set objRootDSE = GetObject("LDAP://RootDSE")
set objSite = GetObject("LDAP://cn=NTDS Site Settings,cn=" & strSiteName & _
              ",cn=sites," & objRootDSE.Get("configurationNamingContext") )
objSite.Put "options", 32   ' writes 32 outright; see the Discussion for why this is not ideal
objSite.SetInfo             ' commit the change to the directory
WScript.Echo "Successfully enabled universal group caching for " & strSiteName

7.9.3 Discussion

When a client logs on to a Windows 2000 Active Directory domain controller, the domain controller must contact a global catalog server (if it is not one itself) in order to fully authenticate the client. This is necessary because of universal groups.

Universal groups can be created and used anywhere in a forest. Objects located anywhere in a forest can be added as members of a universal group. Since a universal group could be created in a domain other than where the user object resides, it is necessary to store universal group membership in the global catalog. That way, during logon, domain controllers can query a global catalog to determine all universal groups a user is a member of. Microsoft's primary reason for making this a requirement during logon is that a user could be part of a universal group that has been explicitly denied access to certain resources. If universal groups aren't evaluated, a user could gain access to resources that were previously restricted.

To remove this limitation, Windows Server 2003 Active Directory introduced universal group caching. It can be enabled on a per-site basis and lets domain controllers cache universal group membership locally, which removes the need to query a global catalog during client logon.

You can enable universal group caching manually by setting the 100000 bit (32 in decimal) of the options attribute on the NTDS Site Settings object. The CLI and VBScript solutions blindly wrote 32 to that attribute, which is not ideal because it overwrites any other bits already set; see Recipe 4.12 for more information on properly setting a bit-flag attribute. The Sites and Services snap-in hides this logic and just requires you to check a box. Another setting that relates to universal group caching can also be configured. By default, domain controllers use the site topology to determine the optimal site from which to query a global catalog server for universal group information. You can override this and explicitly set which site domain controllers should use, either by selecting the site in the Sites and Services snap-in or by setting the msDS-Preferred-GC-Site attribute on the NTDS Site Settings object to the DN of the target site.
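The following PowerShell script is an added example and is not the cookbook's own code. It does what the Discussion recommends over the CLI and VBScript solutions: it reads the current value of options on the NTDS Site Settings object, sets or clears only the 32 bit, optionally writes msDS-Preferred-GC-Site after confirming the target site exists, and then re-reads the object to report the same state that dsget site -cachegroups -prefGCSite shows. The parameter names ($SiteName, $PreferredGcSite, $Disable) are this example's own; it assumes it runs on a domain-joined machine under an account allowed to modify the Configuration partition.

```powershell
# Added example (not the cookbook's code): enable or disable universal group
# membership caching for one site by read-modify-write on the options attribute
# of the NTDS Site Settings object, preserving any other bits already set.
# Assumed: domain-joined machine, rights to write the Configuration partition.
param(
    [Parameter(Mandatory = $true)] [string] $SiteName,
    [string] $PreferredGcSite,   # optional: site whose global catalogs refresh the cache
    [switch] $Disable            # clear the flag instead of setting it
)

$UgmcBit = 32   # 0x20, the universal group membership caching flag in "options"

$rootDse  = [ADSI]"LDAP://RootDSE"
$configNc = $rootDse.configurationNamingContext.Value
$sitesDn  = "cn=sites,$configNc"
$settings = [ADSI]"LDAP://cn=NTDS Site Settings,cn=$SiteName,$sitesDn"

# options is absent until something has set it; treat absent as 0.
$current = 0
if ($settings.Properties.Contains('options')) {
    $current = [int]$settings.Properties['options'].Value
}

# Touch only the UGMC bit; every other flag in options stays as it was.
if ($Disable) { $new = $current -band (-bnot $UgmcBit) }
else          { $new = $current -bor $UgmcBit }

if ($new -ne $current) { $settings.Put('options', $new) }

if ($PreferredGcSite) {
    # Bind to the target site first; this throws if the site does not exist,
    # so a mistyped name never ends up as a dangling DN in the attribute.
    $gcSite = [ADSI]"LDAP://cn=$PreferredGcSite,$sitesDn"
    $settings.Put('msDS-Preferred-GC-Site', $gcSite.distinguishedName.Value)
}

$settings.SetInfo()   # nothing reaches the directory until SetInfo

# Re-read the object and report, mirroring dsget site -cachegroups -prefGCSite.
$settings.RefreshCache()
$final  = [int]$settings.Properties['options'].Value
$state  = if ($final -band $UgmcBit) { 'enabled' } else { 'disabled' }
$prefGc = $settings.Properties['msDS-Preferred-GC-Site'].Value
"{0}: options {1} -> {2}, caching {3}, preferred GC site: {4}" -f $SiteName, $current, $final, $state, $prefGc
```

Run it as, for example, .\Set-UgmCaching.ps1 -SiteName Default-First-Site-Name, or add -PreferredGcSite HubSite to pin the refresh source and -Disable to turn caching off again. Because the script ORs and ANDs against the existing value rather than writing 32, it is safe to run against a site whose options attribute already carries other flags, which is the case the ldifde and VBScript solutions above do not handle.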
