
How to enable universal group membership caching (UGMC)?

In one of my previous posts I explained how to set up a branch network properly. There I mentioned how we can make better use of the bandwidth between the corporate office and the branch office. One of the methods we can use for that is universal group membership caching (UGMC). If the branch office AD servers are not acting as global catalog (GC) servers, UGMC allows them to store universal group membership data in a cache. By default this cache is updated every eight hours. As a result of UGMC, branch office domain controllers can process logon or resource requests without going to a GC server over the WAN link.

UGMC has to be enabled on a per-site basis. For this function to work, each user must have logged on while a GC server was available and the UGMC feature was enabled.

Let’s see how we can enable this feature.

1)    Log in to the domain controller as a member of the Domain Admins group or the Enterprise Admins group.
2)    Then go to Server Manager > Tools > Active Directory Sites and Services.


3)    Then, in the MMC, select the site where you need UGMC enabled.


4)    In the right-hand panel, right-click “NTDS Site Settings” and click Properties.


5)    In the properties window, tick “Enable Universal Group Membership Caching”.


6)    Under the “Refresh cache from” drop-down you can select which site it should use to get the cache.


7)    Once this is done, click OK to apply the change.

UGMC is now enabled in the given site. If you have any questions about the steps feel free to contact me on rebeladm@live.com
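The same setting can be audited across all sites and applied from PowerShell. This is an added example, not part of the original post; it assumes the ActiveDirectory RSAT module is installed, and the site names `Branch-Site` and `HQ-Site` are hypothetical placeholders.

```powershell
# Added example: audit GC coverage and UGMC state per site, then enable UGMC
# on one branch site. Needs Domain Admins or Enterprise Admins rights for the change.
Import-Module ActiveDirectory

# Hypothetical site names: replace with the sites from your own forest.
$BranchSite  = 'Branch-Site'   # site without a global catalog server
$RefreshSite = 'HQ-Site'       # site whose GC should refresh the cache

# Collect every domain controller in the forest with its site and GC flag.
$dcs = foreach ($domain in (Get-ADForest).Domains) {
    Get-ADDomainController -Filter * -Server $domain |
        Select-Object Name, Site, IsGlobalCatalog
}

# Build a per-site report: DC count, GC count, current UGMC configuration.
$report = foreach ($site in Get-ADReplicationSite -Filter * -Properties *) {
    $siteDcs = @($dcs | Where-Object { $_.Site -eq $site.Name })
    [pscustomobject]@{
        Site        = $site.Name
        DCs         = $siteDcs.Count
        GCs         = @($siteDcs | Where-Object { $_.IsGlobalCatalog }).Count
        UGMCEnabled = [bool]$site.UniversalGroupCachingEnabled
        RefreshSite = $site.UniversalGroupCachingRefreshSite
    }
}
$report | Sort-Object Site | Format-Table -AutoSize

# Enable UGMC only where it applies: the site has DCs, none of them is a GC,
# and caching is not already on.
$target = $report | Where-Object { $_.Site -eq $BranchSite }
if (-not $target) {
    Write-Warning "Site '$BranchSite' not found."
}
elseif ($target.DCs -gt 0 -and $target.GCs -eq 0 -and -not $target.UGMCEnabled) {
    Set-ADReplicationSite -Identity $BranchSite `
        -UniversalGroupCachingEnabled $true `
        -UniversalGroupCachingRefreshSite $RefreshSite
    Write-Output "UGMC enabled on '$BranchSite', refreshing from '$RefreshSite'."
}
else {
    Write-Output "No change made to '$BranchSite' (already enabled, has a GC, or has no DCs)."
}
```

Adding `-WhatIf` to the `Set-ADReplicationSite` call shows the intended change without writing it to the directory.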

Active Directory Topology

When you place domain controllers and related services in an infrastructure, it is important to identify exactly where each should logically be located. Placement directly affects performance and security.
There are four main types of servers and roles to consider in AD topology design.

1)    Forest root domain controller
2)    Regional domain controller
3)    Global catalog server
4)    Operation master role

Forest root domain controller

This is usually used in a multi-domain network setup. This is the domain controller that is used to create trust paths between domains. In some networks the connections between domains are unreliable; in such a scenario it’s recommended to place a forest root domain controller in the location or create a shortcut trust.

Regional domain controller

As the name suggests, these domain controllers are placed in hub locations. This reduces bandwidth usage between hub locations and the main office, improves reliability, reduces support cost, etc. Writable regional domain controllers should be placed in a hub location only if physical security is guaranteed. Otherwise it’s recommended to keep them as read-only domain controllers (RODC).

Global Catalog Server

A global catalog server holds all the objects in the forest. It keeps a full copy of the objects in its own domain and a read-only copy of objects for all other domains in the same forest. The placement of global catalog servers is crucial in a multi-forest environment. In such an environment, a global catalog server should be placed at the following locations:

1)    A location with more than 100 users
2)    A place hosting applications that require a global catalog server
3)    A place with an unreliable connection
4)    A place with roaming users
5)    A place with slow logon performance

If the location is none of the above, you can place a domain controller with universal group membership caching there.

Operation master role

In Active Directory, some data can only be written by operation master role servers. As we know, there are 5 roles (FSMO). 3 of them remain at the domain level, and those are called flexible single master operations (FSMO) roles.
1.    Primary Domain Controller (PDC) Emulator – This role is responsible for password updates
2.    Relative ID (RID) Operation Master – This role maintains the global RID pool and allocates local RIDs to other DCs
3.    Infrastructure Operation Master – It is responsible for maintaining the list of security principals from other domains that have membership in the local domain

Forest level roles

1.    Schema Operations Master – This is responsible for schema changes
2.    Domain Naming Operation Master – This is responsible for changes in directory partitions, such as adding and removing domains from the forest

When you place operation master roles, consider the following:
•    PDC and RID roles should be placed in sites with reliable network connectivity
•    Operation master roles are automatically assigned to the first domain controller, but we can change this if needed
•    The PDC should be placed nearest the largest number of users.
•    The infrastructure master role should not be placed on the same server as a global catalog server. This role is important only in a multi-domain forest.

If you have any questions about this post feel free to contact me on rebeladm@live.com