Improve the security and architecture of an AD infrastructure
In Windows Server 2003, Microsoft introduced a new feature called Global Catalog (GC)-less logon (also known as universal group caching). What is this feature and how does it benefit the security and architecture of an Active Directory (AD) infrastructure?
Universal group caching lets Windows 2003 domain controllers (DCs) cache a user’s universal group memberships in the msDS-Cached-Membership attribute of an AD user account object. You can use the Microsoft Management Console (MMC) Sites and Services snap-in to define and configure site objects and their properties. To enable universal group caching, open the snap-in, select a site object, then open the site object’s NTDS Site Settings Properties dialog box, as Figure 1 shows, and select the Enable Universal Group Membership Caching check box.
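The check box in the Sites and Services snap-in sets a single flag on the site's NTDS Site Settings object. The following script is an added example, not code from the original article or from Microsoft; it reads and sets that flag with the ActiveDirectory PowerShell module and then checks the cached-membership stamp on a user object so you can confirm the branch DC is actually caching. It assumes the module is installed, that you have rights to modify the Configuration partition, and uses placeholder names for the site (`Branch01`), the branch DC (`BRANCH-DC01`) and the user (`jdoe`).

```powershell
# Added example (not from the original article): inspect and enable Universal Group
# Membership Caching for one site. The Sites and Services check box toggles bit 0x20
# (NTDSSETTINGS_OPT_IS_GROUP_CACHING_ENABLED) of the 'options' attribute on the
# site's NTDS Site Settings object in the Configuration partition.
#Requires -Modules ActiveDirectory

$SiteName   = 'Branch01'        # placeholder: your branch site name
$BranchDC   = 'BRANCH-DC01'     # placeholder: a DC located in that site
$UserName   = 'jdoe'            # placeholder: a user who logs on at the branch
$GcCacheBit = 0x20              # NTDSSETTINGS_OPT_IS_GROUP_CACHING_ENABLED

$configNC   = (Get-ADRootDSE).configurationNamingContext
$settingsDN = "CN=NTDS Site Settings,CN=$SiteName,CN=Sites,$configNC"

function Get-UgmcState {
    param([string]$Dn)
    $obj  = Get-ADObject -Identity $Dn -Properties options, 'msDS-Preferred-GC-Site'
    $opts = [int]($obj.options)            # [int]$null evaluates to 0 if never set
    [pscustomobject]@{
        Site        = $SiteName
        Options     = ('0x{0:X}' -f $opts)
        Enabled     = (($opts -band $GcCacheBit) -ne 0)
        RefreshFrom = $obj.'msDS-Preferred-GC-Site'   # empty = nearest site with a GC
    }
}

function Enable-Ugmc {
    param([string]$Dn)
    $opts = [int]((Get-ADObject -Identity $Dn -Properties options).options)
    if (($opts -band $GcCacheBit) -eq 0) {
        # -bor adds only the caching bit; any other flags already in 'options' survive
        Set-ADObject -Identity $Dn -Replace @{ options = ($opts -bor $GcCacheBit) }
    }
}

'--- before ---'
Get-UgmcState -Dn $settingsDN | Format-List

Enable-Ugmc -Dn $settingsDN

'--- after ---'
Get-UgmcState -Dn $settingsDN | Format-List

# Verification. When a user logs on through a DC in the caching site, that DC writes
# msDS-Cached-Membership and msDS-Cached-Membership-Time-Stamp on the user object.
# These attributes are not replicated, so query the branch DC itself (-Server).
$stamp = (Get-ADUser -Identity $UserName -Server $BranchDC `
            -Properties 'msDS-Cached-Membership-Time-Stamp').'msDS-Cached-Membership-Time-Stamp'

if ($null -eq $stamp) {
    "No cached membership for $UserName on $BranchDC yet (no logon since caching was enabled)."
} else {
    $cachedAt = [DateTime]::FromFileTime([int64]$stamp)
    "Universal group membership for $UserName cached on $BranchDC at $cachedAt"
    # The DC refreshes the cache from a GC every 8 hours by default. A stamp much older
    # than that means the branch DC could not reach a GC, so group membership changes
    # made since then (including removals) are not yet in effect for logons at that site.
    if ((Get-Date) - $cachedAt -gt [TimeSpan]::FromHours(8)) {
        'WARNING: cache is stale; check connectivity from the branch DC to a GC.'
    }
}
```

The staleness check is the part worth keeping in a monitoring job: universal group caching trades freshness for availability, so a revoked membership (for example, removal from a group that grants access to a file server) is not honoured at the branch until the next successful refresh from a GC.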
This new feature benefits both the security and architecture of an AD infrastructure in branch office AD deployments. It lets administrators take advantage of universal groups for easier forestwide resource access control management. At the same time, it eliminates the need to deploy GC servers to every branch office site, which reduces the volume of data that you must replicate between AD instances.
The following list summarizes potential benefits for caching universal group memberships in branch office locations:
- Faster logon times, because authenticating domain controllers no longer need to contact a global catalog to obtain universal group membership information.
- No need to upgrade the hardware of existing domain controllers to meet the extra system requirements of hosting a global catalog.
- Lower network bandwidth usage, because a domain controller no longer has to replicate all of the objects in the forest.