Struggling to Demonstrate Universal Group Membership Caching

Discussion in 'Windows Server 2003 / 2008 / 2012 / 2016' started by Stuzzle, Nov 14, 2014.

  1. Stuzzle

    Stuzzle Byte Poster

    Hi guys,

    Running some last minute labbing before 70-640 next week and I am having a hard time demonstrating the need for universal group membership caching.

    So I have set up contoso.com, with 2 DCs spanning 2 separate sites.
    I have set up a universal group called Contoso Universe, and created a bunch of users of which I have added a small portion to the universal group.

    So to try and prove the concept of "logons need to contact a GC to verify universal group membership before authenticating" I am disabling the network link between my 2 DCs (having ensured all users and groups have replicated first).

    Whenever I log on to a client machine for the first time in the 2nd site, with the site link disabled, whether I use a member of Contoso Universe or just a standard user, it always allows me to log on :mad

    Is there something obvious I am missing, or am I completely misunderstanding the need for UGMC???
     
    Certifications: A+, MCSA: Windows 7, 70-640, 70-642
    WIP: 70-646
  2. Sparky
    Sparky Zettabyte Poster Moderator
    Configure Universal Group Membership Caching in Active Directory

    Other way around, is it not? No need for a GC if the group membership is cached?
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) MS-900 AZ-900 Security+ Network+ A+
    WIP: Microsoft Certs
  3. Stuzzle

    Yes, but before enabling UGMC I just wanted to see what happens when I try to log on without a GC, i.e. to see if any error messages are generated when logging in to my site that doesn't have a local GC (thus why I terminate the link back to the main site that hosts the GC). Instead it just allows me to log on every time despite there being no GC?? :blink
     
  4. Sparky
    What Is the Global Catalog?: Active Directory

    Nothing to stop you logging into the domain even if a GC in a remote domain is not available.
     
    Stuzzle likes this.
  5. Stuzzle

    *Facepalm* So I need a multi-domain forest before GCs and UGMC become an issue.

    Thanks Sparky!
     
  6. Stuzzle

    Wahooo! That was it - multiple domains needed.

    1 forest, 2 domains each in their own site
    Severing the link between the 2nd site and the primary site (holding the GC) and trying to create new users in the 2nd site gave a popup error that Windows could not verify the user name is unique as the GC is not available, and that it would create the user account but they could not log on until the username is verified as being unique.

    Attempting to log the users on when the site link was down just provided a "User name or password is incorrect" consistently until the site link back to the GC came back online.

    Now I know why UGMC would be needed :)
     
    Sparky likes this.
  7. Sparky
    Glad it's sorted, mate. Always worth fully understanding what you are doing as it *will* come in handy when you are doing this for real. :biggrin
     
    jk2447 likes this.
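
Added example, not part of the thread or written by either poster: a PowerShell audit that lists, for every site in the forest, how many DCs and GCs it holds and whether UGMC is switched on, so the sites that would hit the logon failure described in post 6 stand out. It assumes the ActiveDirectory module (Windows Server 2008 R2 or later, or RSAT) and PowerShell 3 or later; the output column names are made up for this example.

```powershell
Import-Module ActiveDirectory

$IS_GC     = 0x1    # nTDSDSA 'options' bit: this DC hosts a Global Catalog
$UGMC_FLAG = 0x20   # nTDSSiteSettings 'options' bit: UGMC enabled for the site

# Sites live in the forest-wide Configuration partition, so one query
# against any DC covers every domain in the forest.
$configNC = (Get-ADRootDSE).configurationNamingContext
$sitesDN  = "CN=Sites,$configNC"

$sites = Get-ADObject -SearchBase $sitesDN -SearchScope OneLevel `
                      -LDAPFilter '(objectClass=site)'

$report = foreach ($site in $sites) {
    # One "NTDS Settings" (nTDSDSA) object exists per DC under the site.
    $dsas = @(Get-ADObject -SearchBase $site.DistinguishedName `
                           -LDAPFilter '(objectClass=nTDSDSA)' -Properties options)
    $gcs  = @($dsas | Where-Object { $_.options -band $IS_GC })

    # "NTDS Site Settings" holds the UGMC switch and the optional
    # site from which the cache is refreshed.
    $settings = Get-ADObject -SearchBase $site.DistinguishedName -SearchScope OneLevel `
                             -LDAPFilter '(objectClass=nTDSSiteSettings)' `
                             -Properties options, 'msDS-Preferred-GC-Site'
    $ugmc = [bool]($settings.options -band $UGMC_FLAG)

    [pscustomobject]@{
        Site        = $site.Name
        DCs         = $dsas.Count
        GCs         = $gcs.Count
        UGMC        = $ugmc
        RefreshFrom = $settings.'msDS-Preferred-GC-Site'
        # A site with DCs but neither a local GC nor UGMC depends on its
        # WAN link to a GC elsewhere in a multi-domain forest.
        NoGcNoUgmc  = ($dsas.Count -gt 0 -and $gcs.Count -eq 0 -and -not $ugmc)
    }
}

$report | Sort-Object Site | Format-Table -AutoSize
```

In the lab from post 6, the second site would show `GCs = 0`, `UGMC = False` and `NoGcNoUgmc = True` until caching is enabled on its NTDS Site Settings object.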
