1
00:00:07,000 --> 00:00:09,710
Universal group membership.

2
00:00:10,120 --> 00:00:16,940
Makes it possible to sign in to AD DS without contacting a global catalog.

3
00:00:17,080 --> 00:00:25,990
After this option is enabled and a user attempts to sign in for the first time, universal group membership

4
00:00:26,290 --> 00:00:30,880
is cached on non-global-catalog domain controllers.

5
00:00:30,910 --> 00:00:38,170
After this information is obtained from a global catalog, it is cached on the site's domain controller

6
00:00:38,470 --> 00:00:47,620
indefinitely, but is updated periodically. By default, updates occur every eight hours. Enabling this feature

7
00:00:47,920 --> 00:00:55,900
results in faster sign-in times for users in remote sites without global catalogs, because the

8
00:00:56,040 --> 00:01:01,980
authenticating domain controllers do not have to access a global catalog.

9
00:01:01,990 --> 00:01:10,450
Organizations may choose to use universal group membership caching for sites in which they do not want

10
00:01:10,450 --> 00:01:13,850
to deploy a global catalog server.

11
00:01:13,900 --> 00:01:22,330
I'd like to mention that replication has improved over the years and that the best practice recommendation

12
00:01:22,600 --> 00:01:28,630
for most scenarios is to have a global catalog on every domain controller.

13
00:01:28,750 --> 00:01:32,400
One historical concern with global catalogs

14
00:01:32,500 --> 00:01:42,920
was the schema update in Windows 2000 Server, which would trigger global catalog reinitialization.

15
00:01:42,930 --> 00:01:43,320
No.

16
00:01:43,450 --> 00:01:51,460
Universal group membership caching can be a security risk when an administrator relies on removing a

17
00:01:51,460 --> 00:01:59,290
server from a group. Universal group membership caching does not update with the application, and the

18
00:01:59,290 --> 00:02:08,540
user has up to eight hours of access, even more when the wide area network link becomes so fly.

19
00:02:08,560 --> 00:02:16,720
This caching method is also somewhat unpredictable. When users sign in the first time at a remote

20
00:02:16,720 --> 00:02:20,470
site and the global catalog is not available,

21
00:02:20,470 --> 00:02:25,390
the behavior is different from users who signed in previously.

22
00:02:25,780 --> 00:02:33,520
Therefore, because of these issues, it is not typically recommended to use universal group membership.

23
00:02:34,120 --> 00:02:41,350
So this will be an issue that you might need to address when you configure AD DS replication:

24
00:02:41,350 --> 00:02:49,540
whether to deploy global catalog servers in each site. Global catalog servers are required when users

25
00:02:49,540 --> 00:02:51,340
sign in to the domain.

26
00:02:51,340 --> 00:02:58,720
So deploying a global catalog server in each site optimizes the user experience.

27
00:02:58,720 --> 00:03:02,740
However, if you deploy a global catalog server in a site,

28
00:03:02,920 --> 00:03:09,490
additional replication traffic might occur. That could be an issue if the network connection between

29
00:03:09,790 --> 00:03:17,980
AD DS sites has limited bandwidth and there are other domains with a large number of objects in

30
00:03:17,980 --> 00:03:18,980
the forest.

31
00:03:19,000 --> 00:03:28,300
In these scenarios, you can deploy domain controllers that are running Windows Server 2008 or newer and

32
00:03:28,300 --> 00:03:36,730
then enable universal group membership caching for this site. A domain controller in a site

33
00:03:36,970 --> 00:03:42,400
that has enabled universal group membership caching stores

34
00:03:42,400 --> 00:03:49,570
the universal group information locally. After a user attempts to sign in for the first time, the domain

35
00:03:49,570 --> 00:03:57,220
controller obtains the user's universal group membership information from a global catalog server

36
00:03:57,580 --> 00:03:58,860
in another site.

37
00:03:58,900 --> 00:04:05,780
It then caches the information indefinitely and refreshes it periodically.

38
00:04:05,920 --> 00:04:12,340
The next time the user tries to sign in, the domain controller obtains the universal group membership

39
00:04:12,340 --> 00:04:18,950
information from its local cache without contacting a global catalog server.

40
00:04:18,970 --> 00:04:25,570
As I've said, by default the universal group membership information in each domain controller's cache

41
00:04:25,960 --> 00:04:34,720
refreshes every eight hours. To refresh the cache, domain controllers send a universal group membership

42
00:04:35,020 --> 00:04:43,960
confirmation request to a designated global catalog server. You can configure universal group membership

43
00:04:44,030 --> 00:04:50,080
caching from the NTDS Site Settings node sadness.