Re: GC *and* Universal Group Caching
From: Joe Richards [MVP] (humorexpress_at_hotmail.com)
Date: 08/21/04
- Next message: Joe Richards [MVP]: "Re: Have AD authenticate from LDAP/Kerberos server"
- Previous message: Alex: "Locating Domain Controller"
- In reply to: Dean Wells [MVP]: "Re: GC *and* Universal Group Caching"
- Messages sorted by: [ date ] [ thread ]
Date: Sat, 21 Aug 2004 11:29:58 -0400
Great Post Dean. You da man!
:o)
-- Joe Richards Microsoft MVP Windows Server Directory Services www.joeware.net Dean Wells [MVP] wrote: > JB Fields wrote: > >>Thanks. Appreciate the extra info. So, I take it that if I >>authenticate to a DC that is a GC and caching is turned on pointed at >>another domain, the DC will get Universal group membership from it's >>cache as its own behavior has been altered to do so. It will not >>look for a GC, unless a new person signs on who has not been >>previously cached? >> >>>The preference would be if you have a GC at a site, don't use >>>caching at the same site. No point unless you lose the GC but you do >>>open yourself up for cache delays (i.e. adding a user to a group and >>>it not being reflected in the cache for a while or alternatively >>>removing someone and it not being reflected). >>> >>>The realistic use of caching is for the case where you can't have a >>>GC onsite AND you are unable to disable the GC logon requirement >>>(ignoregcfailures) because you use Universal groups for assigning >>>perms and not just for DLs. >>> >>> joe >>> >>>-- >>>Joe Richards Microsoft MVP Windows Server Directory Services >>>www.joeware.net >>> >>> >>> >>>JB Fields wrote: >>> >>>>Any benefit in using both a GC and Universal Group Caching at a >>>>remote site other than fault tollerance? Which will the domain >>>>controller use for finding uinversal group membership at user login >>>>if both are available? >>>> >>>>J > > > Correct, the caching is NOT a failover ... it's on or off. > > In addition, Uni. Group caching is misrepresented by its name in that it > also caches Global Groups which are already known to the site local DCs > ... any Global Group membership changes, even those membership changes > made locally at the caching site, will not take effect until the next > _successful_ cache update. > > The cache update process is per DC in the caching site (no bridgehead / > a single DC in the site = no duplicate effort / 2 DCs = 2 independant > cache update processes = 2 x bandwidth requirement) and defaults to an 8 > hour cycle but respects site-link time windows. Finally, the update > process is (by default) only capable of working with a maximum of 500 > actively cached users ... any users greater than the 500 max. (that are > still actively having their cache updated) are simply not included in > the update cycle. No membership change for those users will become > effective until their cache expires (by default 7 days) whereupon a GC > is once again required for authentication or they fit within the 500 > user ceiling or the ceiling is increased to deal with them. > > Dean >
- Next message: Joe Richards [MVP]: "Re: Have AD authenticate from LDAP/Kerberos server"
- Previous message: Alex: "Locating Domain Controller"
- In reply to: Dean Wells [MVP]: "Re: GC *and* Universal Group Caching"
- Messages sorted by: [ date ] [ thread ]
Relevant Pages
|
