Re: Universal Group Membership Caching

---

• From: "Dean Wells \(MVP\)" <dwells@xxxxxxxxxxxxxxxxxxxxx>
• Date: Thu, 25 Oct 2007 17:56:33 -0400

---

Sadly not ... as you've likely now seen from my earlier post (ain't
timing a $$$$$ :0)

--
Dean Wells [MVP / Directory Services]
MSEtechnology
[[ Please respond to the Newsgroup only regarding posts ]]
R e m o v e t h e m a s k t o s e n d e m a i l


"Austin Osuide" <austin@xxxxxxxxxxx> wrote in message
news:4f8Ui.7264$zg.3794@xxxxxxxxxxxxxxxxxxxxxxxx

And, Native mode would be: forestFunctionality
0=(DS_BEHAVIOR_WIN2000) as opposed to what I stated earlier (DFL1 - no
such thing apparently!)

Regards,

Austin
"Austin Osuide" <austin@xxxxxxxxxxx> wrote in message
news:e88Ui.7263$zg.4590@xxxxxxxxxxxxxxxxxxxxxxxx

Just tried it and I did login EVEN THOUGH THE DC SAID I WOULDNT!
D**n! you live and learn. I won't forget that!

Dean, I also thought DFL1 refered to Native mode. I now know that
"The domain controller functionality represents the highest possible
functional level for this domain controller, not at the function
level that the domain controller is operating."

Apologies Jorge! You/It got me there.


"Dean Wells (MVP)" <dwells@xxxxxxxxxxxxxxxxxxxxx> wrote in message
news:usNWH20FIHA.5360@xxxxxxxxxxxxxxxxxxxxxxx

FWIW - I'm with Jorge on this one; a GC is not required.

Regarding the KDC: it knows of the number of domains within a forest
since all KDC are DCs and all DCs maintain a config. NC which, in
turn, maintains crossRef objects representing the entire partition
structure of the forest, it's fair to say that the KDC is indirectly
(or certainly able to be) aware of that. Out of interest, why do
you mention domain func. level 1?

--
Dean Wells [MVP / Directory Services]
MSEtechnology
[[ Please respond to the Newsgroup only regarding posts ]]
R e m o v e t h e m a s k t o s e n d e m a i l


"Austin Osuide" <austin@xxxxxxxxxxx> wrote in message
news:ehbgTj0FIHA.3400@xxxxxxxxxxxxxxxxxxxxxxx

I'm afraid Jorge you got it wrong there.
Once you flip the DFL switch to 1, the KDC when authenticating a
client really doesn't have visibility of the number of domains etc.
that's why it looks for a GC to create the users Security Token. If
it doesn't find one, it barfs. A failsafe measure.
That's why to cover that base, the first DC in a single domain
forest is a GC!
Also, docs here: http://support.microsoft.com/kb/216970

Regards,

Austin

"Jorge Silva" <jorgesilva_pt@xxxxxxxxxxx> wrote in message
news:%230TTsS0FIHA.4228@xxxxxxxxxxxxxxxxxxxxxxx

Hi

A GC will still need to be contacted for logon to succeed (Native
mode assumed).

This isn't totally true.
Actually this is only true for Forests with multiple domains, but
there are other situations where it doesn't apply, for example: in
a single domain environment it doesn't apply.

--

===================================
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services
===================================

"Austin Osuide" <austin@xxxxxxxxxxx> wrote in message
news:eWFCbeyFIHA.4712@xxxxxxxxxxxxxxxxxxxxxxx

Hi RC,
Universal Group Membership Caching is a function of the DCs in
the site you've enabled it on. If you have no DCs in the site, it
will have no effect if the users logon to DCs in other sites that
do not have UGMC enabled and have no local GCs. A GC will still
need to be contacted for logon to succeed (Native mode assumed).

Regards,

Austin

"RC" <RichChristy@xxxxxxxxx> wrote in message
news:1193330500.425707.138770@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

If you create a site, assign the appropriate subnets, but it
doesn't
have a DC associated with the site and enable UGMC (universal
group
membership caching) does UGMC still effectively do what it is
designed
to do?

I would assume not unless you have a DC in that site right?

Thanks in advance.

.

---

• Follow-Ups:
  • Re: Universal Group Membership Caching
    • From: Austin Osuide

• References:
  • Universal Group Membership Caching
    • From: RC
  • Re: Universal Group Membership Caching
    • From: Austin Osuide
  • Re: Universal Group Membership Caching
    • From: Jorge Silva
  • Re: Universal Group Membership Caching
    • From: Austin Osuide
  • Re: Universal Group Membership Caching
    • From: Dean Wells \(MVP\)
  • Re: Universal Group Membership Caching
    • From: Austin Osuide
  • Re: Universal Group Membership Caching
    • From: Austin Osuide

• Prev by Date: Re: Universal Group Membership Caching
• Next by Date: RE: Provide feedback to DC promotion/replacement
• Previous by thread: Re: Universal Group Membership Caching
• Next by thread: Re: Universal Group Membership Caching
• Index(es):
  • Date
  • Thread

---

Relevant Pages Re: Universal Group Membership Caching ... Dean Wells [MVP / Directory Services] ... since all KDC are DCs and all DCs maintain a config. ... (microsoft.public.windows.server.active_directory) Re: Local SID v. Domain SID. ... This is not true for the relationship between any 2 workstations regardless of whether they have the same SID, are members of the same domain, trusted domains or if they exist in the same or even different workgroups. ... Dean Wells [MVP / Directory Services] ... (microsoft.public.windows.server.active_directory) Re: C# - need to query based on objectGUID ? ... Dean Wells [MVP / Directory Services] ... directory with it as a search filter. ... (microsoft.public.windows.server.active_directory) Re: AD Site Consolidation ... Dean Wells [MVP / Directory Services] ... SiteA and SiteB are connected by a high speed WAN link. ... (microsoft.public.windows.server.active_directory) Re: Redirecting the users and computers containers in Windows Serv ... they will be created in whatever OU or container you ... Dean Wells [MVP / Directory Services] ... (microsoft.public.windows.server.active_directory)

---

• Windows
• Science
• Usenet

• Archive
• About
• Privacy
• Search
• Imprint

www.tech-archive.net  > Archive  > Windows  > microsoft.public.windows.server.active_directory  > 2007-10