Reducing Logon Traffic from Remote Sites
When an administrator is trying to reduce the amount of Active Directory–related communications that occur between two locations, he or she typically will implement sites. The Main and Branch sites that I created while writing this article illustrate that situation. By configuring sites, the administrator reduces the amount of Active Directory replication.
In Windows 2000 domains, administrators also typically placed a domain controller, DNS server, and global catalog server (usually all configured on the same computer) in each Active Directory site. Such an implementation allowed users to be fully authenticated by the local servers in their site. However, since a global catalog server maintains a partial replica of every object in the forest, the additional replication in multi-domain forests could be significant. Since domain controllers really only used the global catalog server to verify universal group membership during the logon process, the Universal Group Membership Caching feature was added to the Windows Server 2003 Active Directory feature set to help make logons more efficient in multi-domain environments. Caching universal group membership enables the domain controller to authenticate a logon request without having to query a global catalog server.
When Universal Group Membership Caching is enabled, the authenticating domain controller contacts the global catalog server only the first time the user logs on. After that, the universal group membership information is cached locally on the domain controller that authenticated the logon request. The local domain controller's universal group membership cache is updated every eight hours by default through communication with the global catalog server. This keeps the cached universal group membership information updated for the user.