Universal Group Membership Caching Considerations
Universal Group Membership Caching can be enabled per Active Directory site through the Active Directory Sites and Services console. Although the caching feature is enabled for the entire site (see Figure 3), only the authenticating domain controller caches the universal group membership. This means that when two domain controllers are configured in a site that has Universal Group Membership Caching enabled, only the server that authenticates the logon request actually caches the user's membership. If a user happens to log on to the same domain controller all the time, that user's universal group membership is cached on only one of the two servers.
Figure 3 Enabling universal group membership caching on the branch site.
A domain controller functioning as a global catalog server won't cache universal group membership. If you move the global catalog role from one domain controller to another, don't expect the domain controller that formerly acted as the global catalog server to have any cached universal group memberships.
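The following audit script is an added example, not part of the original article. It lists, for each site, whether caching is enabled and which domain controllers are eligible to cache (those that are not global catalog servers). It assumes the ActiveDirectory RSAT module is installed and the account has read access to the directory; the function name `Get-UgmcCachingReport` is hypothetical.

```powershell
# Added example: requires the ActiveDirectory (RSAT) module.
Import-Module ActiveDirectory

function Get-UgmcCachingReport {   # hypothetical helper name
    # Domain controllers of the current domain only, fetched once
    # and matched to their sites below.
    $dcs = Get-ADDomainController -Filter *

    foreach ($site in Get-ADReplicationSite -Filter * -Properties *) {
        # Site-wide switch set in Active Directory Sites and Services.
        $enabled = [bool]$site.UniversalGroupCachingEnabled
        $siteDcs = @($dcs | Where-Object { $_.Site -eq $site.Name })

        foreach ($dc in $siteDcs) {
            # A global catalog server does not cache universal group
            # membership, even when its site has caching enabled.
            $eligible = $enabled -and -not $dc.IsGlobalCatalog

            [pscustomobject]@{
                Site             = $site.Name
                CachingEnabled   = $enabled
                DomainController = $dc.HostName
                IsGlobalCatalog  = $dc.IsGlobalCatalog
                # Eligible only: a DC holds a user's membership after it
                # has authenticated that user's logon, not before.
                EligibleToCache  = $eligible
            }
        }
    }
}

Get-UgmcCachingReport |
    Sort-Object Site, DomainController |
    Format-Table -AutoSize
```

A site that shows `CachingEnabled = True` but no rows with `EligibleToCache = True` has the setting turned on with no domain controller that will use it.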