
Universal Group Caching in a multi-domain forest with slow WANs

Status
Not open for further replies.

Redfox1 (MIS, US), May 29, 2002
I'd like to know if I should enable Universal Group Caching given the following scenario:

- Single Forest (no other external trusts)
- Parent domain has 4 child domains. (Full transitive trusts)

ourcompany.com Site0 - 2 DCs
child1.ourcompany.com Site1 - 1 DC
child2.ourcompany.com Site2 - 1 DC
child3.ourcompany.com Site3 - 1 DC
child4.ourcompany.com Site4 - 1 DC

Site5 (Disaster recovery site)
Has ONE DC from each child domain
Has ONE DC from parent domain holding the schema & domain naming master roles.

*** EVERY domain controller is also a Global Catalog. ***

Current WAN speeds are approx 1.5 Mbps up/512 kbps down - in the process of upgrading to 10 Mbps up/down (this is an Internet connection speed - we use a VPN to connect each site to Site0 + Site5). The upgrade will take another 4-10 months for all sites (2 out of 5 sites are done as of July 2011).

Question:
If a user (ourcompany.com\USERA) takes his or her laptop to Site2, is this user going to be contacting ANY GC at that site, or is it looking for a GC that matches its domain name?

I'm assuming from reading about this that ANY GC at that site will do, but this isn't clearly spelled out or explained.

If, however, universal group caching is NOT turned on, his or her PC will attempt to connect to a GC/DC at Site0/Site5 to resolve universal group memberships, correct?

David
 
Question #2:
Also, what would happen if one of these WAN connections is not working? Would the Universal Group Cache answer the group memberships until the cache expires?
 
See below: if you have Global Catalog servers enabled, you do not need it.

Applies To: Windows Server 2008, Windows Server 2008 R2

In a multidomain forest, when a user logs on to a domain, a global catalog server must be contacted to determine the universal group memberships of the user. A universal group can contain users from other domains, and it can be applied to access control lists (ACLs) on objects in all domains in the forest. Therefore, universal group memberships must be ascertained at domain logon so that the user has appropriate access in the domain and in other domains during the logon session. Only global catalog servers store the memberships of all universal groups in the forest.

If a global catalog server is not available in the site when a user logs on to a domain, the domain controller must contact a global catalog server in another site.

In multidomain forests where remote sites do not have a global catalog server, the need to contact a global catalog server over a potentially slow wide area network (WAN) connection can be problematic, and a user can potentially be unable to log on to the domain if a global catalog server is not available. You can enable Universal Group Membership Caching on domain controllers that are running Windows Server 2008 so that when the domain controller contacts a global catalog server for the user's initial domain logon, the domain controller retrieves universal group memberships for the user. On subsequent logon requests by the same user, the domain controller uses cached universal group memberships and does not have to contact a global catalog server.
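The reply above rests on one fact per site: is there a local GC, and if not, is the cache turned on? The following script is an added example (not from this thread or from Microsoft's documentation) that audits every site in the forest for both, reading the Configuration partition so it covers all five domains in one pass. It assumes the ActiveDirectory PowerShell module (RSAT) and read access to the Configuration naming context; the bit values are the documented `options` flags (0x1 on an NTDS Settings object marks a GC, 0x20 on NTDS Site Settings marks Universal Group Membership Caching as enabled).

```powershell
# Added example: report, per AD site, which DCs are global catalogs and whether
# Universal Group Membership Caching (UGMC) is enabled for that site.
# Assumes RSAT's ActiveDirectory module and read access to the Configuration NC.
Import-Module ActiveDirectory

$configNC       = (Get-ADRootDSE).configurationNamingContext
$sitesContainer = "CN=Sites,$configNC"
$NTDSDSA_OPT_IS_GC            = 0x01   # options bit on CN=NTDS Settings (nTDSDSA)
$NTDSSETTINGS_OPT_UGMC_ENABLED = 0x20   # options bit on CN=NTDS Site Settings

# Collect GCs per site from every nTDSDSA object in the forest (all domains).
$gcBySite = @{}
Get-ADObject -SearchBase $sitesContainer -LDAPFilter "(objectClass=nTDSDSA)" -Properties options |
ForEach-Object {
    # DN shape: CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,CN=Sites,...
    $parts  = $_.DistinguishedName -split ','
    $server = $parts[1] -replace '^CN='
    $site   = $parts[3] -replace '^CN='
    if (-not $gcBySite.ContainsKey($site)) { $gcBySite[$site] = @() }
    if ([int]$_.options -band $NTDSDSA_OPT_IS_GC) { $gcBySite[$site] += $server }
}

# Walk each site and read its NTDS Site Settings object for the UGMC flag.
Get-ADObject -SearchBase $sitesContainer -SearchScope OneLevel -LDAPFilter "(objectClass=site)" |
ForEach-Object {
    $site     = $_
    $settings = Get-ADObject -Identity "CN=NTDS Site Settings,$($site.DistinguishedName)" `
                             -Properties options, msDS-Preferred-GC-Site
    $opts   = [int]$settings.options
    $gcs    = $gcBySite[$site.Name]
    $cached = [bool]($opts -band $NTDSSETTINGS_OPT_UGMC_ENABLED)

    [pscustomobject]@{
        Site        = $site.Name
        GCsInSite   = if ($gcs) { $gcs -join ', ' } else { '(none)' }
        UGMCEnabled = $cached
        PreferredGC = $settings.'msDS-Preferred-GC-Site'
        LogonRisk   = if ($gcs)       { 'Local GC: logon survives WAN outage' }
                      elseif ($cached) { 'No local GC: cached memberships only' }
                      else             { 'No local GC, no cache: logon needs WAN' }
    }
} | Format-Table -AutoSize
```

In the scenario described in the question, every site should show at least one GC and `UGMCEnabled` can stay `False`; a site reporting `(none)` with the cache off is the one whose logons depend on the VPN link.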
 