Universal groups are a powerful feature of Active Directory in Windows 2000 or later, as they can contain almost anything, including domain users, computers, global groups, and other universal groups from both the local domain and any other domain in the forest, and you can nest them to any degree as well. Universal groups have a downside, however, especially on networks running Windows 2000. This is because, by default, only global catalog (GC) servers hold the membership of all universal groups in the forest. So, if you're using universal groups and you try to log on to a domain, a GC server needs to be available to enumerate your universal group membership before you can be authenticated to the domain.
This requirement that a GC server be available when a user logs on particularly becomes an issue if you have a branch office connected by a slow WAN link to headquarters and you've configured the remote network as a separate site to have more control over replication traffic between the two locations. By configuring universal group caching on the domain controllers in your remote site, you ensure that a user's universal group membership information is available when the user tries to log on and no GC is available at the remote site. Enabling universal group caching is easy. Just open Active Directory Sites and Services, connect to a domain controller in the remote site, expand the Sites container, expand the name of the site, right-click on NTDS Site Settings, select Properties, and select the checkbox Enable Universal Group Membership Caching. Then repeat this procedure for all other domain controllers in the remote site.
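The same change, made from PowerShell with the ActiveDirectory module so it can be scripted and verified rather than clicked through. This is an added example, not part of the original article; the site names BranchOffice and Headquarters are assumptions, and it operates on the site's NTDS Site Settings object, which is where the checkbox above is stored.

```powershell
# Added example (not from the original article). Requires the ActiveDirectory module
# (RSAT) and rights to modify the Configuration partition.
Import-Module ActiveDirectory

$siteName = 'BranchOffice'   # assumption: the remote site without a GC
$hubSite  = 'Headquarters'   # assumption: a site that has a GC, used to refresh the cache

# Record the state before changing anything, so the change can be audited.
Get-ADReplicationSite -Identity $siteName -Properties UniversalGroupCachingEnabled, UniversalGroupCachingRefreshSite |
    Select-Object Name, UniversalGroupCachingEnabled, UniversalGroupCachingRefreshSite

# Enable caching for the site (the "Enable Universal Group Membership Caching" checkbox)
# and tell the DCs which site's GC to refresh the cached memberships from.
Set-ADReplicationSite -Identity $siteName `
    -UniversalGroupCachingEnabled $true `
    -UniversalGroupCachingRefreshSite $hubSite

# Verify against the raw NTDS Site Settings object: the checkbox is bit 0x20
# (NTDSSETTINGS_OPT_IS_GROUP_CACHING_ENABLED, per MS-ADTS) of its "options" attribute,
# and the refresh site is held in msDS-Preferred-GC-Site.
$siteDN = (Get-ADReplicationSite -Identity $siteName).DistinguishedName
$ntds   = Get-ADObject -Identity "CN=NTDS Site Settings,$siteDN" -Properties options, 'msDS-Preferred-GC-Site'

$cachingEnabled = (($ntds.options -as [int]) -band 0x20) -ne 0
[pscustomobject]@{
    Site           = $siteName
    CachingEnabled = $cachingEnabled
    RefreshFrom    = $ntds.'msDS-Preferred-GC-Site'
}

if (-not $cachingEnabled) {
    Write-Warning "Universal group membership caching is still disabled for site $siteName"
}
```

Reading the options bit back from the NTDS Site Settings object, rather than trusting the cmdlet's return, is also a useful periodic check that nobody has quietly turned caching off for a site that depends on it.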