You are an enterprise administrator for an organization that consists of a multi-domain, multi-site Active Directory forest. The forest functional level is Windows Server 2008 R2. A total of 500 users are associated with the HQ Site, 300 users are associated with the Branch 2 Site, and 50 users are associated with the Branch 1 Site. The site topology for the environment is shown in the following exhibit:
You receive reports that users in the Branch 1 Site are unable to log on to their domain.
Which of the following actions should you take in order to rectify this problem?
A. Install a second domain controller at Branch 1 Site.
B. Enable Universal Group Membership Caching at Branch 1 Site.
C. Enable Universal Group Membership Caching at the HQ Site.
D. Expand the partial attribute set of the Active Directory schema.
The Correct Answer and Explanation
The correct answer is B. By enabling Universal Group Membership Caching (UGMC) for the Branch 1 Site, we limit the possibility of failed domain logons in that site. Remember that when a user logs on to a domain in a multi-domain forest, the authenticating domain controller must contact a Global Catalog (GC) server to enumerate the universal groups to which the user belongs, because universal group memberships from other domains are stored only in the GC. If no GC can be reached, the domain logon fails.
For smaller (fewer than 100 users) branch offices that contain one or more domain controllers but no local Global Catalog, one solution to this universal group enumeration problem is to enable UGMC for the site. UGMC is a site-level setting: every domain controller in the Branch 1 Site makes an initial connection to a Global Catalog server elsewhere in the forest the first time a given user logs on, and then caches that user's universal group memberships locally for reuse. Note the caveat: a user who has never logged on in that site still needs a reachable GC for their first logon; only subsequent logons are served from the cache.
A forest administrator can enable UGMC for a site by modifying the NTDS Site Settings properties of that site in the Active Directory Sites and Services console. Notice the Refresh cache from option in the figure below; we need to keep in mind that users' universal group memberships may change. Thus, the domain controllers in the site periodically (every 8 hours by default) refresh their cached memberships from a Global Catalog in the specified source site, or from the nearest site by site-link cost if no source is specified.
Enabling Universal Group Membership Caching for an AD site
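The same change can be made and verified from PowerShell with the ActiveDirectory module. The following is an added example, not code from the original post. It assumes the site names from the exhibit ("Branch 1 Site" and "HQ Site"), that the UGMC flag is bit 0x20 of the NTDS Site Settings object's options attribute, and that the "Refresh cache from" choice is stored in the msDS-Preferred-GC-Site attribute; it must run as a user with rights to modify the Configuration partition.

```powershell
# Added example (not from the original post): inspect and enable Universal Group
# Membership Caching for an AD site, then confirm the site can still locate a GC.
# Assumptions: site names as in the exhibit; 0x20 in 'options' on the NTDS Site
# Settings object is the UGMC flag; msDS-Preferred-GC-Site is "Refresh cache from".
Import-Module ActiveDirectory

$SiteName    = 'Branch 1 Site'   # site with a DC but no local Global Catalog
$RefreshFrom = 'HQ Site'         # site whose GCs will refresh the cache
$UgmcFlag    = 0x20              # NTDSSETTINGS_OPT_IS_GROUP_CACHING_ENABLED

$configNC   = (Get-ADRootDSE).configurationNamingContext
$settingsDN = "CN=NTDS Site Settings,CN=$SiteName,CN=Sites,$configNC"

# 1. Confirm the premise of the question: which DCs sit in the site, and is any a GC?
Get-ADDomainController -Filter "Site -eq '$SiteName'" |
    Select-Object Name, Domain, IsGlobalCatalog, IPv4Address

# 2. Read the current UGMC state for the site. 'options' may be absent ([int]$null is 0).
$settings = Get-ADObject -Identity $settingsDN -Properties options, 'msDS-Preferred-GC-Site'
$options  = [int]$settings.options
$enabled  = ($options -band $UgmcFlag) -ne 0
"UGMC currently enabled for '$SiteName': $enabled"

# 3. Enable UGMC if needed and point the periodic refresh at the HQ site's GCs.
if (-not $enabled) {
    $refreshSiteDN = "CN=$RefreshFrom,CN=Sites,$configNC"
    Set-ADObject -Identity $settingsDN -Replace @{
        options                  = ($options -bor $UgmcFlag)
        'msDS-Preferred-GC-Site' = $refreshSiteDN
    }
}

# 4. Verify the setting, and verify that the DC locator can still find a GC for the
#    site (first logons of not-yet-cached users still depend on this being possible).
Get-ADObject -Identity $settingsDN -Properties options, 'msDS-Preferred-GC-Site' |
    Select-Object @{ n = 'UGMC'; e = { ([int]$_.options -band $UgmcFlag) -ne 0 } },
                  'msDS-Preferred-GC-Site'
Get-ADDomainController -Discover -Service GlobalCatalog -SiteName $SiteName -ForceDiscover
```

Because the setting lives on the site's NTDS Site Settings object in the Configuration partition, it applies to every DC in the site and takes effect on the branch DC only after Configuration-partition replication reaches it; check step 4 against the branch DC with -Server if the change does not appear immediately.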
Analysis
You will find that several Microsoft certification exam questions involve exhibits. These graphics can be logical or physical topology diagrams like the one we used in this item. Microsoft may also give you screenshots from Windows Server 2008 R2 systems—command-line output, configuration dialogs, and so forth.
The bottom line is that we need to spend a few moments analyzing the exhibit before we attempt to answer the question.
When I look at the exhibit without first reading the item stem, I can already make some conclusions about what I see:
- Connectivity to Branch 2 Site looks to be okay, but connectivity to Branch 1 Site is super-slow. That is a red flag of some kind for sure.
- The HQ Site and Branch 2 Site each have two domain controllers, but Branch 1 Site has only one DC. Again, this leads us to the idea that this item focuses on Branch 1 Site.
- Branch 1 Site is the only site that does not include a Global Catalog. Hmmm…
Next let's proceed to the item stem and actual question. The stated problem is that users cannot log on from, you guessed it, the Branch 1 Site. We are finally asked what is the best action to take, given these four options, to solve the problem.
Let us quickly scan the four answer choices to see if anything obvious jumps out at us. We see that choices B and C deal with UGMC—what does that tell us? Well, if we are sharp in our Global Catalog knowledge, then we should be pretty interested in these. Let’s put them on hold for now.
Of course, you might think, the best solution to this problem is to make the DC in Branch 1 Site a Global Catalog. However, we don’t have that as an option in this item. This speaks to a truism with Microsoft certification exams:
There is the “real world” answer, and the “Microsoft” answer. When you are testing, you must provide the “Microsoft” answer.
Choice A suggests that we install a second domain controller at the Branch 1 Site. This seems plausible at first blush because we may think that simple load balancing is the answer. However, the item stem tells us that the Branch 1 Site consists of a paltry 50 users, so capacity is not the problem, and a second DC that is not a Global Catalog would still have to reach a GC across the same slow link to evaluate universal group memberships. Thus, we can rule out choice A outright.
Choice D references the partial attribute set (PAS). If you are not crystal clear on what the PAS is, then you might waste time pondering this choice, when in point of fact we can discount it immediately. The PAS is the subset of schema attributes that are replicated to every Global Catalog server; expanding it changes what a GC stores about objects from other domains, not whether the Branch 1 Site domain controller can reach a GC at all. The reference to the PAS is a red herring that is meant to distract you from the correct answer.
Let's now return to choices B and C. We should understand by now that the most likely reason why users in the Branch 1 Site cannot log on is that their local domain controller cannot reliably reach a Global Catalog server. Therefore, we want to enable UGMC not in the HQ Site, which already has Global Catalog servers and would do us no good over that 256 Kbps slow link, but in the Branch 1 Site, where the caching actually happens.
Conclusion
I hope that you found working through this sample practice question to be helpful to your certification studies. If you remain unclear on the “hows and whys” of the Global Catalog, then see the companion piece that I mentioned at the beginning of this blog post. You are also free to leave your questions, comments, and concerns in the comments portion of this post.