Group Membership Cache

Infra_SS4
The group membership cache refresh task has reached the maximum number of users for the local domain controller.

Maximum number of users: 500

Clients authenticating to this affected domain controller, which is not a global catalog, do not have specific security group permissions pushed down, which is affecting user access to files/folders on our file server.
The Group Membership Evaluation task will help find out which SIDs can be cleared to push the group membership, or for problems due to access token limitation:

(http://go.microsoft.com/fwlink/?LinkId=146571)

Also try making the DC a Universal Group Membership Caching DC and check whether it solves the problem.

http://technet.microsoft.com/en-us/library/cc775528(v=ws.10).aspx
Infra_SS4, Superintendent ICT Technology Infrastructure

Author

Commented:
We have two DCs in this child domain. One is a GC with two roles, i.e. RID and PDC emulator. The DC with the problem is not a GC but has the Infrastructure master role. UG membership caching is already enabled on the GC. The issue suggested earlier most likely is not what we're experiencing. Our security groups are very granular and not that huge or large.

One thing I wanted to ask is whether or not making this DC a GC would solve our problem. With that we would have two DCs with GC enabled in just one site. Would this suit?
Check the health of the DC by using the dcdiag command and post the result:

dcdiag /s:DCName

By standard, place all the FSMO roles on the first DC in the child domain and place the GC on the secondary DC. Hence, transfer the Infrastructure role to the first DC and make the second one a GC. Wait some time for replication between both DCs, then remove the GC from the first DC.
http://www.petri.co.il/planning_fsmo_roles_in_ad.htm
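The layout recommended above (all FSMO roles on one DC, the GC on the other) can be inventoried and applied from the ActiveDirectory PowerShell module. The script below is an added example and is not code from this thread or from Microsoft; DC01 and DC02 are the names used in the thread, and which DC ends up with which role, the domain you run it against, and the order of the steps are assumptions that you should adjust to your own topology.

```powershell
# Added example (not from the thread): inventory FSMO/GC placement in the child
# domain, flag the Infrastructure-master-on-a-GC conflict, then apply the
# recommended layout step by step. DC01/DC02 are the thread's DC names; which
# DC receives which role is an assumption for illustration.
Import-Module ActiveDirectory

$domain = Get-ADDomain   # current domain; add -Identity child.example.com (assumed name) for another
"Infrastructure master : $($domain.InfrastructureMaster)"
"PDC emulator          : $($domain.PDCEmulator)"
"RID master            : $($domain.RIDMaster)"

# Which DCs are global catalogs and which operations master roles each one holds
Get-ADDomainController -Filter * |
    Select-Object Name, Site, IsGlobalCatalog, OperationMasterRoles |
    Format-Table -AutoSize

# The Infrastructure master should not be a GC unless every DC in the domain is a GC;
# otherwise cross-domain group member references (phantoms) stop being updated.
$infra = Get-ADDomainController -Identity $domain.InfrastructureMaster
$nonGc = @(Get-ADDomainController -Filter * | Where-Object { -not $_.IsGlobalCatalog })
if ($infra.IsGlobalCatalog -and $nonGc.Count -gt 0) {
    Write-Warning "Infrastructure master $($infra.Name) is a GC while $($nonGc.Count) DC(s) are not."
}

# Step 1: consolidate the FSMO roles on the DC that already holds PDC/RID (DC02 in the thread).
Move-ADDirectoryServerOperationMasterRole -Identity DC02 -OperationMasterRole InfrastructureMaster -Confirm:$false

# Step 2: make the other DC (DC01) a GC by setting bit 1 (NTDSDSA_OPT_IS_GC) on its
# NTDS Settings object. Bitwise OR keeps any other option bits already set.
$dc01 = Get-ADDomainController -Identity DC01
$ntds = Get-ADObject -Identity $dc01.NTDSSettingsObjectDN -Properties options
Set-ADObject -Identity $ntds -Replace @{ options = ([int]$ntds.options -bor 1) }

# Step 3 (only after DC01 advertises as a GC, i.e. dcdiag Advertising passes):
# clear bit 1 on DC02 so the Infrastructure master no longer sits on a GC.
# $dc02 = Get-ADDomainController -Identity DC02
# $ntds2 = Get-ADObject -Identity $dc02.NTDSSettingsObjectDN -Properties options
# Set-ADObject -Identity $ntds2 -Replace @{ options = ([int]$ntds2.options -band (-bnot 1)) }

# Verification after replication: the health output the thread asks the author to post.
repadmin /replsummary
dcdiag /s:DC01 /test:Advertising /test:Replications
```

Run the inventory part first and only uncomment step 3 once the new GC is advertising; promoting and demoting a GC both trigger a full replication of the partial partitions, so leave time for that before the final check.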
Infra_SS4, Superintendent ICT Technology Infrastructure

Author

Commented:
OK. We will proceed with these changes and advise results as soon as we can. Thanks.
Infra_SS4, Superintendent ICT Technology Infrastructure

Author

Commented:
Please find attached the dcdiag results.
You missed posting the result here. Are you done with the standard recommendation, and did it help fix the issue?
Infra_SS4, Superintendent ICT Technology Infrastructure

Author

Commented:
No. What we have done is increase the group caching from 500, as per the event logs, to 1000 in AD. We are testing to see if this will resolve the issue. If this doesn't work, then the next step is to make DC01 a global catalog server as well, allow replication and test. This means we will have DC01 with the Infrastructure master role and GC, as well as DC02 with the PDC emulator and RID master roles and GC, in the same site.
Superintendent ICT Technology Infrastructure
Commented:
The suggested solutions did not help much. What we did is transfer the Infrastructure master role to the working DC and rebuild the DC that was at fault. All is working OK now. This can be closed.
Infra_SS4, Superintendent ICT Technology Infrastructure

Author

Commented:
Steps we took:
1. Increased caching to 1000. Did not resolve the issue.
2. DC and AD indicated healthy status, including replication between DCs.

Final option: transferred the role master to a working DC and rebuilt the problematic DC. Synced it and allowed replication for at least a day, then checked group caching and permissions using the DC as the validating server, and all permissions and access rights with group policies applied successfully. Rebuilding the DC resolved the problem for us.
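The first two steps above (raising the cache limit from 500 to 1000 and confirming DC and replication health) can be scripted and verified rather than done by hand, which also makes it clear where Universal Group Membership Caching is actually switched on: it is a per-site setting on the NTDS Site Settings object, while the refresh limit that the event refers to is a per-DC registry value. The script below is an added example, not code from this thread or from Microsoft. It assumes DC01 is the affected non-GC DC, that the registry value name "Cached Membership Refresh Limit" under the NTDS parameters key is the documented UGMC value (treat that as an assumption to confirm against your own documentation), and that "jdoe" is a placeholder account.

```powershell
# Added example (not from the thread): check whether UGMC is enabled for the
# affected DC's site, read and raise the per-DC cache refresh limit (500 -> 1000,
# as the thread did), run the health checks the thread relied on, and spot-check
# that a user's cached membership is actually being refreshed.
# Assumptions: DC01 is the affected non-GC DC; the registry value name
# 'Cached Membership Refresh Limit' is taken from the documented UGMC values;
# 'jdoe' is a placeholder account name.
Import-Module ActiveDirectory

$dc   = Get-ADDomainController -Identity DC01
$root = (Get-ADRootDSE).configurationNamingContext
$siteSettingsDn = "CN=NTDS Site Settings,CN=$($dc.Site),CN=Sites,$root"
$siteSettings   = Get-ADObject -Identity $siteSettingsDn -Properties options, 'msDS-Preferred-GC-Site'

# Bit 0x20 of the NTDS Site Settings 'options' attribute enables UGMC for the whole site.
# Every non-GC DC in that site then runs the refresh task against the preferred GC site.
$ugmcEnabled = ([int]$siteSettings.options -band 0x20) -ne 0
"UGMC enabled for site $($dc.Site): $ugmcEnabled"
"Preferred GC site for refresh   : $($siteSettings.'msDS-Preferred-GC-Site')"
"DC01 is a global catalog        : $($dc.IsGlobalCatalog)"   # the refresh task only matters on non-GC DCs

# The refresh limit is per DC and lives in the NTDS parameters key on that DC.
$ntdsKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$valueName = 'Cached Membership Refresh Limit'   # assumed documented UGMC value name
$limit = Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
    param($key, $name)
    (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
} -ArgumentList $ntdsKey, $valueName
"Current refresh limit on $($dc.Name): $(if ($limit) { $limit } else { 'not set (default 500)' })"

# Raise the limit only when the event reports it has been reached. Each cached user costs
# a GC round trip every refresh interval, so keep the value close to the real user count.
if (-not $limit -or $limit -lt 1000) {
    Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
        param($key, $name)
        Set-ItemProperty -Path $key -Name $name -Value 1000 -Type DWord
    } -ArgumentList $ntdsKey, $valueName
    "Refresh limit on $($dc.Name) set to 1000"
}

# Health checks: inbound replication partners/failures for DC01 and the DC's own diagnostics.
repadmin /showrepl $dc.HostName
dcdiag /s:$($dc.HostName)

# Spot-check one user: msDS-Cached-Membership-Time-Stamp is written by the refresh task on
# the caching DC. A missing or stale timestamp means that user is not in the refreshed set,
# which is exactly the symptom of hitting the limit (missing group SIDs in the user's token).
Get-ADUser -Identity 'jdoe' -Server $dc.HostName -Properties 'msDS-Cached-Membership-Time-Stamp' |
    Select-Object SamAccountName, 'msDS-Cached-Membership-Time-Stamp'
```

The per-user timestamp check is the quickest way to tell whether the problem is the cache at all: if users who lose file-server access on DC01 show an old or empty timestamp while users who work fine show a recent one, the refresh set is the bottleneck; if the timestamps are fresh and access still fails, the fault lies elsewhere on that DC, which is consistent with a rebuild being what finally resolved it here.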
