RMS Active Directory Cache

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Each RMS server in the root cluster and licensing-only cluster has a local Active Directory cache that contains the results of Active Directory global catalog group membership queries. In addition to the cache that is on each server of the cluster, there is a shared cache for each cluster, which is stored in the directory services database. The purpose of these caches is to reduce the number of queries that are submitted to the global catalog, and to reduce the response time for licensing requests.

When a user requests a use license, the responding server must evaluate whether or not that user has been granted the necessary rights in the publishing license. In the simplest case, the user who requests a license is explicitly named in the publishing license. In many scenarios, however, the author grants rights to a group, rather than to individual users.

If the publishing license does not explicitly name the requesting user, but instead grants rights to a group, the server must evaluate the user's group memberships to determine whether or not the user is a member of a group that has been granted rights. To do this, the server submits an LDAP query against the global catalog.

RMS servers cache all group membership query results in both the local Active Directory cache and in the cluster directory services database. Servers can then obtain group membership information from these caches, which reduces the number of queries that they must submit to the global catalog. By default, the closest server is queried; however, you can configure the GC registry key to specify the global catalog servers to be queried. For more information about this setting, see "Modifying Connection Pool Registry Settings" in "RMS: Operations" in this documentation collection.

To evaluate a user's group memberships, the server first checks its cache to see if there is group membership information for the user already stored there. If not, the server then checks the directory services database for the cluster. If the group membership information is not stored in this database, the server then queries the global catalog.

For users and groups, the following Active Directory attributes are cached:

  • mail

  • ProxyAddresses (SMTP e-mail addresses only)

  • objectSID

  • sidHistory

  • memberOf (GUIDs of groups of which the user or group is a member)

The entries in the local Active Directory cache are time-stamped. Registry settings specify the validity period for entries that are in the cache, as well as the total number of entries that can be cached. These settings can have an effect on the performance of your servers. For more information, see "Modifying Active Directory Cache Settings" in "RMS: Operations" in this documentation collection.
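As an added illustration that is not part of this documentation or of the RMS product code, the following constructed Python model walks the lookup order described above (local cache, then the cluster directory services database, then the global catalog) with time-stamped entries, a validity period and a capacity limit; the catalog contents, SID and group GUID are made-up values. It also shows what a practitioner should keep in mind when choosing the validity period: a user removed from a group in Active Directory continues to satisfy a group-based publishing license until the cached entry expires.

```python
import copy

# Attributes RMS caches for users and groups (listed on the page).
CACHED_ATTRS = ("mail", "ProxyAddresses", "objectSID", "sidHistory", "memberOf")


class TieredMembershipCache:
    """Constructed model of the RMS lookup order: local cache, then the cluster
    directory services database, then the global catalog. Not RMS code."""

    def __init__(self, global_catalog, validity_seconds, max_entries):
        self.gc = global_catalog          # simulated GC: mail -> attribute dict
        self.validity = validity_seconds  # entry lifetime (registry-controlled in RMS)
        self.max_entries = max_entries    # cache capacity (registry-controlled in RMS)
        self.local = {}                   # per-server cache: mail -> (timestamp, attrs)
        self.cluster = {}                 # shared cluster cache: mail -> (timestamp, attrs)
        self.gc_queries = 0               # how many lookups actually reached the GC

    def _fresh(self, store, mail, now):
        entry = store.get(mail)  # (timestamp, attrs) or None
        return entry if entry and now - entry[0] <= self.validity else None

    def _store(self, store, mail, entry):
        if mail not in store and len(store) >= self.max_entries:
            del store[min(store, key=lambda k: store[k][0])]  # evict the oldest entry
        store[mail] = entry

    def lookup(self, mail, now):
        """Return the cached attributes, consulting the tiers in RMS order."""
        entry = self._fresh(self.local, mail, now)
        if entry is None:
            entry = self._fresh(self.cluster, mail, now)
            if entry is None:
                self.gc_queries += 1
                record = self.gc.get(mail, {})
                entry = (now, {k: copy.deepcopy(record.get(k)) for k in CACHED_ATTRS})
                self._store(self.cluster, mail, entry)
            self._store(self.local, mail, entry)  # copy keeps the original timestamp
        return entry[1]

    def is_granted(self, mail, license_principals, now):
        """True if the publishing license names the user or one of the user's cached groups."""
        attrs = self.lookup(mail, now)
        if mail in license_principals:
            return True
        return any(g in license_principals for g in (attrs.get("memberOf") or ()))


# Constructed sample catalog; the SID and group GUID are made-up values.
SAMPLE_GC = {"alice@example.com": {"mail": "alice@example.com", "objectSID": "S-1-5-21-0-0-0-1001",
                                   "memberOf": ["11111111-2222-3333-4444-555555555555"]}}
```

A second server object that shares the same `cluster` dictionary models another server in the cluster: its first lookup is served from the cluster cache without reaching the global catalog.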