Inter-domain membership in Universal Group not updating

Universal Group caching isn't enabled.

We moved about 50 accounts last night from one OU to another in Domain (A),
and then two hours later the same ~50 accounts were moved into several
different OU's, again within domain (A). The universal group, which is in
domain (B), didn't lose the group memberships, but on non-GC DC's in the
domain (B), it has the little "grey head" icons, and it lists the previous
OU that the user accounts were placed in, yesterday.

Even accounting for the maximum latency based on our topology, this would
well exceed the time necessary to replicate this change to the GC's.

This behavior seems like Universal Group caching is on, but it isn't, I
checked it. We ended up rebooting the FSMO (all 3) role holder on domain
(B), and it still had the problem; then magically 10 minutes later it
updated.

It's between 20-24 hours since these accounts were in the OU that is listed.

I don't even know if the problem is on the DC of domain B per se, because it
isn't a GC and will simply pick from any GC in the forest. The GC had
correct information, the non-GC didn't.

Should I use repadmin and start looking at USN's and vectors?

don't everyone answer at once...


<-> wrote in message news:e%23v4tlxsJHA.4968@TK2MSFTNGP02.phx.gbl...
> Universal Group caching isn't enabled.
>
> We moved about 50 accounts last night from one OU to another in Domain
> (A), and then two hours later the same ~50 accounts were moved into
> several different OU's, again within domain (A). The universal group,
> which is in domain (B), didn't lose the group memberships, but on non-GC
> DC's in the domain (B), it has the little "grey head" icons, and it lists
> the previous OU that the user accounts were placed in, yesterday.
>
> Even accounting for the maximum latency based on our topology, this would
> well exceed the time necessary to replicate this change to the GC's.
>
> This behavior seems like Universal Group caching is on, but it isn't, I
> checked it. We ended up rebooting the FSMO (all 3) role holder on domain
> (B), and it still had the problem; then magically 10 minutes later it
> updated.
>
> It's between 20-24 hours since these accounts were in the OU that is
> listed.
>
> I don't even know if the problem is on the DC of domain B per se, because
> it isn't a GC and will simply pick from any GC in the forest. The GC had
> correct information, the non-GC didn't.
>
> Should I use repadmin and start looking at USN's and vectors?
>

Is your Infrastructure Operations Master in domain B a GC?

hth
Marcin

<-> wrote in message news:e%23v4tlxsJHA.4968@TK2MSFTNGP02.phx.gbl...
> Universal Group caching isn't enabled.
>
> We moved about 50 accounts last night from one OU to another in Domain
> (A), and then two hours later the same ~50 accounts were moved into
> several different OU's, again within domain (A). The universal group,
> which is in domain (B), didn't lose the group memberships, but on non-GC
> DC's in the domain (B), it has the little "grey head" icons, and it lists
> the previous OU that the user accounts were placed in, yesterday.
>
> Even accounting for the maximum latency based on our topology, this would
> well exceed the time necessary to replicate this change to the GC's.
>
> This behavior seems like Universal Group caching is on, but it isn't, I
> checked it. We ended up rebooting the FSMO (all 3) role holder on domain
> (B), and it still had the problem; then magically 10 minutes later it
> updated.
>
> It's between 20-24 hours since these accounts were in the OU that is
> listed.
>
> I don't even know if the problem is on the DC of domain B per se, because
> it isn't a GC and will simply pick from any GC in the forest. The GC had
> correct information, the non-GC didn't.
>
> Should I use repadmin and start looking at USN's and vectors?
>