Christian,
I asked this question to our AD folks and Steve Linehan had this to say:
"tokengroupsGlobalandUniversal is a constructed attribute, so it is really not replicated anywhere but built on the fly. You can determine this by looking at the system-flags value, which in this case is 0x08000014, and that last value tells you it is constructed. Now, on to why you have to contact a DC in the security principal's domain. That is the only way to build a full token of the user, and not only must the DC be contacted, but if that DC is not a GC, it will contact a GC to build the transitive groups and the full token. This really comes down to how the authentication and security subsystems were architected in the OS, so it is not as simple as making that attribute part of the Global Catalog."
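
The two checks described in the quote, as an added PowerShell example that is not part of the original reply: it tests the constructed bit (0x4) in the attribute's systemFlags and then reads the attribute with a base-scope request against a DC in the user's own domain. The user DN and DC name are placeholders, and it assumes a domain-joined Windows host with read access to the directory.

```powershell
# Placeholders (assumptions, not from the original reply): substitute your own values.
$UserDn   = 'CN=Example User,OU=Staff,DC=child,DC=example,DC=com'
$DomainDc = 'dc01.child.example.com'   # must be a DC in the user's own domain

# Bit 0x4 of systemFlags on an attributeSchema object marks a constructed attribute.
$FLAG_ATTR_IS_CONSTRUCTED = 0x00000004

# 1. Locate the attribute's schema object and read its systemFlags.
$rootDse  = [ADSI]"LDAP://$DomainDc/RootDSE"
$schemaNc = [string]$rootDse.Properties['schemaNamingContext'][0]

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$DomainDc/$schemaNc"
$searcher.Filter = '(&(objectClass=attributeSchema)(lDAPDisplayName=tokenGroupsGlobalAndUniversal))'
[void]$searcher.PropertiesToLoad.Add('systemFlags')

$attr = $searcher.FindOne()
if ($null -eq $attr) { throw 'Attribute schema object not found.' }

$flags = [int]$attr.Properties['systemflags'][0]
$isConstructed = ($flags -band $FLAG_ATTR_IS_CONSTRUCTED) -ne 0
'systemFlags = 0x{0:X8}  constructed = {1}' -f $flags, $isConstructed

# 2. A constructed attribute is computed per request, so it has to be asked for
#    by name on the object itself. RefreshCache issues that base-scope read.
$user = [ADSI]"LDAP://$DomainDc/$UserDn"
$user.RefreshCache([string[]]@('tokenGroupsGlobalAndUniversal'))

# Each value is a binary SID; convert it to the S-1-5-... string form.
foreach ($bytes in $user.Properties['tokenGroupsGlobalAndUniversal']) {
    $sid = New-Object System.Security.Principal.SecurityIdentifier(([byte[]]$bytes), 0)
    $sid.Value
}
```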