The Active Roles Service stores the Managed Unit membership rule definition in an attribute in the Active Roles configuration database. Every Active Roles Service in a replication group reads those definitions and caches them.
Then, when an Active Roles client connects to an Active Roles service, there are two different scenarios:
1. The client requests information about (or a change to) an Active Directory object that might be a member of certain Managed Units, and thus be affected by Access Templates and/or Policy Objects linked to those Managed Units.
2. The client requests Managed Unit membership by expanding a Managed Unit directly in the Active Roles Console or Active Roles Web Interface.
In the first case, Active Roles identifies which Managed Units the target object is a member of. The Active Roles Service does NOT load membership for all Managed Units, but rather loads the target object attributes that are required to evaluate all Managed Unit conditions. After the Active Roles Service identifies which Managed Units the target object is a member of, it caches this information in memory. This cache is called the "reverse MU membership cache", as it has one record per object, listing all Managed Units that the object is a member of. Records are removed from this cache when any target object attribute is updated, when a Managed Unit membership rule is updated, or when the Active Roles Service needs to free some memory.
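The first case can be pictured with the following added example, a simplified Python model that is not Active Roles code. The rule shape (required attributes plus a predicate), the LRU policy used to free memory, the choice to clear every record on a rule change, and all sample objects are assumptions made for illustration.

```python
from collections import OrderedDict

class ReverseMUCache:
    """Illustrative model only: one record per object DN -> Managed Units it belongs to."""

    def __init__(self, rules, directory, max_records=1000):
        self.rules = rules            # {mu: (required_attrs, predicate)} (hypothetical shape)
        self.directory = directory    # {dn: {attr: value}}, stands in for Active Directory
        self.max_records = max_records
        self.records = OrderedDict()  # least recently used record first
        self.evaluations = 0          # counts rule evaluations (cache misses)

    def memberships(self, dn):
        if dn in self.records:                       # hit: no rules evaluated
            self.records.move_to_end(dn)
            return self.records[dn]
        # Miss: load only the attributes the rules need, then test every rule.
        needed = set().union(*(attrs for attrs, _ in self.rules.values()))
        view = {a: self.directory[dn].get(a) for a in needed}
        self.evaluations += 1
        result = frozenset(mu for mu, (_, match) in self.rules.items() if match(view))
        self.records[dn] = result
        while len(self.records) > self.max_records:  # assumed LRU policy for freeing memory
            self.records.popitem(last=False)
        return result

    def on_attribute_update(self, dn, attr, value):
        self.directory[dn][attr] = value
        self.records.pop(dn, None)                   # drop that object's record

    def on_rule_update(self, mu, required_attrs, match):
        self.rules[mu] = (required_attrs, match)
        self.records.clear()                         # assumption: every record may be stale

def build_sample(max_records=1000):
    # Constructed sample objects and rules, not taken from any real deployment.
    directory = {
        "CN=Ann,OU=Staff,DC=example,DC=com": {"department": "Finance", "title": "Analyst"},
        "CN=Bob,OU=Staff,DC=example,DC=com": {"department": "IT", "title": "Contractor"},
    }
    rules = {
        "Finance Users": ({"department"}, lambda o: o["department"] == "Finance"),
        "Contractors": ({"title"}, lambda o: o["title"] == "Contractor"),
    }
    return ReverseMUCache(rules, directory, max_records)
```

In this model a stale record would mean an Access Template or Policy Object linked to a Managed Unit keeps applying (or not applying) to an object after its attributes changed, which is why every update path removes records.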
In the second case, the Service sends all membership rules as requests to Active Directory, processes the results to match include rules with exclude rules, and then returns the Managed Unit membership to the client. No special in-memory caching is used in this case.
Because any Access Template/Policy Object linked to a Managed Unit affects any member of this Managed Unit, Active Roles Services in a replication group process Managed Unit membership rules equally. In other words, Active Roles Services in a certain location cannot predict which Active Directory objects would never be accessed through that Service, and therefore can't skip processing of any Managed Units.