O.K. So I get asked this question a lot. "I've got one forest with a single domain. Do I still need to use a universal group?"
The answer is 'you don't technically have to'. Here is the deal. As we all know Universal groups are the only groups that replicate their membership across the forest. Let's say you have a forest 'foo.com' with a domain 'domain.foo.com'. Now you RMS protect a message and send it to a group. How does RMS deal with this?
Well RMS is going to grab the first 5 GCs that respond to the request, and cycle through them for EUL validation. So let's say you have a Security group called SecGroup1@domain.foo.com that mail is being sent to that email@example.com is a member of, and rms grabs these 5 GCs.
What do you think will happen when RMS queries each of these GCs for the membership of SecGroup1?
GC1.domain.foo.com - Good
GC2.domain.foo.com - Good
GC3.domain.foo.com - Good
GC4.domain.foo.com - Good
GC.foo.com - Fail
So your user has a 1 in 5 chance of getting an EUL, when a message is sent to a security group in domain.foo.com.
What are your options?
Well you've really got 3. The first is leave it alone, and take your chances at the wheel. OK. Maybe that's not the best option. The next option is to make that group a universal group. The membership will get replicated to GC.foo.com, and you now have 5 in 5 chance of getting an EUL. The last option, which not many people know about is that you can tell RMS which GCs it should query. You would set the following key:
HKLM/Software/Microsoft/DRMS/1.0/ <--Change the 1.0 to 2.0 for WS2008 ADRMS
VALUE: Comma delimited list of GC FQDNs (i.e. GC1.domain.foo.com,GC2.domain.foo.com,GC3.domain.foo.com,GC4.domain.foo.com)
Now you have a 4 in 4 chance of getting an EUL using a security group, or another domain local group.
Now, if you have multiple domains in your forest, you need to use universal groups...period.
I need a nap.
Update: Nap music added to this post. 😀