Solved

Domain Controller reboot vs PCs access token

Posted on 2015-02-10
Medium Priority
162 Views
Last Modified: 2015-02-12
Hi there,

When the domain controller, a Windows Server 2008, is rebooted, I must also reboot the domain PCs. Otherwise, it seems that the computer access token is no longer good and I'm having access problems, including the logon script not running when logging on.

Can you please refresh my memory by explaining in simple words what's happening?

Please use the proper terminology.

Thanks,
Rene
Question by:ReneGe
6 Comments
 
LVL 59

Assisted Solution

by:Cliff Galiher
Cliff Galiher earned 500 total points
ID: 40602168
Put simply, that's not normal. So there are no simple words to explain what is going on. In a properly working environment, Kerberos tickets will survive and if necessary simply be re-issued if an authentication fails for any reason. What you describe would indicate a deeper issue with Kerberos or someone has configured authentication (forcing NTLM) in an odd way where even re-auths aren't working.
 
LVL 53

Assisted Solution

by:Will Szymkowski
Will Szymkowski earned 500 total points
ID: 40602174
To avoid something like this you should never have only 1 DC in your environment. When a DC is rebooted your request will be granted from another domain controller. In Server 2012 (domain controllers) there is a new mechanism called claims.

Claims are new authorization data that are provided by Active Directory. When claims are provisioned, Windows Server 2012 KDCs can create service tickets with a principal’s claims. Access tokens that are created from these service tickets include claims that can be used for access control.

You can also find detail about this in the below link.
https://technet.microsoft.com/en-ca/library/hh831747.aspx

Will.
 
LVL 10

Author Comment

by:ReneGe
ID: 40602198
Thanks to you two for your comments.

I think I should have mentioned that.

My current issue is with a Windows server 2008, and there are two Domain Controllers.
 
LVL 96

Accepted Solution

by:Lee W, MVP
Lee W, MVP earned 500 total points
ID: 40602202
I disagree with Will's usage of the word "never" above. There are instances where one is the best configuration given your environment and resources. That said, I would start with the event logs on the workstations losing connection AND the server's event logs. As Cliff said, this is not normal so a simple explanation is not possible.

After the event logs... perhaps before... I'd verify your DNS settings are all good on both the clients and the server, and if you're not familiar with what "good" should be, post them and we can advise (though this doesn't sound like a DNS issue to me).
 
LVL 38

Assisted Solution

by:Mahesh
Mahesh earned 500 total points
ID: 40602670
It is not *necessary* to reboot workstations after you reboot the DC, even if you have a single DC.
Only new clients will get affected during DC reboot \ downtime; they may not log on.
However, existing clients continue to work without any problems.
Only during the DC offline time, if you are trying to access any file server resources, might you get stuck, because the user will not get a session ticket to access file servers.

Once the DC comes online, if you run gpupdate /force on the client, it should reapply GPOs, or if you log off \ log on again, scripts should apply.

You might be having some GPO issues. Have you checked if GPOs are applied in normal circumstances?
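A client-side triage script along the lines Lee and Mahesh suggest (DC locator and DNS SRV lookups for both DCs, the Kerberos ticket cache, and recent Kerberos, Netlogon and Group Policy warnings and errors in the System log). This is an added example, not code from any poster; the domain name and the 24-hour look-back window are assumptions.

```powershell
# Triage for "clients lose access after the DC reboots" (example, not from the thread).
# Run in an elevated PowerShell on an affected workstation.
$Domain = 'corp.example.com'        # assumption: replace with your AD DNS domain
$Since  = (Get-Date).AddHours(-24)  # assumption: look back over the last day

# 1. Which DC is the locator handing out right now, and is it reachable?
nltest /dsgetdc:$Domain /force

# 2. DNS: the client must resolve the Kerberos/LDAP SRV records for BOTH DCs,
#    otherwise it cannot fail over while one DC is rebooting.
$dnsServers = (Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE').DNSServerSearchOrder
"Client DNS servers: $($dnsServers -join ', ')"
foreach ($svc in '_kerberos._tcp', '_ldap._tcp') {
    "SRV $svc.dc._msdcs.$Domain ->"
    Resolve-DnsName -Type SRV -Name "$svc.dc._msdcs.$Domain" -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'SRV' } |
        Select-Object NameTarget, Port, Priority
}

# 3. Kerberos: cached tickets. A missing TGT or stale service tickets for the
#    file server / SYSVOL explain logon scripts and GPO failing after the reboot.
klist
klist tgt

# 4. Event logs: Kerberos client, Netlogon and Group Policy problems in the window.
Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Security-Kerberos', 'Microsoft-Windows-GroupPolicy', 'NETLOGON'
    Level        = 2, 3   # 2 = error, 3 = warning
    StartTime    = $Since
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, ProviderName, Id, Message |
    Format-Table -AutoSize -Wrap

# 5. Which DC applied computer Group Policy last, and whether it succeeded.
gpresult /r /scope:computer
```

If step 2 only ever returns one DC, or step 4 shows Netlogon 5719 / Kerberos errors clustered around the reboot, the client is pinned to a single DC rather than failing over.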
 
LVL 10

Author Closing Comment

by:ReneGe
ID: 40605553
Thanks to all of you.

With your answers, I found what I needed.

Thanks and cheers,
Rene
