?
Solved

Domain Controller reboot vs PCs access token

Posted on 2015-02-10
6
Medium Priority
?
158 Views
Last Modified: 2015-02-12
Hi there,

When the domain controller, a Windows Server 2008 is rebooted. I must also reboot the domain PCs. Or else, it seams that the computer access token is not good anymore and I'm having access problems, including the logon script not running when logging.

Can you please refresh my memory by explaining in simple words, whats happening?

Please use the proper terminology.

Thanks,
Rene
0
Comment
Question by:ReneGe
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 59

Assisted Solution

by:Cliff Galiher
Cliff Galiher earned 500 total points
ID: 40602168
Put simply, that's not normal. So there are no simple words to explain what is going on. In a properly working environment, Kerberos tickets will survive and if necessary simply be re-issued if an authentication fails for any reason. What you describe would indicate a deeper issue with Kerberos or someone has configured authentication (forcing NTLM) in an odd way where even re-auths aren't working.
0
 
LVL 53

Assisted Solution

by:Will Szymkowski
Will Szymkowski earned 500 total points
ID: 40602174
To avoide something like this you should never have only 1 DC in your environment. When a DC is rebooted your request will be granted from another domain controller. In Server 2012 (domain controllers) there is a new mechanism called caims.

Claims are new authorization data that are provided by Active Directory. When claims are provisioned, Windows Server 2012 KDCs can create service tickets with a principal’s claims. Access tokens that are created from these service tickets include claims that can be used for access control.

You can also find detail about this in the below link.
https://technet.microsoft.com/en-ca/library/hh831747.aspx

Will.
0
 
LVL 10

Author Comment

by:ReneGe
ID: 40602198
Thanks your two for your comments.

I think I should have mentionned that .

My current issue is with a Windows server 2008, and there are two Domain Controllers.
0
Optimize your web performance

What's in the eBook?
- Full list of reasons for poor performance
- Ultimate measures to speed things up
- Primary web monitoring types
- KPIs you should be monitoring in order to increase your ROI

 
LVL 96

Accepted Solution

by:
Lee W, MVP earned 500 total points
ID: 40602202
I disagree with Will's usage of the word "never" above.  There are instances where one is the best configuration given your environment and resources.  That said, I would start with the event logs on the workstations losing connection AND the server's event logs.  As Cliff said, this is not normal so a simple explanation is not possible.

(After the event logs... perhaps before... I'd verify your DNS settings are all good on both the clients and the server - and if you're not familiar with what "good" should be, post them and we can advise (though this doesn't sound like a DNS issue to me).
0
 
LVL 37

Assisted Solution

by:Mahesh
Mahesh earned 500 total points
ID: 40602670
It is not *necessary* to reboot workstations after you reboot the DC even if you have single DC
Only new clients will get affected during DC reboot \ downtime, they may not logon
However existing clients continue to work without any problems
Only during DC offline time, if you trying to access any file server resources, that time you might get stuck because user will not get session ticket to access file servers

Once DC come online, if you run gpupdate /force on client, it should reapply GPOs or if you logoff \ logon again, scripts should apply

U might be having some GPO issues, have you checked if GPOs are applied in normal circumstances?
0
 
LVL 10

Author Closing Comment

by:ReneGe
ID: 40605553
Thanks to all of you.

With your answers, I found what I needed.

Thanks and cheers,
Rene
0

Featured Post

Get free NFR key for Veeam Availability Suite 9.5

Veeam is happy to provide a free NFR license (1 year, 2 sockets) to all certified IT Pros. The license allows for the non-production use of Veeam Availability Suite v9.5 in your home lab, without any feature limitations. It works for both VMware and Hyper-V environments

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A hard and fast method for reducing Active Directory Administrators members.
Group policies can be applied selectively to specific devices with the help of groups. Utilising this, it is possible to phase-in group policies, over a period of time, by randomly adding non-members user or computers at a set interval, to a group f…
This tutorial will walk an individual through the steps necessary to install and configure the Windows Server Backup Utility. Directly connect an external storage device such as a USB drive, or CD\DVD burner: If the device is a USB drive, ensure i…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Suggested Courses
Course of the Month11 days, 9 hours left to enroll

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question