?
Solved

Domain Controller reboot vs PCs access token

Posted on 2015-02-10
6
Medium Priority
?
164 Views
Last Modified: 2015-02-12
Hi there,

When the domain controller, a Windows Server 2008 is rebooted. I must also reboot the domain PCs. Or else, it seams that the computer access token is not good anymore and I'm having access problems, including the logon script not running when logging.

Can you please refresh my memory by explaining in simple words, whats happening?

Please use the proper terminology.

Thanks,
Rene
0
Comment
Question by:ReneGe
6 Comments
 
LVL 60

Assisted Solution

by:Cliff Galiher
Cliff Galiher earned 500 total points
ID: 40602168
Put simply, that's not normal. So there are no simple words to explain what is going on. In a properly working environment, Kerberos tickets will survive and if necessary simply be re-issued if an authentication fails for any reason. What you describe would indicate a deeper issue with Kerberos or someone has configured authentication (forcing NTLM) in an odd way where even re-auths aren't working.
0
 
LVL 53

Assisted Solution

by:Will Szymkowski
Will Szymkowski earned 500 total points
ID: 40602174
To avoide something like this you should never have only 1 DC in your environment. When a DC is rebooted your request will be granted from another domain controller. In Server 2012 (domain controllers) there is a new mechanism called caims.

Claims are new authorization data that are provided by Active Directory. When claims are provisioned, Windows Server 2012 KDCs can create service tickets with a principal’s claims. Access tokens that are created from these service tickets include claims that can be used for access control.

You can also find detail about this in the below link.
https://technet.microsoft.com/en-ca/library/hh831747.aspx

Will.
0
 
LVL 10

Author Comment

by:ReneGe
ID: 40602198
Thanks your two for your comments.

I think I should have mentionned that .

My current issue is with a Windows server 2008, and there are two Domain Controllers.
0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 
LVL 97

Accepted Solution

by:
Lee W, MVP earned 500 total points
ID: 40602202
I disagree with Will's usage of the word "never" above.  There are instances where one is the best configuration given your environment and resources.  That said, I would start with the event logs on the workstations losing connection AND the server's event logs.  As Cliff said, this is not normal so a simple explanation is not possible.

(After the event logs... perhaps before... I'd verify your DNS settings are all good on both the clients and the server - and if you're not familiar with what "good" should be, post them and we can advise (though this doesn't sound like a DNS issue to me).
0
 
LVL 38

Assisted Solution

by:Mahesh
Mahesh earned 500 total points
ID: 40602670
It is not *necessary* to reboot workstations after you reboot the DC even if you have single DC
Only new clients will get affected during DC reboot \ downtime, they may not logon
However existing clients continue to work without any problems
Only during DC offline time, if you trying to access any file server resources, that time you might get stuck because user will not get session ticket to access file servers

Once DC come online, if you run gpupdate /force on client, it should reapply GPOs or if you logoff \ logon again, scripts should apply

U might be having some GPO issues, have you checked if GPOs are applied in normal circumstances?
0
 
LVL 10

Author Closing Comment

by:ReneGe
ID: 40605553
Thanks to all of you.

With your answers, I found what I needed.

Thanks and cheers,
Rene
0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

After seeing many questions for JRNL_WRAP_ERROR for replication failure, I thought it would be useful to write this article.
A bad practice commonly found during an account life cycle is to set its password to an initial, insecure password. The Password Reset Tool was developed to make the password reset process easier and more secure.
This tutorial will walk an individual through the steps necessary to enable the VMware\Hyper-V licensed feature of Backup Exec 2012. In addition, how to add a VMware server and configure a backup job. The first step is to acquire the necessary licen…
This tutorial will show how to configure a single USB drive with a separate folder for each day of the week. This will allow each of the backups to be kept separate preventing the previous day’s backup from being overwritten. The USB drive must be s…
Suggested Courses

840 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question