Solved

Domain Controller reboot vs PCs access token

Posted on 2015-02-10
6
143 Views
Last Modified: 2015-02-12
Hi there,

When the domain controller, a Windows Server 2008 is rebooted. I must also reboot the domain PCs. Or else, it seams that the computer access token is not good anymore and I'm having access problems, including the logon script not running when logging.

Can you please refresh my memory by explaining in simple words, whats happening?

Please use the proper terminology.

Thanks,
Rene
0
Comment
Question by:ReneGe
6 Comments
 
LVL 56

Assisted Solution

by:Cliff Galiher
Cliff Galiher earned 125 total points
ID: 40602168
Put simply, that's not normal. So there are no simple words to explain what is going on. In a properly working environment, Kerberos tickets will survive and if necessary simply be re-issued if an authentication fails for any reason. What you describe would indicate a deeper issue with Kerberos or someone has configured authentication (forcing NTLM) in an odd way where even re-auths aren't working.
0
 
LVL 53

Assisted Solution

by:Will Szymkowski
Will Szymkowski earned 125 total points
ID: 40602174
To avoide something like this you should never have only 1 DC in your environment. When a DC is rebooted your request will be granted from another domain controller. In Server 2012 (domain controllers) there is a new mechanism called caims.

Claims are new authorization data that are provided by Active Directory. When claims are provisioned, Windows Server 2012 KDCs can create service tickets with a principal’s claims. Access tokens that are created from these service tickets include claims that can be used for access control.

You can also find detail about this in the below link.
https://technet.microsoft.com/en-ca/library/hh831747.aspx

Will.
0
 
LVL 10

Author Comment

by:ReneGe
ID: 40602198
Thanks your two for your comments.

I think I should have mentionned that .

My current issue is with a Windows server 2008, and there are two Domain Controllers.
0
 
LVL 95

Accepted Solution

by:
Lee W, MVP earned 125 total points
ID: 40602202
I disagree with Will's usage of the word "never" above.  There are instances where one is the best configuration given your environment and resources.  That said, I would start with the event logs on the workstations losing connection AND the server's event logs.  As Cliff said, this is not normal so a simple explanation is not possible.

(After the event logs... perhaps before... I'd verify your DNS settings are all good on both the clients and the server - and if you're not familiar with what "good" should be, post them and we can advise (though this doesn't sound like a DNS issue to me).
0
 
LVL 35

Assisted Solution

by:Mahesh
Mahesh earned 125 total points
ID: 40602670
It is not *necessary* to reboot workstations after you reboot the DC even if you have single DC
Only new clients will get affected during DC reboot \ downtime, they may not logon
However existing clients continue to work without any problems
Only during DC offline time, if you trying to access any file server resources, that time you might get stuck because user will not get session ticket to access file servers

Once DC come online, if you run gpupdate /force on client, it should reapply GPOs or if you logoff \ logon again, scripts should apply

U might be having some GPO issues, have you checked if GPOs are applied in normal circumstances?
0
 
LVL 10

Author Closing Comment

by:ReneGe
ID: 40605553
Thanks to all of you.

With your answers, I found what I needed.

Thanks and cheers,
Rene
0

Join & Write a Comment

OfficeMate Freezes on login or does not load after login credentials are input.
A procedure for exporting installed hotfix details of remote computers using powershell
This tutorial will walk an individual through locating and launching the BEUtility application and how to execute it on the appropriate database. Log onto the server running the Backup Exec database. In a larger environment, this would generally be …
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…

746 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now