Solved

Domain Controller reboot vs PCs access token

Posted on 2015-02-10
6
145 Views
Last Modified: 2015-02-12
Hi there,

When the domain controller, a Windows Server 2008 is rebooted. I must also reboot the domain PCs. Or else, it seams that the computer access token is not good anymore and I'm having access problems, including the logon script not running when logging.

Can you please refresh my memory by explaining in simple words, whats happening?

Please use the proper terminology.

Thanks,
Rene
0
Comment
Question by:ReneGe
6 Comments
 
LVL 57

Assisted Solution

by:Cliff Galiher
Cliff Galiher earned 125 total points
ID: 40602168
Put simply, that's not normal. So there are no simple words to explain what is going on. In a properly working environment, Kerberos tickets will survive and if necessary simply be re-issued if an authentication fails for any reason. What you describe would indicate a deeper issue with Kerberos or someone has configured authentication (forcing NTLM) in an odd way where even re-auths aren't working.
0
 
LVL 53

Assisted Solution

by:Will Szymkowski
Will Szymkowski earned 125 total points
ID: 40602174
To avoide something like this you should never have only 1 DC in your environment. When a DC is rebooted your request will be granted from another domain controller. In Server 2012 (domain controllers) there is a new mechanism called caims.

Claims are new authorization data that are provided by Active Directory. When claims are provisioned, Windows Server 2012 KDCs can create service tickets with a principal’s claims. Access tokens that are created from these service tickets include claims that can be used for access control.

You can also find detail about this in the below link.
https://technet.microsoft.com/en-ca/library/hh831747.aspx

Will.
0
 
LVL 10

Author Comment

by:ReneGe
ID: 40602198
Thanks your two for your comments.

I think I should have mentionned that .

My current issue is with a Windows server 2008, and there are two Domain Controllers.
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 95

Accepted Solution

by:
Lee W, MVP earned 125 total points
ID: 40602202
I disagree with Will's usage of the word "never" above.  There are instances where one is the best configuration given your environment and resources.  That said, I would start with the event logs on the workstations losing connection AND the server's event logs.  As Cliff said, this is not normal so a simple explanation is not possible.

(After the event logs... perhaps before... I'd verify your DNS settings are all good on both the clients and the server - and if you're not familiar with what "good" should be, post them and we can advise (though this doesn't sound like a DNS issue to me).
0
 
LVL 36

Assisted Solution

by:Mahesh
Mahesh earned 125 total points
ID: 40602670
It is not *necessary* to reboot workstations after you reboot the DC even if you have single DC
Only new clients will get affected during DC reboot \ downtime, they may not logon
However existing clients continue to work without any problems
Only during DC offline time, if you trying to access any file server resources, that time you might get stuck because user will not get session ticket to access file servers

Once DC come online, if you run gpupdate /force on client, it should reapply GPOs or if you logoff \ logon again, scripts should apply

U might be having some GPO issues, have you checked if GPOs are applied in normal circumstances?
0
 
LVL 10

Author Closing Comment

by:ReneGe
ID: 40605553
Thanks to all of you.

With your answers, I found what I needed.

Thanks and cheers,
Rene
0

Featured Post

NAS Cloud Backup Strategies

This article explains backup scenarios when using network storage. We review the so-called “3-2-1 strategy” and summarize the methods you can use to send NAS data to the cloud

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Synchronize a new Active Directory domain with an existing Office 365 tenant
This script can help you clean up your user profile database by comparing profiles to Active Directory users in a particular OU, and removing the profiles that don't match.
This tutorial will walk an individual through the steps necessary to configure their installation of BackupExec 2012 to use network shared disk space. Verify that the path to the shared storage is valid and that data can be written to that location:…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question