How do Windows domain clients behave if the domain controller is offline?

Solution 1:

Quite a few things will happen with no DC available:

  • If the domain controller is the only DNS server, the first complaint you will get is that the internet is broken, because the clients have no DNS.

  • Since DCs usually also run DHCP, computers won't be able to connect to the network at all. Computers that are already connected will keep working for a while.

  • File shares they are already connected to will work fine for a while (a few hours likely), until their session expires. When the file server goes to validate their credentials, it won't be able to talk to the DC, and won't let anyone connect anymore.

  • Anything else that relies on Active Directory authentication (like IIS sites, or VPN servers, etc.) won't let people log in. Depending on the setup, it might immediately kick people off, or might keep existing sessions and just not allow new ones.

  • For the computers themselves, people who have used the computer recently will still be able to log in. People who haven't used the machine before, or used it a long time ago, won't have any cached passwords, so they won't be able to log in until the connection to the DC is restored.

  • There are long-term consequences to being disconnected from the DC - eventually nobody will be able to log in with a domain account, because the cached passwords will have all expired. If you are unable to reconnect to the DC, and don't have any local accounts enabled, you can end up in a situation where you need to use utilities like NTPasswd to enable the local administrator account.

The best practice for domain controllers is to have at least two of them. So much in a Windows network relies on Active Directory that you need the redundancy. For a smaller organization, it can share roles with file servers, though avoid having a domain controller share a server with things like SharePoint and Exchange (it makes restoring and upgrading them very tricky to do properly).

With two domain controllers, if one dies, you can just reinstall Windows Server, set it up as a new domain controller in an existing domain, and off you go. No downtime at all. With a single domain controller, restoring can be tricky. And while you're restoring, you have people upset that they can't do anything.

Solution 2:

Depends on the duration. Once you remove a service from the network things become unreliable but may not break. If you just want to reboot a DC then authentication/authorization should not really be interrupted. People will log in with cached credentials, boxes that are already communicating will keep doing so with their existing Kerberos tickets etc.

So people can log in to their PCs with cached accounts. They can't change passwords etc.

For a short (hours but not days) while they should all be able to access file shares not on the DC as well but eventually that will stop working.

Things should recover automatically once the DC is back up.

There is a big caveat here though. If you are using your DC for DNS as soon as it goes offline most stuff will stop working because clients won't be able to find their servers. Even things not dependent on AD rely on name resolution.

The best thing to do is build a second DC with backup DNS on it so clients can fail over. The AD part will happen automatically; the DNS part you will need to configure on the clients as a secondary DNS server, either on the client or via DHCP etc.
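Added here as an example, not from either answer above: a PowerShell check an administrator can run elevated on a domain-joined client to see how exposed it is to the failure modes both answers describe (cached logons from Solution 1, DC reachability, the single-DNS-server trap from Solution 2, and whether a local fallback account exists). It assumes the Windows default of 10 cached logons when the registry value is absent.

```powershell
# Readiness check for a domain-joined client when the DC may go offline.
# Example code added to this page; run in an elevated PowerShell session.

# 1. Cached domain logons (Solution 1: users with no cached logon cannot sign in).
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
if ($null -eq $cached) { $cached = 10 }   # assumed Windows default when the value is not set
Write-Host "Cached domain logons allowed on this client: $cached"
if ([int]$cached -eq 0) {
    Write-Warning 'Cached logons are disabled; nobody can sign in with a domain account while the DC is down.'
}

# 2. Can this machine reach a DC right now? Verifies the computer account's secure channel.
try {
    $dcReachable = Test-ComputerSecureChannel -ErrorAction Stop
} catch {
    $dcReachable = $false
}
Write-Host "Secure channel to a domain controller is healthy: $dcReachable"

# 3. DNS resilience (Solution 2: if the DC is the only DNS server, name resolution dies with it).
$dnsServers = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    Select-Object -ExpandProperty ServerAddresses -Unique
Write-Host "Configured IPv4 DNS servers: $($dnsServers -join ', ')"
if (@($dnsServers).Count -lt 2) {
    Write-Warning 'Only one DNS server is configured; add a secondary (ideally on a second DC) so clients can fail over.'
}

# 4. Local fallback (Solution 1's last point): is the built-in local Administrator (RID 500) enabled?
$builtinAdmin = Get-LocalUser | Where-Object { $_.SID.Value.EndsWith('-500') }
if (-not $builtinAdmin.Enabled) {
    Write-Warning 'Built-in local Administrator is disabled; plan an offline recovery path before the DC is lost.'
}
```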