Solved

I just added a Backup Domain Controller to my environment. How would I test it?

Posted on 2010-09-23
Last Modified: 2012-05-10
Hello Everyone;

I just promoted a member server to be backup domain controller and it seems to be working fine. I can see all the users and groups in the ADU&C on the new Backup DC.

I also made it a backup DNS server and added the server IP Address to DHCP so that all users can see the secondary DNS address when they do IPconfig.

My question is:

- How could I test the backup domain controller is actually working?
- How can I test my DNS ?
- Any additional configurations I need to check ?

Thanks
Question by:atigris
11 Comments
LVL 7

Accepted Solution

by:
JohnThePro earned 100 total points
ID: 33747045
For the most part, if you have access to the PDC (and assuming you've separated roles successfully) one quick way to test your DCs is to disable the NIC on your PDC. Then the BDC will be forced to take over. Reboot your workstation during this time, and see if you can sign in after the reboot. This will let you know whether or not it's functioning correctly.
LVL 3

Assisted Solution

by:joesinc
joesinc earned 200 total points
ID: 33747200

When you run "Active Directory Users and Computers" (ADU&C) on any computer (a workstation or a server), it loads up and then consults the Active Directory to find out the list of Domain Controllers in the domain and then connects to one of the DCs.
Just because you run ADU&C on a given server doesn't necessarily mean that you are connecting to that specific DC to read the AD information. If you have two DCs then 50% of the time you might get the other DC. (Advanced level: If you have DCs in multiple locations, and correctly configured Subnets in the Sites and Services tool, then you will get DCs local to the machine you are running ADU&C from, but I don't think that is relevant here).
You can force the DC. If you load up ADU&C, you can right click on the top entry in the tree listing on the left hand column (the top entry should be "Active Directory Users and Computers") and choose "Connect to Domain Controller". You will see a dialog box which details the DC you are currently connected to, and the opportunity to connect to a different DC. The mere presence of both of your DCs in that list is the first good sign that your DC is working OK.

Next, you can load up Active Directory Site and Services (ADS&S). Same principle applies here, the tool will query the AD for available DCs and connect to a random one of them. In ADS&S you should see a site called "Default-First-Site-Name" (unless you've renamed it, which is a completely valid thing to have done and I would recommend that you do to make everything look nice - there shouldn't be any negative consequences of changing this name in here).
Browse into the site and you should see "Servers" and under there your two server names, and under each server name "NTDS Settings". NTDS Settings detail the direction that replication will take place between your DCs. You should see at least one <automatically generated> entry for each server's NTDS settings. Right click on the <automatically generated> and choose "Replicate Now". This will force a replication of any changed data between your two DCs.
Wait a couple of minutes and have a look in Event Viewer. You will see nasty messages if there are problems with replication between your DCs.
- How can I test my DNS ?
To test your DNS, are you scared of the command prompt? The reason I ask is because the best DNS testing tool in my experience is NSLOOKUP, which is a DOS program that is already installed on all Windows machines. PING also forces a DNS query (ie if you type the following:
IPCONFIG /FLUSHDNS
PING SERVER.DOMAIN.LOCAL
at the command prompt and your computer successfully determines SERVER.DOMAIN.LOCAL's IP Address then your DNS is working (the IPCONFIG command flushes the computer's local DNS cache so that it is forced to re-query the default primary DNS server to translate the name into an IP address) (Obviously substitute a valid, internal, computername in place of SERVER.DOMAIN.LOCAL)
NSLOOKUP is a very handy tool and you should learn how it works (google it), that knowledge will stand you in good stead for managing a network.
Also, load up the DNS management console from the Administrative Tools. Make sure that you have both DNS Servers listed. Right click on one of the servers and choose Properties. Switch to the Monitoring tab and put a tick mark (check mark if you're US) in both tick boxes. Then hit Test Now. If you get a pass on both tests, that is nice. If you don't, post back here about it.
If your OLD DNS server was working just fine, and is the Primary DNS server and is always available, then you might never get client issues even if the new, secondary DNS server is faulty. But what might happen is that after the client PC's DNS caches start to expire, you start to get seemingly random problems across the network. PCs will query the secondary DNS server less often, and so things that don't work won't be consistent even on the same PC. But that is only assuming that the new DNS server does actually go wrong which is unlikely.
- Any additional configurations I need to check ?  
If you've done the above then you've already checked the Event Viewer and hopefully spotted any scary messages, use EVENTID.NET to diagnose them, or post back here.
Create a new user, or OU, or distribution list, using ADU&C (leave it running, just minimise it). Force a replication using ADS&S (we did that earlier). Bring ADU&C back up and use "Connect to a Domain Controller" to switch to the other DC. Look for your new item you just created. Judging by the size of the network you've described replication should be near enough instant so you should already be able to see the newly created item, listed on the other DC.
Joe
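An added example, not part of joesinc's answer or the original thread: the same checks he walks through in ADU&C, Sites and Services and the DNS console, scripted in PowerShell so they can be repeated after every change. It assumes RSAT on a domain-joined machine (ActiveDirectory module, Resolve-DnsName from the DnsClient module on Windows 8 / Server 2012 or later, repadmin.exe) and a Domain Admin session. No server or domain names are hard-coded; they are read from the directory. The canary account name is a placeholder.

```powershell
# Added example (not from the thread). Scripted version of the manual checks above:
# enumerate DCs, query each DC's DNS for the locator SRV records, then prove
# replication by creating a canary object on one DC and reading it from the other.
# Assumes RSAT: ActiveDirectory module, Resolve-DnsName (Windows 8 / 2012+), repadmin.exe.
Import-Module ActiveDirectory

$domain = (Get-ADDomain).DNSRoot
$dcs    = @(Get-ADDomainController -Filter *)
if ($dcs.Count -lt 2) { throw "Only $($dcs.Count) DC found; nothing to compare against." }

# 1. What the directory itself says about each DC (GC and FSMO roles matter for a DR test).
$dcs | Select-Object HostName, IPv4Address, IsGlobalCatalog, OperationMasterRoles, Site |
    Format-Table -AutoSize

# 2. DNS. Clients locate DCs through the SRV records under _msdcs, not through the
#    DC's A record, so ask *each* DC's DNS service for them and make sure every
#    DC is listed. A DC missing from its own SRV set has not registered with
#    netlogon (fix on that DC: nltest /dsregdns).
$srvNames = @("_ldap._tcp.dc._msdcs.$domain", "_kerberos._tcp.dc._msdcs.$domain", "_ldap._tcp.$domain")
foreach ($dc in $dcs) {
    foreach ($name in $srvNames) {
        try {
            $srv = Resolve-DnsName -Name $name -Type SRV -Server $dc.IPv4Address -DnsOnly -ErrorAction Stop |
                   Where-Object { $_.Type -eq 'SRV' }
            "[{0}] {1} -> {2}" -f $dc.HostName, $name, (($srv | ForEach-Object NameTarget) -join ', ')
            foreach ($other in $dcs) {
                if (-not ($srv | Where-Object { $_.NameTarget -ieq $other.HostName })) {
                    Write-Warning ("DNS on {0} does not list {1} in {2}" -f $dc.HostName, $other.HostName, $name)
                }
            }
        } catch {
            Write-Warning ("DNS on {0} failed for {1}: {2}" -f $dc.HostName, $name, $_.Exception.Message)
        }
    }
}

# 3. Replication. Write on one DC, push a sync, read back from the other.
$writeDc = $dcs[0].HostName
$readDc  = $dcs[1].HostName
$canary  = 'repltest' + (Get-Date -Format 'MMddHHmmss')   # placeholder name, <= 20 chars for sAMAccountName
New-ADUser -Name $canary -SamAccountName $canary -Enabled $false -Server $writeDc `
           -Description 'replication canary, safe to delete'

# repadmin /syncall: /A all partitions, /d show DNs, /e include other sites, /P push from this DC
repadmin /syncall $writeDc /AdeP | Out-Null

$seen = $false
for ($i = 0; $i -lt 12 -and -not $seen; $i++) {
    Start-Sleep -Seconds 5
    $seen = [bool](Get-ADUser -Filter "SamAccountName -eq '$canary'" -Server $readDc)
}
if ($seen) { "Replication OK: $canary written on $writeDc is visible on $readDc" }
else       { Write-Warning "Not on $readDc after 60 s. Inspect: repadmin /showrepl $readDc" }
Remove-ADUser -Identity $canary -Server $writeDc -Confirm:$false

# 4. Each DC's own view of inbound replication, with failure counts per partner.
repadmin /replsummary
```

Step 2 is the part the DNS console's Monitoring tab does not show you: a secondary DNS server can pass the simple and recursive query tests and still be missing the _msdcs records that a workstation needs to find the new DC when the old one is down.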
LVL 59

Assisted Solution

by:Darius Ghassem
Darius Ghassem earned 100 total points
ID: 33747861
What you would need to do is run dcdiag to check for any errors.

For you to fully test you would have to transfer fsmo roles over to the secondary DC. Make sure the secondary DC was a Global Catalog.

Then you could shutdown the old DC for a quick test
LVL 3

Assisted Solution

by:joesinc
joesinc earned 200 total points
ID: 33747874
JohnThePro: Would it be fair to say that if you do your test, the workstation could in theory carry out the authentication locally using cached credentials, and the test might give a false positive?
LVL 38

Assisted Solution

by:ChiefIT
ChiefIT earned 100 total points
ID: 33751980
I agree with dariusg:

go to the command prompt and type these two commands:

DCdiag /v
DCdiag /test:dns

That tests your DC for you using a Microsoft utility.
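Added here as an example (not ChiefIT's or the thread's code): dcdiag /v runs to pages of output per DC, and the DNS test is not part of the default battery. This PowerShell wrapper runs both against every DC the directory knows about and keeps only the pass/fail summary lines, so the result is one table. It assumes RSAT (dcdiag.exe and the ActiveDirectory module) and a Domain Admin session.

```powershell
# Added example (not from the thread): run dcdiag against every DC and reduce
# the verbose output to a pass/fail table. Assumes RSAT (dcdiag.exe,
# ActiveDirectory module) and a Domain Admin session.
Import-Module ActiveDirectory

function Get-DcDiagResult {
    param(
        [Parameter(Mandatory)][string]$DomainController,
        [string[]]$ExtraArgs = @()
    )
    # dcdiag ends each test with one summary line, e.g.
    #   ......................... DC2 passed test Replications
    #   ......................... DC2 failed test DNS
    $pattern = '^\s*\.{5,}\s+(?<target>\S+)\s+(?<result>passed|failed)\s+test\s+(?<test>\S+)'
    & dcdiag.exe /s:$DomainController @ExtraArgs 2>&1 | ForEach-Object {
        if ("$_" -match $pattern) {
            [pscustomobject]@{
                DC     = $DomainController
                Target = $Matches.target
                Test   = $Matches.test
                Result = $Matches.result
            }
        }
    }
}

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    Get-DcDiagResult -DomainController $dc.HostName                          # default battery
    Get-DcDiagResult -DomainController $dc.HostName -ExtraArgs '/test:dns'   # DNS is opt-in
}
$results | Format-Table -AutoSize

$failed = @($results | Where-Object { $_.Result -eq 'failed' })
if ($failed.Count -gt 0) {
    Write-Warning ("{0} test(s) failed; rerun dcdiag /v /s:<dc> /test:<name> on the affected DC for detail" -f $failed.Count)
}
```

A clean table from both DCs is a stronger result than a clean run from the console you happen to be sitting at, because dcdiag without /s: only examines the local machine.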
LVL 2

Author Closing Comment

by:atigris
ID: 33850564
Did all of the above mentioned tests and it was successful, I just forgot to add the secondary server to the DHCP (DNS) list.
LVL 7

Expert Comment

by:JohnThePro
ID: 33851997
Joe,

I don't think so. That's why I asked him to reboot his workstation and to try a sign-in again. The reboot will wipe the Kerberos token, and force the user to reauthenticate.
LVL 2

Author Comment

by:atigris
ID: 33852267
What I actually have done is created a new account (test account) before shutting down the DC, waited for the replication to complete, then turned off the DC and kept the secondary DC on.

Then I logged in to a workstation on the network (never logged on it before, so no cached credentials).
It worked without restarting the PC.

I also did ipconfig /flushdns and ipconfig /registerdns

I got IP from the secondary DHCP pool and the DNS was from the secondary server

I was able to ping Google by name and IP, and I was able to ping local workstations and servers by name and IP.

I guess this was a live DR test. Thanks everyone.
LVL 7

Expert Comment

by:JohnThePro
ID: 33852641
Great job. Glad you got it.
LVL 3

Expert Comment

by:joesinc
ID: 33852700
John,
Just a quickie because if you're right then my understanding of cached credentials is wrong and I'm always keen to learn. This is from http://support.microsoft.com/kb/913485
Access to machine resources when a domain controller is unavailable
After a successful domain logon, a form of the logon information is cached. Later, a user can log on to the computer by using the domain account, even if the domain controller that authenticated the user is unavailable. Because the user has already been authenticated, Windows uses the cached credentials to log the user on locally. For example, suppose a mobile user uses a domain account to log on to a laptop that is joined to a domain. Then, the user takes the laptop to a location where the domain is unavailable. In this scenario, Windows uses the cached credentials from the last logon to log the user on locally and to allocate access to local computer resources.
The 'reboot and login again' method could produce a false positive, couldn't it? I mean if all you do is login. Cached credentials is intended to smooth out the login process and would allow the user to reach the desktop and use local resources. However if you go further, and actively browse network shares or something along those lines then I guess the cached credentials login would be queried against the DC and that is the point at which it would show up if the backup DC was doing its job properly?
It's a subtle point but an important one, yes?
Joe
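To make the distinction joesinc raises testable rather than a matter of opinion, here is an added example (not part of the thread) to run on the test workstation after the logon. It relies on two facts about Windows logons: %LOGONSERVER% names the DC that authenticated the session and is set to the workstation's own name when the logon came from the cache, and a cached logon holds no Kerberos TGT. The last step removes the ambiguity entirely for the DR test by turning cached logons off on that one machine. Nothing is hard-coded; domain and DC names come from the environment.

```powershell
# Added example (not from the thread): decide whether the logon you are sitting at
# was authenticated by a DC or satisfied from the local credential cache, then
# remove the ambiguity for the DR test. Run elevated on the test workstation.
# Nothing is hard-coded; domain and DC names come from the environment.

# 1. LOGONSERVER names the DC that authenticated the session. For a cached-
#    credential logon Windows sets it to the workstation's own name instead.
$logonServer = $env:LOGONSERVER.TrimStart('\')
if ($logonServer -ieq $env:COMPUTERNAME) {
    Write-Warning 'Cached-credential logon: no domain controller authenticated this session.'
} else {
    "Session authenticated by DC: $logonServer"
}

# 2. A logon that reached a DC holds a Kerberos TGT (krbtgt/<REALM>); a cached logon
#    holds no tickets at all until something on the network is touched.
$hasTgt = [bool](klist.exe tickets 2>&1 | Select-String -SimpleMatch 'krbtgt/')
if ($hasTgt) { 'TGT present; Kerberos authentication against a DC succeeded.' }
else         { Write-Warning 'No TGT in the cache; no DC was contacted for this logon.' }

# 3. Which DC the locator picks right now (this does not prove it handled the logon).
nltest.exe /dsgetdc:$env:USERDNSDOMAIN

# 4. Force a real round trip: reading SYSVOL needs a cifs/<dc> service ticket,
#    which only a reachable DC can issue. This is the "browse a share" test.
Get-ChildItem "\\$env:USERDNSDOMAIN\SYSVOL" -ErrorAction SilentlyContinue | Out-Null
klist.exe tickets | Select-String -SimpleMatch 'Server:'

# 5. For the duration of the DR test only: CachedLogonsCount (REG_SZ, default "10")
#    set to "0" means a logon with the primary DC offline can only succeed
#    if the backup DC answers. Restore the old value afterwards.
$key    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$before = (Get-ItemProperty -Path $key).CachedLogonsCount
Set-ItemProperty -Path $key -Name CachedLogonsCount -Value '0' -Type String
"CachedLogonsCount: $before -> 0. Restore with: Set-ItemProperty '$key' -Name CachedLogonsCount -Value '$before'"
```

Step 4 is the check that catches the false positive: a session that reached the desktop on cached credentials will either fail to open SYSVOL or, once a DC is reachable again, will show which DC issued the service ticket, so you can see whether it was the backup DC doing the work.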
LVL 7

Expert Comment

by:JohnThePro
ID: 33854813
Joe,

You're absolutely correct and I feel like I may have some brushing up to do. The problem may not have made itself known until he tried to explore other network resources.