I just added a Backup Domain Controller to my environment; how would I test it?

Hello Everyone;

I just promoted a member server to be a backup domain controller and it seems to be working fine. I can see all the users and groups in ADU&C on the new backup DC.

I also made it a backup DNS server and added the server IP Address to DHCP so that all users can see the secondary DNS address when they do IPconfig.

My question is:

- How could I test the backup domain controller is actually working?
- How can I test my DNS?
- Any additional configurations I need to check?

John JenningsOwnerCommented:
For the most part, if you have access to the PDC (and assuming you've separated roles successfully) one quick way to test your DCs is to disable the NIC on your PDC. Then the BDC will be forced to take over. Reboot your workstation during this time, and see if you can sign in after the reboot. This will let you know whether or not it's functioning correctly.

When you run "Active Directory Users and Computers" (ADU&C) on any computer (a workstation or a server), it loads up and then consults the Active Directory to find out the list of Domain Controllers in the domain and then connects to one of the DCs.
Just because you run ADU&C on a given server doesn't necessarily mean that you are connecting to that specific DC to read the AD information. If you have two DCs then 50% of the time you might get the other DC. (Advanced level: if you have DCs in multiple locations, and correctly configured Subnets in the Sites and Services tool, then you will get DCs local to the machine you are running ADU&C from, but I don't think that is relevant here.)
You can force the DC. If you load up ADU&C, you can right click on the top entry in the tree listing on the left hand column (the top entry should be "Active Directory Users and Computers") and choose "Connect to Domain Controller". You will see a dialog box which details the DC you are currently connected to, and the opportunity to connect to a different DC. The mere presence of both of your DCs in that list is the first good sign that your DC is working OK.

Next, you can load up Active Directory Site and Services (ADS&S). Same principle applies here, the tool will query the AD for available DCs and connect to a random one of them. In ADS&S you should see a site called "Default-First-Site-Name" (unless you've renamed it, which is a completely valid thing to have done and I would recommend that you do to make everything look nice - there shouldn't be any negative consequences of changing this name in here).
Browse into the site and you should see "Servers" and under there your two server names, and under each server name "NTDS Settings". NTDS Settings detail the direction that replication will take place between your DCs. You should see at least one <automatically generated> entry for each server's NTDS settings. Right click on the <automatically generated> and choose "Replicate Now". This will force a replication of any changed data between your two DCs.
Wait a couple of minutes and have a look in Event Viewer. You will see nasty messages if there are problems with replication between your DCs.
- How can I test my DNS?
To test your DNS, are you scared of the command prompt? The reason I ask is because the best DNS testing tool in my experience is NSLOOKUP, which is a DOS program that is already installed on all Windows machines. PING also forces a DNS query (i.e. if you type the following:
at the command prompt and your computer successfully determines SERVER.DOMAIN.LOCAL's IP address, then your DNS is working; the IPCONFIG command flushes the computer's local DNS cache so that it is forced to re-query the default primary DNS server to translate the name into an IP address). (Obviously substitute a valid, internal computer name in place of SERVER.DOMAIN.LOCAL.)
NSLOOKUP is a very handy tool and you should learn how it works (google it), that knowledge will stand you in good stead for managing a network.
Also, load up the DNS management console from the Administrative Tools. Make sure that you have both DNS Servers listed. Right click on one of the servers and choose Properties. Switch to the Monitoring tab and put a tick mark (check mark if you're US) in both tick boxes. Then hit Test Now. If you get a pass on both tests, that is nice. If you don't, post back here about it.
If your OLD DNS server was working just fine, and is the Primary DNS server and is always available, then you might never get client issues even if the new, secondary DNS server is faulty. But what might happen is that after the client PCs' DNS caches start to expire, you start to get seemingly random problems across the network. PCs will query the secondary DNS server less often, and so things that don't work won't be consistent even on the same PC. But that is only assuming that the new DNS server does actually go wrong, which is unlikely.
- Any additional configurations I need to check?
If you've done the above then you've already checked the Event Viewer and hopefully spotted any scary messages; use EVENTID.NET to diagnose them, or post back here.
Create a new user, or OU, or distribution list, using ADU&C (leave it running, just minimise it). Force a replication using ADS&S (we did that earlier). Bring ADU&C back up and use "Connect to Domain Controller" to switch to the other DC. Look for the new item you just created. Judging by the size of the network you've described, replication should be near enough instant so you should already be able to see the newly created item listed on the other DC.
Darius GhassemCommented:
What you would need to do is run dcdiag to check for any errors.

For you to fully test you would have to transfer fsmo roles over to the secondary DC. Make sure the secondary DC was a Global Catalog.

Then you could shut down the old DC for a quick test.

JohnThePro: Would it be fair to say that if you do your test, the workstation could in theory carry out the authentication locally using cached credentials, and the test might give a false positive?
I agree with dariusg:

go to the command prompt and type these two commands:

DCdiag /v
DCdiag /test:dns

That tests your DC for you using a Microsoft utility.
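The checks described in the long answer above (both DCs advertised in DNS, a forced replication, and creating an object on one DC then reading it back from the other) together with the repadmin/dcdiag style of checking from this comment, as an added PowerShell example that is not part of any of the original answers. It assumes a domain-joined machine with RSAT (the ActiveDirectory module, repadmin and nltest) and uses `domain.local` as a placeholder domain name; it also reads the DNS server list from the client's own adapter configuration so the same script checks whichever DNS servers DHCP handed out.

```powershell
# Added example, not from the original answers. Run from a domain-joined machine
# with RSAT (AD PowerShell module, repadmin, nltest). $Domain is a placeholder.
$Domain = 'domain.local'   # placeholder: replace with your AD DNS domain name

# 1. Each DNS server this client uses must advertise the LDAP SRV records of
#    BOTH DCs; a DC missing here will never be found by the domain locator.
$dnsServers = (Get-DnsClientServerAddress -AddressFamily IPv4).ServerAddresses |
    Select-Object -Unique
foreach ($srv in $dnsServers) {
    $targets = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $srv |
        Where-Object { $_.Type -eq 'SRV' } | ForEach-Object { $_.NameTarget } | Sort-Object -Unique
    "DNS server $srv advertises DCs: $($targets -join ', ')"
}

# 2. Which DC does this machine actually pick right now? (/force bypasses the cache)
nltest "/dsgetdc:$Domain" /force

# 3. Replication health summary for all DCs (failures show as non-zero counts).
repadmin /replsummary

# 4. The write-then-read test from the answer above, done against named DCs so
#    the tool cannot silently connect to the same DC twice.
$dcs = @((Get-ADDomainController -Filter *).HostName | Sort-Object)
if ($dcs.Count -lt 2) { throw "Only one DC registered in AD: $dcs" }
$name = "dctest-$(Get-Date -Format yyyyMMddHHmmss)"   # constructed, throwaway object
New-ADUser -Name $name -Enabled $false -Path (Get-ADDomain).UsersContainer -Server $dcs[0]
repadmin /syncall $dcs[0] /AdeP | Out-Null              # push the change to every DC
$found = Get-ADUser -Filter "Name -eq '$name'" -Server $dcs[1]
if ($found) { "Replicated OK: $name created on $($dcs[0]) is visible on $($dcs[1])" }
else        { Write-Warning "$name did NOT replicate to $($dcs[1]); check Event Viewer" }
Remove-ADUser -Identity $name -Server $dcs[0] -Confirm:$false   # clean up the test object
```

Step 1 is the one that catches the situation described in the original post, where the new server is answering queries but has not yet been added to the clients' DNS server list.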
atigrisAuthor Commented:
Did all of the above mentioned tests and they were successful. I just forgot to add the secondary server to the DHCP (DNS) list.
John JenningsOwnerCommented:

I don't think so. That's why I asked him to reboot his workstation and to try a sign-in again. The reboot will wipe the Kerberos token, and force the user to reauthenticate.
atigrisAuthor Commented:
What I actually have done is created a new account (test account) before shutting down the DC, waited for the replication to complete, then turned off the DC and kept the secondary DC on.

Then I logged in to a workstation on the network (never logged on to it before, so no cached credentials) and it worked without restarting the PC.

I also did ipconfig /flushdns and ipconfig /registerdns.

I got an IP from the secondary DHCP pool and the DNS was from the secondary server.

I was able to ping Google by name and IP, and I was able to ping local workstations and servers by name and IP.

I guess this was a live DR test. Thanks everyone.
John JenningsOwnerCommented:
Great job. Glad you got it.
Just a quickie, because if you're right then my understanding of cached credentials is wrong and I'm always keen to learn. This is from http://support.microsoft.com/kb/913485:
Access to machine resources when a domain controller is unavailable
After a successful domain logon, a form of the logon information is cached. Later, a user can log on to the computer by using the domain account, even if the domain controller that authenticated the user is unavailable. Because the user has already been authenticated, Windows uses the cached credentials to log the user on locally. For example, suppose a mobile user uses a domain account to log on to a laptop that is joined to a domain. Then, the user takes the laptop to a location where the domain is unavailable. In this scenario, Windows uses the cached credentials from the last logon to log the user on locally and to allocate access to local computer resources.
The 'reboot and login again' method could produce a false positive, couldn't it? I mean if all you do is log in. Cached credentials are intended to smooth out the login process and would allow the user to reach the desktop and use local resources. However, if you go further and actively browse network shares or something along those lines, then I guess the cached credentials login would be queried against the DC, and that is the point at which it would show up whether the backup DC was doing its job properly?
It's a subtle point but an important one, yes?
John JenningsOwnerCommented:

You're absolutely correct and I feel like I may have some brushing up to do. The problem may not have made itself known until he tried to explore other network resources.
Windows Server 2003