In this SF question, I asked how to determine which DC a server was talking to. We are doing some resilience testing and need to demonstrate to the client that if a DC fails, there are additional DCs available to take the strain.
With nltest, I can determine which DC I'm talking to at any given time. But if we fail the current DC, how do we force the server to re-evaluate which other DCs it can talk to and then connect to one... such that 'nltest' will reflect the new DC?
Ideally I'd like some sort of operation I can run within the same Windows session, but thus far we have logged out and back in again. My concern with logging in/out is that cached credentials might complicate the picture.
In short, in the event of a DC failure, what is the simplest/quickest/safest way of making the server connect to a secondary DC?
Type

    set log

on the client to see which DC you logged on with. Kill that DC. Run Wireshark/Netmon while you run

    klist purge

and then

    C:\> net stop netlogon & net start netlogon

on the client.

Or just wait until the client needs something from AD. It's smart enough to try other DCs in its site if it can't contact the first one.
As an opinionated aside, it's pretty stupid of your client to ask you to demonstrate for them the advertised capability of the #1 directory service in the world, used by literally millions of people around the globe... but then again, I understand that clients sometimes ask for stupid things.
Log in with 2-3 accounts on a fresh machine. Log in as account 1, take down the current DC, log out, log in as the second account. As those accounts have no profile on the machine, it will demonstrate failover.
Actually this "failover" mechanism should happen automatically. The DNS client (whether we are talking about a server or a workstation) will ask its primary DNS server for a DC, so the mechanism is to ask the DNS server for an additional DC. You can use nltest /sc_reset to reset the Netlogon secure channel and then re-establish it.
I think the best way to prove that "failover" is to simulate a failure of the DC (for example, unplug the Ethernet cable if that is possible) and then check the Netlogon secure channel again with nltest (you should use the /force modifier in order to bypass any cached information).
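The steps from the first and third answers above (read the current DC, purge Kerberos tickets, bounce Netlogon or reset the secure channel, then re-query the DC locator with /force), as an added PowerShell example that is not part of the original question or any of the answers. It assumes an elevated session on a domain-joined server, the built-in nltest and klist tools, and a domain DNS name passed as $Domain ("contoso.com" in the usage comment is a placeholder); the function names Get-SecureChannelDC, Find-DomainController and Invoke-DcRediscovery are my own. Failing the DC itself (powering it off or unplugging it) stays a manual step taken between the "before" and "after" readings.

```powershell
# Added example: drive the DC re-discovery steps from the answers above and report
# whether the machine's secure channel moved to a different DC. Not part of the
# original post. Assumptions: elevated PowerShell on a domain member; $Domain is
# the DNS name of the machine's domain (defaults to USERDNSDOMAIN); nltest and
# klist are the built-in Windows tools, so no RSAT module is required.

function Get-SecureChannelDC {
    param([Parameter(Mandatory)][string]$Domain)
    # nltest /sc_query prints a line such as "Trusted DC Name \\DC01.contoso.com"
    foreach ($line in (nltest /sc_query:$Domain 2>&1)) {
        if ("$line" -match 'Trusted DC Name\s+\\\\(\S+)') { return $Matches[1] }
    }
    return $null   # no secure channel established, or nltest failed
}

function Find-DomainController {
    param([Parameter(Mandatory)][string]$Domain)
    # /force makes the DC locator ignore its cached answer and query DNS again;
    # the result is printed as "DC: \\DC01.contoso.com"
    foreach ($line in (nltest /dsgetdc:$Domain /force 2>&1)) {
        if ("$line" -match '^\s*DC:\s+\\\\(\S+)') { return $Matches[1] }
    }
    return $null
}

function Invoke-DcRediscovery {
    param(
        [string]$Domain = $env:USERDNSDOMAIN,
        [switch]$RestartNetlogon
    )
    $before = Get-SecureChannelDC -Domain $Domain

    # 1. Drop cached Kerberos tickets so the next ticket request must reach a live KDC.
    klist purge | Out-Null

    # 2. Either bounce the Netlogon service (first answer) or only reset the secure
    #    channel (third answer); both make Netlogon re-run the DC locator.
    if ($RestartNetlogon) {
        Restart-Service -Name Netlogon -Force
    } else {
        nltest /sc_reset:$Domain | Out-Null
    }

    # 3. Ask the locator for a DC while bypassing its cache, then re-read the channel.
    $discovered = Find-DomainController -Domain $Domain
    $after      = Get-SecureChannelDC -Domain $Domain

    [pscustomobject]@{
        Before      = $before
        Discovered  = $discovered
        After       = $after
        Changed     = ($before -ne $after)
        LogonServer = $env:LOGONSERVER   # set at logon; unchanged within the session
    }
}

# Usage: take a reading, fail the DC (power off / unplug), then take another reading.
# Invoke-DcRediscovery -Domain contoso.com
# Invoke-DcRediscovery -Domain contoso.com -RestartNetlogon
```

Two things to keep in mind when reading the output: nltest /sc_reset needs an elevated prompt, and the LOGONSERVER variable that "set log" shows is populated at logon and is not updated while the session lives, so it will still name the dead DC even after the secure channel has moved. The secure-channel reading from nltest /sc_query, and the locator result from nltest /dsgetdc /force, are the values that demonstrate the failover without logging out.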