Currently, if the administrator mistakenly calls "-transitionToActive" on one NN while the other one is still active, both NNs end up active at the same time (split brain). We can add a simple check: before becoming active, the NN makes a getServiceState() RPC to its peer with a short (~1 second?) timeout. If the RPC succeeds and indicates that the peer is active, the NN should refuse to enter active mode. If the RPC fails (including timing out) or indicates standby, it can proceed.
This is only meant as a preventative safety check; we still expect users to use the "-failover" command, which has other checks plus fencing built in.
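
A rough sketch of the proposed check follows, to make the decision rule concrete. It is not taken from the Hadoop code base: the class ActiveTransitionGuard, the ServiceState enum, and the mayBecomeActive method are hypothetical names, and the peer's getServiceState() RPC is stood in for by a plain Callable. Refusing the transition when the calling thread is interrupted is also an assumption of this sketch, not something the proposal specifies.

```java
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;

/** Hypothetical helper illustrating the pre-transition safety check. */
final class ActiveTransitionGuard {

    /** Hypothetical stand-in for the state reported by the peer NN. */
    public enum ServiceState { ACTIVE, STANDBY }

    /**
     * Returns true if this NN may enter active mode.
     *
     * @param peerStateRpc stand-in for the getServiceState() RPC to the peer
     * @param timeoutMs    how long to wait for the peer (about 1000 ms in the proposal)
     */
    public static boolean mayBecomeActive(Callable<ServiceState> peerStateRpc,
                                          long timeoutMs) {
        // Run the call on a daemon thread so a hung peer cannot block JVM exit.
        ExecutorService executor = Executors.newSingleThreadExecutor(r -> {
            Thread t = new Thread(r, "peer-state-check");
            t.setDaemon(true);
            return t;
        });
        Future<ServiceState> reply = executor.submit(peerStateRpc);
        try {
            // RPC succeeded: refuse only if the peer reports that it is active.
            return reply.get(timeoutMs, TimeUnit.MILLISECONDS) != ServiceState.ACTIVE;
        } catch (TimeoutException | ExecutionException e) {
            // RPC timed out or failed: the proposal says the NN can proceed.
            return true;
        } catch (InterruptedException e) {
            // Assumption of this sketch: be conservative and refuse.
            Thread.currentThread().interrupt();
            return false;
        } finally {
            reply.cancel(true);
            executor.shutdownNow();
        }
    }
}
```

Note that an unreachable peer is treated as "safe to proceed", which is why this can only be a sanity check and not a substitute for fencing.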