UCS AD Conncetor and Windows 2012 Domain

Do I need to also have Active Directory-compatible Domain Controller installed as well? As currently it is NOT installed only Active Directory Connection is installed.

No, you do not need the Active Directory Domain Controller. The step-by-step instructions I sent are verified in a lab-environment so there must be something in your environment, that is causing the fails. Maybe the network environment? Configuration of the Windows Server, that activly hinders the connection?

Further:

Maybe a routing issue?

I am really sorry, but can it not be that you use an Administrator that is either not allowed to do the join/connect? Or that the password has a typo or the likes? I mean: If the system at the point “Give User/Password” tells you the typed in user/passwort is wrong.

Ok it does look like a possible routing issue…

Going from the UCS to the Windows AD Server:
From MTA 5 to MTA 1

root@bebucsmtasvrp5:~# traceroute bebw12mtasvrp1.bebconsultingservices.com
traceroute to bebw12mtasvrp1.bebconsultingservices.com (104.153.46.198), 30 hops max, 60 byte packets
1 64.111.20.201 (64.111.20.201) 0.643 ms 0.635 ms 0.845 ms
2 vs201.cor1.cos1.vis.data102.com (64.111.16.192) 0.592 ms 0.606 ms 0.608 m s
3 g0-1.edge3.cos1.vis.data102.com (64.111.16.219) 1.279 ms 1.280 ms 1.280 m s
4 gi0-0-0-0.rcr11.cos01.atlas.cogentco.com (38.101.50.117) 1.273 ms 1.526 ms 1.527 ms
5 te0-7-0-8.ccr22.den01.atlas.cogentco.com (154.54.40.18) 3.221 ms 3.233 ms 3.229 ms
6 be3036.ccr22.mci01.atlas.cogentco.com (154.54.31.90) 14.634 ms 14.676 ms 14.681 ms
7 be2832.ccr42.ord01.atlas.cogentco.com (154.54.44.170) 26.438 ms 26.450 ms 26.447 ms
8 be2718.ccr22.cle04.atlas.cogentco.com (154.54.7.130) 33.332 ms 33.226 ms 33.505 ms
9 be2890.ccr42.jfk02.atlas.cogentco.com (154.54.82.246) 45.027 ms 45.441 ms 45.441 ms
10 be2855.ccr22.jfk04.atlas.cogentco.com (154.54.7.6) 45.415 ms 45.428 ms 45.926 ms
11 38.88.134.18 (38.88.134.18) 46.228 ms 46.777 ms 46.788 ms
12 * * *
13 * * *
14 * * *
15 * * *
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *
root@bebucsmtasvrp5:~#

Going from the Windows AD Server to UCS…

From MTA 1 to MTA 5

Tracing route to bebucsmtasvrp5.bebconsultingservices.com [64.111.20.203]
over a maximum of 30 hops:

1 <1 ms <1 ms <1 ms 199.231.92.1
2 1 ms 1 ms 1 ms 38.88.134.17
3 1 ms 1 ms 2 ms be2855.ccr42.jfk02.atlas.cogentco.com [154.54.7.5]
4 13 ms 13 ms 13 ms be2890.ccr22.cle04.atlas.cogentco.com [154.54.82.245]
5 21 ms 21 ms 21 ms be2718.ccr42.ord01.atlas.cogentco.com [154.54.7.129]
6 33 ms 33 ms 33 ms be2832.ccr22.mci01.atlas.cogentco.com [154.54.44.169]
7 44 ms 44 ms 44 ms be3036.ccr22.den01.atlas.cogentco.com [154.54.31.89]
8 46 ms 46 ms 46 ms te0-0-2-2.rcr11.cos01.atlas.cogentco.com [154.54.40.17]
9 46 ms 46 ms 58 ms Optimum_Network_Services.demarc.cogentco.com [38.101.50.118]
10 46 ms 46 ms 46 ms g7-10.core1.cos1.vis.data102.com [64.111.16.218]
11 46 ms 46 ms 46 ms vs201.dist3.cos1.vis.data102.com [64.111.16.193]
12 46 ms 48 ms 46 ms 64.111.20.203

Trace complete.

So I think I will open a case with the ISP/Co-Location for UCS.

Thanks…I will update again if we have more issues…or something else.

The password has been reset twice to a very simple password. It is so simple there is no way it could be type wrong. We even disabled password complexity.

We changed the password to “Icantgetin” (it is no longer that password…LOL) and it still FAILS.

I think it might be something with routing as the trace routes don’t look right from UCS to Windows, but Windows to UCS is OK.

Well we have had ISPs at both ends check the routing, that is GOOD.

We also opened ALL AD required firewall ports in Windows Firewall

DNS resolves correctly.

There is no firewall at the ISP ends blocking traffic.

The password for Administrator has been reset multiple times. Plus has been simplified.

We have other servers join the AD Domain without issues. This is the ONLY server that seems to have this problem.

Could it be the way the password/user is encrypted on the UCS side and sent to the AD side, in a way the AD side does not understand? As the password is TYPED correctly, we even cut and pasted it to prevent typos.

I am not sure if the Free Core Edition has formal support with Univention or not but this is starting to look like some sort of bug somewhere. There is nothing on the AD side that should be blocking this, other than the password being hashed in a way that is incompatible with Windows 2012 AD.

[quote=“BrianBonnell”]
I am not sure if the Free Core Edition has formal support with Univention or not but this is starting to look like some sort of bug somewhere. There is nothing on the AD side that should be blocking this, other than the password being hashed in a way that is incompatible with Windows 2012 AD.[/quote]

If the password send from the UCS to the windows server is hashed in a way, that the Windows Server does not understand, shouldn’t I encounter the problem in my testing environment too and other customers also? Can you set up a lab, where you setup a UCS and a Windows Server with the same names, etc. in the same address range (and additionally a different range including routing) and try it for yourself in a controlled environment?

We have created a lab.

Same as our production setup, we used the NEW (fresh download) install media (ISO) for both the Windows 2012 and Univention Corporate Server 4.1.4. The only change is in the LAB there is NO routing as it is all on the same subnet (192.168.100.0/24)

We get the exact same errors when we attempt to make a connection to the AD server from UCS using AD Connector.

We are going to try one thing in the lab that was not done in production:

Our Windows System engineer, suggests we try RAISING the FOREST/DOMAIN Level to Windows 2008. It is currently running in the LAB and PROD as Windows 2003 Forest/Domain level.

He recalls that Microsoft has stopped all support for Windows 2003 this might also include supporting the Forest/Domain level of Windows 2003, he is wondering if it is possibly that UCS is using a method that is actually compatible more with Windows 2008 for the AD Connection than it is compatible with Windows 2003 (As Univention developers might have anticipated the removal of support for Windows 2003) OR that a Microsoft has released a patch that has been applied to our Windows 2008/2012 Servers has altered the SSL encryption tokens/hash scheme and has removed the SSL encryption support for Windows 2003 there by causing the user password to FAIL because the Univention system is using Windows 2008 SSL tokens/hashing and the AD servers is set to use Windows 2003 SSL tokens/hashing to make AD Connections. Which would explain why the Windows to Windows server ADDs to the DOMAIN work just fine, but the UCS to Windows server ADDs to the DOMAIN all fail.

Not sure if this is possible but we will try it in our lab and see what happens.

Raising the domain/forest level had no impact in the lab. We have tried using our Primary AD Server and our Secondary AD Server in the Active Directory Connection wizard. Both by FQDN and by IP. With no success with either one. We have opened all AD required firewall ports and added UCS Domain Master ports to be open on the Windows Firewalls, we have checked for any routing issues and those have been corrected, still no success.

This worked prior to rebuilding UCS under 4.1-4.

The only error we are getting in this whole thing is in the log file /var/log/univention/management-console-module-adconnector.log and the entry is:

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> @104.153.46.198
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 37147
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;. IN NS

;; Query time: 112 msec
;; SERVER: 104.153.46.198#53(104.153.46.198)
;; WHEN: Thu Dec 1 13:39:07 2016
;; MSG SIZE rcvd: 17

01.12.16 13:39:07.277 MODULE ( PROCESS ) : stderr:
01.12.16 13:39:07.370 MODULE ( PROCESS ) : AD Info: {‘Domain’: ‘bebconsultingservices.com’, ‘LDAP Base’: ‘DC=bebconsultingservices,DC=com’, ‘Forest’: ‘bebconsultingservices.com’, ‘Client Site’: ‘Default-First-Site-Name’, ‘DC Netbios Name’: ‘BEBW12MTASVRP1’, ‘DC DNS Name’: ‘BEBW12MTASVRP1.bebconsultingservices.com’, ‘Netbios Domain’: ‘BEBCONSULTING’, ‘DC IP’: ‘104.153.46.198’, ‘Server Site’: ‘Default-First-Site-Name’}
01.12.16 13:39:07.479 MODULE ( WARN ) : Failure:
01.12.16 13:39:07.479 MODULE ( PROCESS ) : The command has failed: Could not connect to AD Server BEBW12MTASVRP1.bebconsultingservices.com. Please verify that username and password are correct.
01.12.16 13:49:07.144 MAIN ( WARN ) : Shutting down all open connections
01.12.16 13:49:40.521 DEBUG_INIT
01.12.16 13:50:15.946 MODULE ( PROCESS ) : Lookup ADDS DC
01.12.16 13:50:16.005 MODULE ( PROCESS ) : running [‘dig’, '@104.153.46.198’]
01.12.16 13:50:16.140 MODULE ( PROCESS ) : stdout:
; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> @104.153.46.198
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 10904
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;. IN NS

;; Query time: 112 msec
;; SERVER: 104.153.46.198#53(104.153.46.198)
;; WHEN: Thu Dec 1 13:50:16 2016
;; MSG SIZE rcvd: 17

01.12.16 13:50:16.140 MODULE ( PROCESS ) : stderr:
01.12.16 13:50:16.236 MODULE ( PROCESS ) : AD Info: {‘Domain’: ‘bebconsultingservices.com’, ‘LDAP Base’: ‘DC=bebconsultingservices,DC=com’, ‘Forest’: ‘bebconsultingservices.com’, ‘Client Site’: ‘Default-First-Site-Name’, ‘DC Netbios Name’: ‘BEBW12MTASVRP1’, ‘DC DNS Name’: ‘BEBW12MTASVRP1.bebconsultingservices.com’, ‘Netbios Domain’: ‘BEBCONSULTING’, ‘DC IP’: ‘104.153.46.198’, ‘Server Site’: ‘Default-First-Site-Name’}
01.12.16 13:50:16.344 MODULE ( WARN ) : Failure:
01.12.16 13:50:16.344 MODULE ( PROCESS ) : The command has failed: Could not connect to AD Server BEBW12MTASVRP1.bebconsultingservices.com. Please verify that username and password are correct.
01.12.16 14:00:16.316 MAIN ( WARN ) : Shutting down all open connections

These logs are empty…
ad-connector-certificate.log
connector.log

The log file connector-status.log has this…

root@bebucsmtasvrp5:/var/log/univention# cat connector-status.log
Thu Dec 1 13:10:36 2016
connector/ad/ldap/host not set

We have tried several different passwords for Administrator on the Windows Side. All with the same error. We REALLY need to get this working. To provide UCS Resources to Windows Users and Windows Resources to UCS Users.

I am pushing to get formal Univention Support Subscription purchased, but that will take several weeks to get approved.

01.12.16 13:39:07.277 MODULE ( PROCESS ) : stderr: 01.12.16 13:39:07.370 MODULE ( PROCESS ) : AD Info: {'Domain': 'bebconsultingservices.com', 'LDAP Base': 'DC=bebconsultingservices,DC=com', 'Forest': 'bebconsultingservices.com', 'Client Site': 'Default-First-Site-Name', 'DC Netbios Name': 'BEBW12MTASVRP1', 'DC DNS Name': 'BEBW12MTASVRP1.bebconsultingservices.com', 'Netbios Domain': 'BEBCONSULTING', 'DC IP': '104.153.46.198', 'Server Site': 'Default-First-Site-Name'} 01.12.16 13:39:07.479 MODULE ( WARN ) : Failure: 01.12.16 13:39:07.479 MODULE ( PROCESS ) : The command has failed: Could not connect to AD Server BEBW12MTASVRP1.bebconsultingservices.com. Please verify that username and password are correct. 01.12.16 13:49:07.144 MAIN ( WARN ) : Shutting down all open connections 01.12.16 13:49:40.521 DEBUG_INIT 01.12.16 13:50:15.946 MODULE ( PROCESS ) : Lookup ADDS DC 01.12.16 13:50:16.005 MODULE ( PROCESS ) : running ['dig', ['@104.153.46.198](mailto:'@104.153.46.198)'] 01.12.16 13:50:16.140 MODULE ( PROCESS ) : stdout: ; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> @104.153.46.198 ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 10904 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

The UCS cannot reach the AD - the answer (incorrect username/password may be misleading if the server is not reached at all) is rather clear. I do not understand, why a UCS would not reach the DC if the IP Config is okay (i.e. for a lab-env in the same subnet) and there are no additional network routing, etc. between them. Since I cannot reproduce the error in any way I am sure there must be something we still do not know about your environment, that hinders the connection. That has to be present at the lab too.

Well I guess I will have to wait and see if I get formal support subscription approved. I’m not sure how I could provide environment infomation. It pretty much as been provided in this thread.

Its pretty basic…
We have two windows servers in Co-Location A, the UCS Server in Co-Location B. There are no physical firewalls on these servers on their internet connections. No ports are being blocked. Windows Firewall has all AD ports and UCS Domain ports opened on both our Primary Windows AD and Secondary Windows AD. Both Windows ADs provide DNS services. Other Windows Systems have NO issues finding and joining the Windows Domain.

This was working under 4.0.x and 4.1-3. We had to rebuild it so we rebuilt it to the latest version 4.1.4 and ever since AD Connector has not worked.

We did the same setup in our lab. Only difference is there is NO CO-LOCATION for the lab.

Not sure what else I could provide.

[quote=“BrianBonnell”]
This was working under 4.0.x and 4.1-3. We had to rebuild it so we rebuilt it to the latest version 4.1.4 and ever since AD Connector has not worked.
[…]
Not sure what else I could provide.[/quote]

mostly, the difference between your lab and mine. As I said, it is working fine with my repeated installations of UCS and Windows Server in the versions you used and with the domain and servernames you have active (see above - I told of the the process earlier in detail). What do you mean by “rebuild”? I use a stock UCS and a stock Windows in the same physical space to cross out routing issues. Did you managed to fix the traceroute problem from the UCS?

The UCS cannot reach the Windows Server even if the Windowsserver is newly installed and the process of the AD-Join of the UCS happens within the installationroutine of the UCS, that problem has to be fixed first. Maybe hardware issues with the network of the UCS? More then one networkcard in the UCS and only one with an IP? Switchport dekativated, Networkcable defect, etc.?

Did you try another UCS 4.0 or 4.1-3 installation in the lab to verify that this works in this environment?

What do you mean by “rebuild”?

By rebuild I mean wipe the drives clean. Do a FRESH install of the Univention Corporate or Microsoft Windows 2012 R2 Standard OS.

Did you managed to fix the traceroute problem from the UCS?
After investigation by our co-location providers at both ends, it was discovered that there WAS no routing issues, the output for TRACEROUTE was NORMAL for both those providers.

Maybe hardware issues with the network of the UCS?
We have swapped hardware twice with known good hardware…same problem still results.

Did you try another UCS 4.0 or 4.1-3 installation in the lab to verify that this works in this environment?
4.0 and 4.1.3 do work in the lab. Out of pure curiosity we did an upgrade on the lab system to 4.1.4. and NOW AD Connector is now broke with the exact same errors.

So based on this SOMETHING with upgrading to 4.1.4 breaks AD Connector and a straight up 4.1.4 install does not work period with AD Connector.

With the install of 4.1.0 which also works for AD Connector, when joining to the AD we did not get this screen in the 4.1.4 install.


We are giving up on this at this time. We will rebuild again as 4.1.4 (We need to be the most current for security compliance.) so we will rebuild as a separate domain, with separate user logins and run Active Directory Compatible Controller as it’s own domain, with a subdomain in our DNS. We still still proceed with purchasing support as well. We just will run as two separate domains.

[quote=“BrianBonnell”]With the install of 4.1.0 which also works for AD Connector, when joining to the AD we did not get this screen in the 4.1.4 install.

[attachment=0]Missing Screen.jpg[/attachment][/quote]

This is kinda important: this screen tells you basically that another UCS master is already present in the network. Normally a fresh UCS joined in a windows AD will join as master - you do not get to choose a role. If you think you install the first UCS to the AD and you get this screen, there is an old master present in the AD somewhere. The AD has to be scrubbed then. I had another case in the forums regarding that, the most likely place is in this thread.

I am sorry you are giving up on the membermode but I think a Samba4 domain as you plan it will work too.

There has never been a UCS Master in the Production AD Domain, we have NEVER been able to get it to JOIN due to the previous forum replies. We have checked the production/development (lab) domains. There is NO other UCS Masters. In the lab we always do a FRESH install so it wipes out the AD and UCS domains each time we rebuild the lab. In production there is no UCS Master, as it NEVER joined the domain. We only have a Primary and Secondary Windows Active Directory Servers.

Since we cannot seem to get UCS AD Connector to work. We have built it as it’s OWN separate DOMAIN (FQDN:ucs.bebconsultingservices.com/NETBIOS:UCS) with separate user logins and passwords. Our end users will just have to maintain two accounts one for Windows Resources, and one for UCS Resources. As we could not wait for getting Official UCS Support (still waiting on Support Purchase approval on our end) and then open a case to see if UCS Support could fix the issue as we needed to get some production UCS applications ON-LINE for our end users. Once we get official UCS support, we can take another run at this issue in the LAB and work from there. Until then we will just have to have this configuration as a work around.

[quote=“BrianBonnell”]There has never been a UCS Master in the Production AD Domain, we have NEVER been able to get it to JOIN due to the previous forum replies. We have checked the production/development (lab) domains. There is NO other UCS Masters. In the lab we always do a FRESH install so it wipes out the AD and UCS domains each time we rebuild the lab. In production there is no UCS Master, as it NEVER joined the domain. We only have a Primary and Secondary Windows Active Directory Servers.
[/quote]

That is the point I mean with “There has to be something I do not know about your environment”. You say, there can not be another UCS Server (with many a capital word), but the UCS gets the information, that there is another server. Either we talk about different things when talking about “wiping” or the UCS tries to join another server or it can reach another net, or, or, or. To get to a conclusion, we would need to take a step back and have a look at the configuration of the lab and the servers therein I think.

One other thing: in the DNS there is a setting for “domaincontroller_master” - you can check if there is an entry for a server (that is one place, where the UCS sets himself up in the AD DCs).

[quote=“BrianBonnell”]
Since we cannot seem to get UCS AD Connector to work. We have built it as it’s OWN separate DOMAIN (FQDN:ucs.bebconsultingservices.com/NETBIOS:UCS) with separate user logins and passwords. Our end users will just have to maintain two accounts one for Windows Resources, and one for UCS Resources. As we could not wait for getting Official UCS Support (still waiting on Support Purchase approval on our end) and then open a case to see if UCS Support could fix the issue as we needed to get some production UCS applications ON-LINE for our end users.[/quote]

You can use the AD-Connector in Sync Mode (to sync userdata, etc.): https://docs.software-univention.de/manual-4.1.html#ad-connector:ad-connector-einrichtung Maybe that can help in your current situation.

[quote=“BrianBonnell”]
Once we get official UCS support, we can take another run at this issue in the LAB and work from there. Until then we will just have to have this configuration as a work around.[/quote]

We will need to have a closer look at the lab, etc. either way.

Hi Thorp-Hansen,

Hopefully I am not hijacking other members post but I think I am facing similar problem like BrianBonnell

Please check below link for details

Regards,
Nitin

I am unsure if we can compare these cases, since you seem to have created something like a forest structure and you seem to have general issues with DNS. Mr Bonnel has a seemingly working networkinfrastructur (from what I could gather) and DNS and the UCS cannot connect to the AD even if they stand in the same lab next to each other (at least that was my understanding and proposition for the last tests).

This issue is exactly what I had.

To resolve it was easy. Go to the DNS on your AD Domain Server and remove any existing DNS entries
equal to the one you’re trying to add.

I.e. if your ownloud computer has IP 172.22.40.100
most likely in the AD DNS there’s already an entry for that IP and thus it errors on you exactly the same way as you described, because I got exactly that same error message.

You might as well just erase all non-static IP anyway…

after it you can join the domain without an issue.

Mastodon