Active Directory Connection


#1

Hello all, I am really getting frustrated with this and hope some of you can guide me in the right direction. Currently getting close to giving up on UCS.

Here is the scenario. I do not want to remove the Windows domain until I get comfortable with UCS. I still have Exchange 2013 and am looking for a solution to change in the near future. I have FreeNAS and want it to connect to UCS for users, groups, etc.

The idea is to maintain my users and groups in Windows 2012 R2 and have it sync with UCS, either by having UCS join the domain as a controller or by just syncing the accounts.

I have re-installed a new Domain Controller in the lab and trying to connect the UCS to it. It is just not working and I am getting frustrated. According to Univention this should be a simple process… well I can tell you it is not.

Here is the message I am receiving:

The command has failed: Could not connect to AD Server ddd.aaaa.ca. Please verify that the specified address is correct.

I have tried connecting with the IP address, the domain name and the FQDN, always with the same results. Both devices are in the same network so no firewall is blocking this connection. Both UCS and DC resolve each other, with both having entries in each other's DNS servers.

Version of Windows: 2012 R2
Version of UCS: 4.1.4 (tried with 4.1.3 with same results)

Your help would be greatly appreciated.


#2

Is the AD DNS server configured as forwarding target in UCS? If not you should change this, because it wouldn't find the AD domain DNS entries on its local DNS or external DNS.

rg
Christian


#3

Hello Christian, yes the DNS of the AD is set as forwarding address in UCS. As mentioned both resolve each other.

aaaa.ca is an entry in the DNS of UCS with both entries (UCS and DC).


#4

It is very easy and works the first time

BUT…

  1. ensure ALL your equipment is using the SAME DNS resolver
  2. no port filters
  3. check your current domain names ALL resolve to the same place at all locations.
  4. ENSURE that the order of DNS resolving servers is correct, ALWAYS resolve to the AD server first

#5

So getting better but still no success. I see it talk to the domain controller. It gets to 90% running samba scripts, and then 100% with the message:

Could not connect to AD Server xxx.yyy.zzz. Please verify that the specified address is correct.

If I look at the AD the UCS is identified in the Computer objects, and not a domain controller. Accounts are not being synced.

Can anyone point me to where the logs are found so that I can see where this dies?

Thanks


#6

The logs are usually located in /var/log/univention.

As I am not sure which one applies here I would suggest to reproduce the error and run “ls -ltr /var/log/univention”.

hth,
Dirk


#7

So here is the log for check_join_status.log

LDAPv3

base <dc=yyy,dc=zzz> with scope baseObject

filter: (objectclass=*)

requesting: ALL

yyy.zzz

dn: dc=yyy,dc=zzz
objectClass: top
objectClass: krb5Realm
objectClass: univentionPolicyReference
objectClass: nisDomainObject
objectClass: domainRelatedObject
objectClass: domain
objectClass: univentionBase
objectClass: univentionObject
dc: yyy
univentionObjectType: container/dc
krb5RealmName: yyy.zzz
nisDomain: yyy.zzz
associatedDomain: yyy.zzz
univentionPolicyReference: cn=default-settings,cn=thinclient,cn=policies,dc=yyy,dc=zzz
univentionPolicyReference: cn=default-settings,cn=pwhistory,cn=users,cn=policies,dc=yyy,dc=zzz
univentionPolicyReference: cn=default-users,cn=bbbb-settings,cn=users,cn=policies,dc=yyy,dc=zzz

search result

search: 3
result: 0 Success

numResponses: 2

numEntries: 1

Joined successfully

Join successful, yet the message in the GUI states differently. The UCS server is in AD as a computer after the run to join.

The samba.sync.log file is empty. Accounts are not being synced. Is the sync immediate? Is the message in the GUI bogus and I just need to wait a while for the accounts to sync?

The ad-connector-certificate.log is empty

One thing is still bothering me. When I ssh to UCS and dig/nslookup the AD server both by name and by IP, UCS resolves my AD server. UCS is using the AD server to resolve. Yet when I run the join it needs the IP to start the join. When I enter the FQDN it does not work.

Thanks everyone for your help


#8

Here is the error message just at the point I hit 100%


and then the other message I receive at the end.


#9

So, the code throws this error message when:

except admember.failedADConnect as exc:
    _err(exc, _('Could not connect to AD Server %s. Please verify that the specified address is correct.') % ad_domain_info.get('DC DNS Name'))

So it seems like a DNS problem. You say you can only even start the join with the IP address? That does not ring right with me. You say you have the Windows Server in a lab - do you have the UCS server there also? Are they in the same network segment and 100% not connected to the productive segment? Are you able to reinstall the UCS (if yes: create a new Windows server with only the DNS server and the most needed components, then create a new UCS and use the AD-Connector mode at the installation)?
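An added example, not from this thread or from Univention: a POSIX shell script that runs the resolver checks from #4 (AD DNS server first, every name resolving to the same place) and the DNS diagnosis from #9 on the UCS host before attempting the join. The DC FQDN, DC IP and AD domain are placeholders passed as arguments; /etc/resolv.conf as the resolver file and dig being installed are assumptions.

```shell
#!/bin/sh
# Pre-join DNS sanity checks for a UCS host about to connect to an AD domain.
# Added example (not Univention code); all names and addresses are placeholders.

# Return 0 if the first "nameserver" line in a resolv.conf-style file ($1) is $2.
# Post #4, item 4: the AD DNS server must be the FIRST resolver, not merely present.
first_nameserver_is() {
    file="$1"; want="$2"
    first=$(awk '$1=="nameserver"{print $2; exit}' "$file")
    [ "$first" = "$want" ]
}

# Return 0 if $1 (space-separated addresses, e.g. from "dig +short") is non-empty
# and every address equals $2. Post #4, item 3: a name that resolves to different
# hosts from different resolvers will break the join.
all_addresses_match() {
    for a in $1; do                       # unquoted on purpose: split on spaces
        [ "$a" = "$2" ] || return 1
    done
    [ -n "$1" ]
}

# Return 0 if the AD domain ($1) publishes its DC locator SRV record via resolver $2.
# Needs network access; this is what the join uses to find a domain controller.
srv_record_present() {
    out=$(dig @"$2" +short SRV "_ldap._tcp.dc._msdcs.$1")
    [ -n "$out" ]
}

# Orchestrate: resolver order, forward lookup, reverse lookup, SRV lookup.
run_checks() {
    dc_fqdn="$1"; dc_ip="$2"; ad_domain="$3"
    first_nameserver_is /etc/resolv.conf "$dc_ip" \
        || echo "WARN: $dc_ip is not the first nameserver in /etc/resolv.conf"
    fwd=$(dig +short A "$dc_fqdn")
    all_addresses_match "$fwd" "$dc_ip" \
        || echo "FAIL: $dc_fqdn resolves to '$fwd', expected $dc_ip"
    rev=$(dig +short -x "$dc_ip" | sed 's/\.$//')
    [ "$rev" = "$dc_fqdn" ] \
        || echo "WARN: reverse lookup of $dc_ip gives '$rev', expected $dc_fqdn"
    srv_record_present "$ad_domain" "$dc_ip" \
        || echo "FAIL: no _ldap._tcp.dc._msdcs.$ad_domain SRV record via $dc_ip"
}

# Usage: sh adjoin-dns-check.sh dc1.example.lab 192.0.2.10 example.lab
if [ $# -eq 3 ]; then run_checks "$@"; fi
```

Run it on the UCS host with the DC's FQDN, IP and the AD domain; any FAIL line points at the resolver setup that the join error message hides behind "Could not connect to AD Server".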