AD Backup Controller

I have installed UCS and was able to complete the setup for a bi-directional AD synchronization successfully.

That said, I am somewhat confused by the outcome. I mean, I do see the UCS system being listed as a DC on the Windows server, which is great. However, I was also expecting to see AD data in UCS, and I see neither users nor computers being listed. Furthermore, I was expecting that I could use AD user names to log on to UCS, but that also doesn't seem to work.

So, did something go wrong for me or is this normal behavior or am I missing a step somewhere?

I was basically hoping to create an AD backup server that can be used for user authentication if the existing Microsoft AD server is down for any reason. Can I accomplish this?

You cannot mix Windows-based AD DCs and Samba-based AD DCs as Samba doesn’t implement the distributed file system required for syncing the sysvol share between all AD DCs (that’s where the GPOs are stored).

You can have your Samba server join a Windows-DC-managed AD domain as a member server, or you can have an AD domain served purely by UCS Samba-based AD DCs (as UCS comes with a share synchronization mechanism that doesn’t use the DFS but rsync over ssh — but that only works between UCS servers, not between a UCS server and a Windows server).

There are actually two different ways for integrating a UCS server into a Windows-DC-served AD domain. Read the documentation carefully for more information.


Hi Moritz,

Thank you for your reply. Your explanation makes sense.

I have followed the instructions shown on this page:

In specific, I have followed the bi-directional synchronization setup for “Synchronization of Active Directory and UCS domains” and the setup process completed successfully. UCS also shows as a DC on the Windows DC.

In the documentation referred above it further says:
“UCS allows automatic synchronisation of encrypted passwords, group definitions and other directory service objects between Microsoft Active Directory and Univention Corporate Server so that all data are stored in parallel both in Active Directory and LDAP.”

I think the same information is shown in the documentation under 9.3.2. with me using the option shown under 9.3.3.1. The text below 9.3.5. also seems to imply that I should expect to see AD objects like computers, groups and users, but I don’t see any of them.

Was I supposed to join the Microsoft AD during setup? I have chosen to create a new UCS domain instead assuming that the connector would be able to do the necessary steps later on.

If that is indeed the case, I am guessing that I need to start over, correct?

Do I also need to install the “Active Directory Domain Controller” module?

Thank you for your time and feedback!

If you want to provide file shares, the member mode is better (and yes, you’ll have to reinstall the server in order to join the existing AD as a member server).

The sync mode is useful if all you want to do is run several apps on Linux using the same account/login information, e.g. if you want to run things like Nextcloud or Rocket Chat from the app center.

You cannot simply add the “Active Directory Domain Controller” on top of your current setup. The result would be having two distinct AD domains with the same name — a surefire recipe for disaster.

I should probably give a better explanation on what I am trying to accomplish.

At the moment, we are using a Microsoft Server for user authentication in a small office environment. So, the system doesn’t do anything other than authenticating domain users and giving them their home directory linked to their user account.

Before doing another costly server upgrade, we are looking for a potential replacement. As part of this process, we discovered UCS and it seems to check all the boxes for us. In fact, it might even give us some bonus features if we opt to install additional applications.

Now, we would like to test if it is working before we jump the gun and make the big move to UCS. So, I would like to pull all relevant information (computers, groups and users) from our Microsoft AD server and then shut down our existing server to see if users can log on without any further changes.

My current understanding is that if I just join the domain during installation, UCS becomes a read-only domain member. Since this type of installation doesn't even ask me to install our Microsoft AD root certificate, I doubt that it will be able to handle domain authentication for existing users. It seems that this mode is designed to create a copy so that Microsoft AD users can log on to UCS using their existing credentials.

So, I guess my big question is can we accomplish what I outlined above with UCS? If so, what do we need to install in what order? Reading the documentation I thought that the bi-directional synchronization would copy all relevant AD objects, but even though it completed successfully for us, it didn’t copy any user data.

Just to clarify: For testing purposes, we would initially like to use UCS as a backup AD server for the existing Microsoft AD server. So, it should be able to take over if the primary server is down. Once functionality has been established, we would like to retire the Microsoft Server and use UCS as the primary AD server for our Windows workstations.

Hope this helps and thank you again for your time. I really appreciate you trying to help me!
