After installing AD takeover, I can't login anymore as Administrator

Hi all. I am trying to use UCS 5 in an old network. They use an old win2012 server, which has some hw problem and is bluescreening once a week.

I tried UCS 5 in my homelab, created a new test domain, worked great, I loved it.

So, I tried to do the same in this network:

  1. Installed UCS5
  2. joined the domain
  3. installed the updates
  4. rebooted
  5. I set the license key and installed the AD takeover app, in order to turn off that win2012 server (so: just installed, did not start it)
  6. someone called me on the phone, I came back after one hour, the session was logged out and… now I can’t login anymore as Administrator. It says wrong password. I can login as root on both the webpage (limited access) and the local terminal.

What can I do?

Some troubleshooting from other topics:

kinit Administrator
kinit: Password incorrect
univention-check-join-status 
Joined successfully
ldapsearch -x -D "uid=Administrator,cn=users,$(ucr get ldap/base)" -w 'YOUR_PASSWORD' uid=Administrator 1.1
ldap_bind: Invalid credentials (49)
univention-ldapsearch -LLL uid=Administrator createTimestamp modifyTimestamp 
createTimestamp: [the time I installed the server, yesterday]
modifyTimestamp: [the exact time I installed the AD takeover app, today]

/etc/libnss-ldap.conf is referring to the ucs server itself

So, I don’t really know what to do now. I can wipe the server, delete all the info from Active Directory and try again, but I am scared it will happen again if I don’t know what happened; maybe I made some mistake in the config…

edit: I tried to see the status of the name service cache daemon and I see this in the logs:

systemctl status nscd.service

nss-ldap: do_open: do_start_tls failed: stat=-1
nss_ldap: could not search LDAP server - Server is unavailable
  1. Did you check if the “Administrator” pw from the 2012 join has been transferred over to the new DC.
  2. Password, locked out

For my sanity, the admin/root password on all the servers was the same. Also the AD master restore password is the same. I could login to win2012 with that password…

In the logs it looks like the takeover did not start (log files are completely missing); I just installed the app, did not start it.

In connector-s4.log I see some (PROCESS): sync AD > UCS: Resync rejected dn: 'CN=Protected Users,CN=Users..."

I give up.

I just fix computers for a low hourly rate; I am not a network sysadmin, and I can’t understand what’s going on.

In my virtual homelab experiment, UCS from scratch (new forest/domain) is so smooth and such a better experience than Active Directory; it works great even with Windows 11, but integrating with an already existing domain is troublesome.

Created a new UCS VM, joined the domain, it saw that the network already had a (now deleted) UCS server and gave me a warning, presumably from the ucs-sso.mydomain.local entry in the DNS, but I got the same problem after I installed the AD-takeover app. Now it’s even worse, because in “Server manager” the backup AD server now says “Kerberos security error” and does not let me login in any way. Probably when I gave it my domain admin password it changed something, and I am not competent enough to solve this problem by myself.

Created a new Windows 2022 VM, it can join the domain, but 5 minutes later, using the same password, it can’t be promoted as domain controller.

I recovered the domain by taking over the FSMO roles from the now “killed” server, but I’m not going to try again with UCS. Unfortunately, this is a mom&pop shop with just 4 users/devices; they will never agree to pay my unskilled fee + the core license + the ticket to solve this problem properly with support. They barely agreed to pay for Server 2022 Essentials.

If one day I need to create a new forest or domain, UCS is great and I will 100% use it instead of just Ubuntu + Samba 4.

It’s only troublesome if you don’t check the pre-requisites… and if you have to have a second go…
Look, I have been where you are now… more than once…

Me… I would have VM-cloned the master server, taken it back to my home lab,
done the join, then returned to the business with a fully integrated UCS, loaded it onto the system, and the computers would have been none the wiser.

If it messed up during the transfer in my home lab, I would have just rolled back to the clean snapshotted image, made corrections and tried again.

One thing you can guarantee… if you don’t get it first time, there is no cleanup code in UCS for a retry.
