Can UCS be Secondary DC from AZURE VM?


#1

Hy there,

Can univention server added to a windows server virtual machine Domain controller that exist in azure and have a vpn to work as local server?
The main goal is to have a fault tolerance authentication server when the internet connection fails for example.

Thanks


#2

Hi,

if I got your right you want to join a UCS server to an Active Directory, located on a Windows DC in Microsofts Azure Cloud - right?
It should be possible to join the UCS system in member mode via VPN - althought I am not aware of other equal customer scenarios.

I would be glad if you could give me some feedback here!

Regards,
Tim Petersen


#3

Just for clarification: It is currently not possible to join an UCS System as a second Active Directory Domaincontroller to an existing Microsoft Active Directory. The member mode joins the UCS system as a memberserver and synchronizes its LDAP with the Active Directory.


#4

I will try in esxi…

My question is if the ucs acting as member will do autheticantion function when the primary domain isn’t avaiable…

what commands i can run to test if the authentication/passwords are sync in ucs ?


#5

So if i understand, what i want isn’t possible.
With any version of windows server? Zentyal for instance say they can do that with until windows 2008 r2, ucs can’t do it?


#6

I misunderstood, sorry for that.

The UCS system in default member mode will pass through password requests to the Active Directory Domain Controller. If its not online, the auth with AD users will fail.
It is possible to use a password service at the Windows Domain Controller. Password Hashes will be wrote back to UCS LDAP then. Then it depends to the service - auth requests will be possible via ldap bind then, for example. It will not replace logon services or things like that!

The member mode is ideal for expanding an AD domain with applications that are available on the UCS platform. Apps installed on the UCS platform can then be used by the users of the AD domain. The authentication is still performed against native Microsoft AD domain controllers.

A complete Active Directory setup with multiple Domaincontrollers is only possible if all systems (at least the primary domain controller) are UCS systems.

Regards,
Tim Petersen


#7

I’m now blocked in the password sync, i don’t know how to do “After the installation the replication of password hashes has to be activated.”
I install the service and everything but the passwords sync isn’t working…

I only need a box that can do authentication when the primary domain is down, that should be < 2% of the time…

Zentyal announce they can do that, but only until 2008r2 server, and our vm in azure is 2012r2, and even more important, ucs is better than zentyal in my opinion.

So @Petersen if i understand and to close the thread, that can’t be done, ucs can’t be configure to allow users login to computers if the primary domain isn’t avaiable, they will always get the “no logon server available”


#8

[quote=“codedmind”]
So @Petersen if i understand and to close the thread, that can’t be done, ucs can’t be configure to allow users login to computers if the primary domain isn’t avaiable, they will always get the “no logon server available”[/quote]

UCS can’t be joined as Backup DC to a native Active Directory, because this is currently not supported completely by samba (sysvol repl, etc.) - that’s why this is not in our focus at the moment.


#9

Ok i managed it with zentyal.

Scenario
windows server 2008r2 as PDC
zentyal 4.1 as SDC

Add win7 computer to domain, reboot computer!
Disable windows server 2008r2 ethernet network
Turn on win7 computer, login with user from ad for the first time.
confirm that he logon server is the zentyal server!

so this is possible with samba… i must go with zentyal to solve my problem.
Thanks again @Petersen


#10

Hi CodeMind, just to be sured I understand your last post. Using zentyal you could have a second “Active Directory Domain Controller”, is that correct?


#11

Hello, yes.

I don’t pass it to prodution with zentyal, but with zentyal i have manage that


#12

Hey, just want to double check that UCS DC cannot be added as a new DC to an existing Windows based AD. It was my understanding that UCS provides directory services implemented in Samba. This page wiki.samba.org/index.php/Join_a … _Directory says that Samba DC can work as an additional DC for Windows Active Directory. Why then UCS can’t do the same?


#13

The statement of Petersen - who was member of the Univention support team at the time of writing - mentioned that one of the reasons is the lack of functionality in Samba, especially referring to Sysvol Replication.
The linked Samba-Wiki SYSVOL replication stiil states:

So I would conclude that there is no change.