Clarifying UCS System Roles

Could someone clarify a point for me regarding UCS roles? Are Domain Controller Backup and/or Domain Controller Slave roles able to authenticate workstation login requests?

Our network has a Master DC in one location and a Backup and a Slave in a separate location. The sites are linked with a site to site VPN. Windows 7 workstation clients at the remote site can join the domain, but users cannot login. (They get the error message: “there are currently no logon servers available to service the logon request”).

I’ve tried adjusting the DNS servers provided by DHCP to each local UCS role but get the same error. Setting the DNS server to the Master DC does not work either - maybe related to a very slow ping across the VPN (~350ms)?

Not really sure how else to troubleshoot this.

Thanks

Site A
Gateway & DHCP (10.1.1.1)
Master DC (10.1.1.2)

Site B
Gateway & DHCP (10.1.2.1)
Backup (10.1.2.2)
Slave (10.1.2.3)

Hey,

you have to differentiate between the UCS domains and Windows domains. Both domain types use similar terms but with different meaning.

A UCS domain consists of the LDAP servers. If you’re running a pure Linux/Unix domain then those LDAP servers are enough for authentication. The role of »UCS Domain Controller Backup« refers to this LDAP domain. It means, among other things, that the UCS DC backup contains an always up-to-date copy of the whole LDAP tree and all other domain-related data (e.g. the SSL certificates). Additionally a DC backup can be converted to a DC master manually should the DC master suffer a fatal error (e.g. total hardware failure).

A UCS Domain Controller Slave, on the other hand, only contains a sub-set of the whole domain data (e.g. not the SSL certificates). A UCS DC slave can obviously not be converted to UCS DC master.

None of this has anything to do with a Windows domain yet. An Active Directory Windows domain only knows »Domain Controllers« and does not differentiate between master and slave AD DCs (unlike an NT domain). All Active Directory Domain Controllers are equal.

The important thing to know is that a UCS Domain Controller (no matter which role) does NOT automatically offer Windows Domain services. It only does if Samba v3 or v4 is installed on that server (keep in mind that for an Active Domain style Domain Controller you need Samba v4).

So in order to answer your question: your UCS DC Backup and UCS DC Slave will only be able to offer Windows Domain services if Samba is installed, too. Judging from your description I’d guess that you either do not have Samba installed or only Samba v3 and that you’re using an Active Directory style Windows Domain.

A Samba server installed on a UCS DC Backup/Slave will of course use the LDAP directory installed on the same server. That’s one of the advantages of running UCS DC Backup/Slave in remote locations.

So the typical use case is to have both the UCS DC master and UCS DC backup in the same location (e.g. the main office) and use UCS DC slave in remote locations (e.g. branch offices).

See the UCS Administration Manual section 3.3 »UCS system roles« and following.
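A quick way to check the point made above (a UCS DC only answers Windows logons once Samba is installed) is to probe each remote-site server for the services a Windows client expects and classify the result. This is an added example, not code from the thread or from Univention; the port set, the role labels and the Site B addresses are assumptions for illustration.

```python
"""Probe site servers to tell an LDAP-only UCS DC from a Samba AD DC.

Constructed example, not UCS code. Ports checked: 88 Kerberos, 389 LDAP,
445 SMB. IP addresses are the placeholders used in the thread.
"""
import socket

# TCP services a Windows client expects from an AD-style logon server.
AD_PORTS = {88: "kerberos", 389: "ldap", 445: "smb"}


def probe(host, ports=AD_PORTS, timeout=2.0):
    """Return the subset of ports on host that accept a TCP connection."""
    open_ports = set()
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                open_ports.add(port)
        except OSError:
            pass  # refused, filtered or timed out: treat as closed
    return open_ports


def classify(open_ports):
    """Map a set of open ports to what the host can do for a Windows logon."""
    if not open_ports:
        return "unreachable"
    if {88, 389, 445} <= open_ports:
        return "ad-dc"        # Kerberos + LDAP + SMB: Samba AD DC is up
    if 389 in open_ports and 88 not in open_ports:
        return "ldap-only"    # directory present, no Kerberos: UCS LDAP only
    return "partial"          # some services only; worth a closer look


def report(hosts):
    """Classify every host; the dict is returned so it can be checked."""
    return {host: classify(probe(host)) for host in hosts}


if __name__ == "__main__":
    # Site B from the thread: DC backup 10.1.2.2 and DC slave 10.1.2.3.
    for host, role in report(["10.1.2.2", "10.1.2.3"]).items():
        print(f"{host}: {role}")
```

A host reported as "ldap-only" matches the situation described in the thread: the UCS directory is replicated there, but nothing answers the Windows client's logon request until the AD-compatible DC app is installed.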


Hi Moritz

Thanks for the detailed explanation. I’d read through the system role descriptions, but wasn’t aware of the difference between UCS and Windows domains.

Just to make sure I have this right - to run windows client logins against the remote slave server, I’d need to install the ‘Active Directory-compatible Domain Controller’ app on the remote slave?

Thanks again

You’re welcome.

Assuming your domain is an Active Directory one (which it most likely is) and not a Windows-NT-style one: yes, exactly.

[quote=“tomtomnz”]Just to make sure I have this right - to run windows client logins against the remote slave server, I’d need to install the ‘Active Directory-compatible Domain Controller’ app on the remote slave?[/quote]

Another hint: it is required to install the app ‘Active Directory-compatible Domain Controller’ on a DC master or a DC backup. It is not sufficient to install it on a DC slave only.
