Hello UCS community,
Is it possible to have UCS sync all DNS records from a Windows PDC? I’d expect it to already be doing this by default.
Also, how do I check the UCS server role type, I need to confirm that it’s running as a Domain Backup but can’t find the status anywhere.
Thanks,
Steve
Hey,
I’m assuming that you’ve got a UCS master joined to an AD as a member server. On UCS the Univention Directory Connector is used for syncing objects from the AD to the UCS LDAP. The connector only synchronizes users, groups and computer accounts but not anything else from the AD, especially the DNS objects.
For this to work you would have to configure the bind name server on the UCS server manually to be a slave for the zone(s) you want to synchronize. This is outside of the scope of what a UCS provides tools for (meaning you cannot configure this scenario via the Univention Management Console), but you can modify the files /etc/bind/local.conf and /etc/bind/local.conf.proxy and set up the appropriate controls for slave mode operation there. Of course the AD has to allow zone transfers from your UCS DC.
You can check the config registry variable »server/role«, either from the Univention Management Console or from the CLI with »ucr get server/role«.
You’ve said that you have a »UCS Backup«. I think you’re confusing terms here. Note that there are two sets of distinct roles: one that applies to the Active Directory Domain, one that applies to the UCS domain.
In an AD domain there are no primary/secondary/master/backup DCs. Either a server is a DC or it isn’t. All DCs are equal regarding their functionality and rights.
In a UCS domain you have exactly one (UCS-)DC master, zero or more DC backups (for purposes of converting the DC backup to the DC master should the DC master suffer a catastrophic and permanent failure; usually either no DC backup or exactly one), zero or more DC slaves (for purposes of having a local LDAP directory available close by, e.g. you could have one DC slave in a branch office connected to the main location only via a slow or unreliable connection), zero or more member servers.
The server roles in an UCS domain do not really map to the server role in an AD domain.
A UCS DC master may be an AD DC, too. Or not.
A UCS DC backup may be an AD DC, too. Or not.
It all depends on the installation mode.
For example, if you have an AD with Windows-based DCs and you join your first UCS server into such a domain then that UCS server will have to be the UCS DC master (as only the master can run the AD connector mentioned above), and that UCS DC master will not be an AD DC at all.
On the other hand, if you don’t have any Windows AD DCs then you can have your UCS DC master be an AD DC, too, as can be your UCS DC backup.
Wow, thank you for the detailed response. That clarifies a lot. I was expecting UCS to function as an Additional Domain Controller.
So basically, the UCS Master acts as exactly just that, a back-up server. And if SHTF, I basically execute AD take over which will allow the Master to function as the PDC? In that case, what would happen with the original Windows DC’s?
Thanks again.
You’re welcome.
Samba 4 (and by extension UCS) cannot function as an AD DC together with Windows-based AD DCs due to missing features in Samba 4. That’s important to know: a UCS server simply cannot be used as an additional AD DC if you have Windows-based DCs (unfortunately).
There are several use cases for using an UCS DC master in a Windows-based AD domain:
[ul][li]plain file and printing services[/li]
[li]database servers[/li]
[li]web servers[/li]
[li]provide an OpenLDAP-based authentication source for applications that expect an OpenLDAP instead of an Active Directory-structured LDAP[/li][/ul]
If you use AD takeover then the intention is always to discontinue the use of the Windows AD DCs and use the UCS DCs instead for both the UCS domain and the AD domain. You must really shut down the original Windows DCs in such a case, otherwise the domain data stored on the two types of DCs will diverge quickly. Hilarity will surely ensue like clients sometimes being able to authenticate and other times not depending on which DC answers first etc.
Hi Moritz,
I’ve devised a migration plan. It is to set UCS master as a slave and then merge the DNS records into the default domain zone on UCS. “domain.com”. Following that, I can execute the take over.
So far I’ve deleted the default domain zone on UCS and have setup UCS as a slave.
Now I’ve got all of the records which I can merge. Trouble is, to create the slave zone I had to delete the original UCS domain zone. Will there be any issues with running UCS as a domain controller without those original records?
A UCS domain uses and requires a lot of special DNS entries, just like an AD. These are used for looking up special services like the central LDAP server (SRV record _ldap.$yourdomain) etc. If those are missing then chances are your UCS domain is permanently hosed. For me there are 24 SRV records alone, and that’s not counting additional records like TXT ones.
If you don’t have a backup of that zone data then I’d suggest you re-install the UCS server as the impact the absence of those entries will cause cannot be estimated.
I ended up executing the domain re-join function, which restored the original records but resolution still wasn’t working.
So then I re-built the server which is now functioning fine. I also injected all of the DNS records from MS AD using a JavaScript which a colleague developed. I can post details here if anyone would like.
Now that all of the records are inserted, would it be safe to assume that it’s okay to execute the take over? My main concerns were really just domain authentication, users, groups and DNS records. Policies aren’t a concern.
I would say yes. Please read the takeover documentation carefully, especially the »Preparation« section. I stronly advise to create full backups of both the AD DC and your UCS server now before you start the process so that you can roll back both sides in case of failure.
I’m ready to go ahead, with just one final question plaguing me, what’s considered the best practice for migrating Windows DHCP over to Univention/Linux? We have quite a large number of reservations that need to be migrated across.
I can’t find anything regarding the above in the Univention manual.
Thanks !
Currently, we don’t have any documentation about the DHCP migration. We have a script tool udm which can create the DHCP objects but you can also create the objects via the web interface.
Maybe that is a good starting point: docs.software-univention.de/manu … entral:udm