Hello everyone,
Our company is looking into migrating from Active Directory (AD) to Univention Corporate Server (UCS). We have around 500 employees across several offices. Currently, we use AD and Keycloak for some services, as well as AD + Entra for Microsoft services and some other integrations. My main question is whether it’s possible to achieve a 1:1 replacement of our current AD environment with UCS.
We need to keep these offices separated within the directory structure — would using separate Organizational Units (OUs) be the best approach for this, or is there a smarter or more efficient way to handle office separation in UCS?
I’ve already tried both the AD Connection and AD Takeover apps, and they look quite promising. However, I’ve encountered a few challenges that I haven’t been able to resolve yet:
- OU-specific administration:
Is it possible to assign administrators to manage only one OU (office) without granting them access or visibility to other OUs? I’ve tried creating a UMC policy with an LDAP filter, but I couldn’t get it to work as intended.
- Trust relationships between UCS domains:
Is it possible to establish a trust relationship between two UCS servers with different domains? The plan is to have one UCS instance for our Croatian offices and another one for our German office with different domains.
- Integration with Keycloak and Entra ID:
We currently use Keycloak and Entra ID for authentication. What would be the best approach going forward: to migrate our existing Keycloak setup to the UCS-integrated Keycloak app, or to keep using the external one?
Also, how well does the Microsoft 365 Connector app work in practice? Is it a reliable replacement for a traditional AD + Entra setup?
Any advice, best practices, or documentation references would be greatly appreciated. Thanks in advance for your help.
Just a word to the wise…
DO NOT run the connection & takeover apps against a live system (until you have fully tested them in a lab).
They make changes to the AD structure that they don’t tell you about.
Also, cancel will not clean up these changes.
So if you progress through the various stages, before pressing the “final” button, changes have already been made.
Basically the best way, before doing the migration, is to take a live snapshot of your system… throw it onto an isolated VM network,
snapshot it, then run UCS migrate against it.
If it works, then you are in good stead. If not, you just saved yourself a big clean-up.
As regards the 1:1… no…
MS have some “web-based” services running on their own AD systems that cannot run on UCS yet, so any tool that requires these services won’t work after you strip the Windows AD out.
Also, all the management tools required to run against the AD are still on Windows.
- Yes, it is possible to do “trust” domains against different domains… but it is long-winded and requires some hands-on work, possibly some scripts on the underlying Linux.
Been using UCS for over 10 years for small companies for AD & security…
I like it, but it is not perfect…
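The advice above boils down to: export the directory from the lab snapshot before running the migration tool, run the tool, export again, and compare, so that the changes the apps make without telling you become visible and you know what the snapshot rollback is undoing. The script below is an added example for this thread (it is not Univention code and not part of the AD Connection or AD Takeover apps). It assumes you have two LDIF exports of the same subtree, for example from `ldapsearch -LLL` or `ldifde`, and it uses only the Python standard library. The LDIF embedded in it is constructed; every DN, attribute value and object name in it is a placeholder.

```python
"""Diff two LDIF dumps of a directory subtree (standard library only).

Added example for this forum thread, not Univention or Microsoft code.
Intended use: export the same subtree from the lab snapshot before and after
running a migration tool, then diff the two dumps to see exactly which objects
and attributes the tool touched. The sample LDIF below is constructed; the
DNs, object names and attribute values are placeholders.
"""
import base64
from typing import Dict, Set

Entry = Dict[str, Set[str]]      # attribute name (lower-cased) -> set of values
Directory = Dict[str, Entry]     # dn (lower-cased) -> entry

# Housekeeping attributes that change on every write and would otherwise
# drown the interesting differences. Extend this set to taste.
IGNORED_ATTRS = {"whenchanged", "usnchanged", "modifytimestamp", "entrycsn"}


def parse_ldif(text: str) -> Directory:
    """Parse an LDIF subset: folded lines, base64 (::) values, comments."""
    # Unfold continuation lines (a line starting with one space continues the
    # previous line) and drop comment lines.
    logical = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)

    directory: Directory = {}
    current_dn, current = None, {}
    for line in logical + [""]:          # trailing blank line flushes the last entry
        if line.strip() == "":
            if current_dn is not None:
                directory[current_dn] = current
            current_dn, current = None, {}
            continue
        if line.startswith("version:"):
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):         # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        elif rest.startswith("<"):       # "attr:< file:///..." keep the URL literal
            value = rest[1:].strip()
        else:
            value = rest.strip()
        name = name.strip().lower()
        if name == "dn":
            current_dn = value.lower()   # DNs are case-insensitive; normalise
        elif name not in IGNORED_ATTRS:
            current.setdefault(name, set()).add(value)
    return directory


def diff_directories(before: Directory, after: Directory) -> dict:
    """Return added DNs, removed DNs and per-DN attribute changes."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    changed = {}
    for dn in set(before) & set(after):
        b, a = before[dn], after[dn]
        attr_changes = {}
        for attr in set(b) | set(a):
            old, new = b.get(attr, set()), a.get(attr, set())
            if old != new:
                attr_changes[attr] = {"added": sorted(new - old),
                                      "removed": sorted(old - new)}
        if attr_changes:
            changed[dn] = attr_changes
    return {"added": added, "removed": removed, "changed": changed}


def load_ldif_file(path: str) -> Directory:
    """Convenience wrapper for exports written to disk (e.g. by ldapsearch)."""
    with open(path, encoding="utf-8") as fh:
        return parse_ldif(fh.read())


# Constructed sample: the "before" export. "U2FsZXMgdGVhbQ==" is base64 of "Sales team".
BEFORE_LDIF = """\
# constructed sample export; placeholders only, not real directory data
dn: OU=Sales,DC=example,DC=com
objectClass: organizationalUnit
ou: Sales
whenChanged: 20240101000000.0Z

dn: CN=Alice Example,OU=Sales,DC=example,DC=com
objectClass: user
cn: Alice Example
sAMAccountName: alice
description:: U2FsZXMgdGVhbQ==
memberOf: CN=Sales Staff,OU=Groups,DC=example,DC=com
whenChanged: 20240101000000.0Z
"""

# Constructed sample: the "after" export. The description is folded over two
# lines (the continuation line starts with one space plus the real text), a
# group membership is gone and a placeholder object has appeared.
AFTER_LDIF = """\
# constructed sample export taken after a tool ran; placeholders only
dn: OU=Sales,DC=example,DC=com
objectClass: organizationalUnit
ou: Sales
whenChanged: 20240102000000.0Z

dn: CN=Alice Example,OU=Sales,DC=example,DC=com
objectClass: user
cn: Alice Example
sAMAccountName: alice
description: Sales team (migrated
  by tool)
whenChanged: 20240102000000.0Z

dn: CN=placeholder-object,OU=Sales,DC=example,DC=com
objectClass: container
cn: placeholder-object
"""


def run_sample() -> dict:
    """Diff the two constructed exports; returns the change report."""
    return diff_directories(parse_ldif(BEFORE_LDIF), parse_ldif(AFTER_LDIF))


if __name__ == "__main__":
    import json
    print(json.dumps(run_sample(), indent=2))
```

On the constructed sample the report lists the new placeholder object under `added`, and for the user entry it shows the old and new `description` values and the dropped `memberof`; the OU itself does not appear because only `whenChanged` moved and that attribute is ignored. Run it against real before/after exports of the lab copy with `load_ldif_file`, and keep the report with the snapshot so the rollback decision is based on what actually changed rather than on what the wizard said it would do.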
Yeah, I should have mentioned I was doing all of this in a VM environment.
Our current setup is quite robust and stable, so a full migration to UCS would probably introduce a lot of unexpected issues. I keep seeing that UCS tends to work fine for smaller companies like you said. In our case, we’re a bit larger, with multiple offices (some operating as separate subsidiaries in different cities). For now, I’m just testing different scenarios to understand the limits and see how scalable UCS really is, and whether it can handle a setup of that size.
Do you maybe have more details on the trust domains part, or could you point me to some documentation or examples? I only found references about trust relationships between UCS and AD, not between two UCS domains.
They have it all in the extensive setup documentation.
I’d not worry about the different cities,
I’m running across countries… and it is stable.
Is this something I just missed or is this some kind of extra paid service?
Yep… I don’t read documentation either…
It’s free…
A number of massive PDFs, someplace on this website.
You got me intrigued. It’s not this documentation you are talking about?