How is the "Replica Directory Node" supposed to function?

UCS - Univention Corporate Server
#1

So I have a primary domain, that works.

Then during install of the second site I use the 5.0 ISO , I select " REPLICA DIRECTORY NODE", go through the setup and the Backup binds to the primary successfully

I see the link, between the two servers & if i go into teh APP center at either end i can see the sites for installation

so basically at the “remote site” :

  1. set the client DNS server to the REPLICA, so it can find the services

and if i issue a “DIG” against the DNS I see it is resolving correctly, to both the Primary site & the replica.

However if I try to BIND the client to the domain via the REPLICA site, it cannot work.

  1. Do i have to load any AD software onto the replica?
  2. Do I need to install “Active Directory Compatible Domain Controller” onto the “REPLICA DIRECTORY NODE”?

This would be to allow the clients can authenticate to this server , if the primary is off line
& the NAS can access the READ-ONLY LDAP records locally?

#2

Hello i have the same question, I have setup a replica I am confused about being unable to bind to the replica, and I assume one needs to install samba in some way in order to also get samba running and replicate the sysvol - this is not automatically setup when you choose to configure the new install as a replica of an existing UCS domain.

Does anyone have more info? I am reading through various docs but nothing is clear about the exact function of the replica and how to make it allow bind/auth against it

#3

Moin,

in general

UCS systems with the role Replica Directory Node have a complete read-only copy of the domain database.

with the main use case:

Replica Directory Nodes are ideally suited as dedicated systems for load intensive services with permanent read operations to the domain database because the read operations run locally instead of across the computer network.

Source: 3.3. Role concept — Univention Corporate Server Architecture 5.0

Any UCS server on it’s own is not able to work as an Active Directory Compatible Domain Controller, so the eponymous app has to be installed in every server that should provide that functionality, more on that here: 9.1. Operation of a Samba domain based on Active Directory — Univention Corporate Server - Manual for users and administrators (there you can also find more information about the synchronization of the SYSVOL share).
The process to join a Windows client afterwards is described here: 3.1. Joining domains — Univention Corporate Server - Manual for users and administrators

The UCS systems will then replicate their own openLDPA based LDAP and synchronize that with the Samba LDAP on every server where the app is installed.

Best regards
Jan-Luca

#4

it’s far better to use a “backup” server, the replica ,even with the AD software ,totally fails to work reliably when in a distributed site with multiple subnets.

it seems certain processes continue to insist that tehy can use it as a R/W replica, even if you follow the requirement to mark it as r/O before installation.

Mastodon