Joining UCS to Active Directory - is the UCS Server a Domain controller?

Hello,
I’m very new to UCS and we want to implement the Wekan software.
This software is available as a VMware appliance based on UCS.

When we run the UCS appliance for the first time, we want to add this UCS server to our domain to allow users to access the Wekan software with their AD accounts.

I configured the UCS settings and set the AD FQDN, AD user and password, and that's working fine. But on the last screen to accept these settings there is the information that the server will get the DC Master role.

I don't want to set the UCS server up as a domain controller. This server should be a normal member server of our domain.

Did I misunderstand something? If we join this UCS to our domain, will this server be a domain controller or a normal member server?

Thanks for your help.
Best regards.

No, the DC Master role is not meant to be an AD DC; it's the LDAP DC Master (if you are adding an additional UCS, the first one will act as LDAP Master for the additional UCS server).
UCS is only a member of your AD domain with read-only access to your AD users.

rg
Christian

Thanks Christian,

Just one more question.
Is UCS always syncing the AD objects into the UCS LDAP server, or only if we use the AD Connector from the App Center?

At the moment we only want to use Wekan for internal testing, and it's enough that we have an LDAP binding to our AD to use AD logins for the Wekan login.

Is the sync from the AD to the OpenLDAP on UCS necessary for this scenario? Do UCS apps always use the objects from the UCS OpenLDAP and not directly from the AD?

Thanks and best regards,
Steffen

I do not have this scenario myself, so I can't be sure, but if you add your UCS server (joining MS AD) I think you'll get the AD Connector installed automatically for this, and you have to decide if you want only a read-only connection or a bidirectional sync of AD and LDAP. With read-only you'll get your AD users into your UCS LDAP domain, and there you have the user accounts for the UCS apps.

Hope that's really correct and helps you.

But I would prefer to test this in a test lab (on a VMware or Proxmox virtual environment) to be sure and to learn about the functionalities before doing that in a production environment.

rg
Christian

Thank you.
I'm just asking because the UCS installer wants a user for the domain join that is a member of the Domain Administrators group. That is not necessary if UCS only reads from the AD. I don't want a server/application that has write permission in our AD.

If I use a user for the UCS domain join that has the right to do this, I get the message that this user should be in the Domain Admins group.

I don't have a test lab with a separate domain/domain controller.

No fear, it works great: it will show in Windows Server as a domain member, will read only and allow AD logins, and will not write. I have used Wekan on UCS for 2-3 years now. It is read-only unless you use AD Takeover.
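To check the "read-only or bidirectional" decision Christian mentions (and the read-only behaviour described in the last reply) before handing the appliance domain credentials, here is a small audit script. It is an added example, not code from this thread or from Univention; it assumes the UCR variable names `connector/ad/mapping/syncmode` (values `read`, `write`, `sync`) and `ad/member`, and the `key: value` line format of `ucr dump`, so verify both on your own UCS host.

```shell
#!/bin/sh
# Added audit helper (not from this thread or from Univention). It checks a
# UCR dump for the sync direction of the AD Connector, so you can confirm
# the read-only setup the thread describes before trusting the server.
# Assumptions (verify on your UCS): the UCR variable names
#   connector/ad/mapping/syncmode  (read | write | sync)
#   ad/member                      (true when joined as a member of an AD)
# and the "key: value" line format produced by `ucr dump`.

# audit_ad_connector_mode FILE
#   FILE holds a UCR dump. Returns 0 only when the connector is one-way
#   AD -> UCS ("read"), i.e. UCS never writes to Active Directory.
audit_ad_connector_mode() {
    dump="$1"
    syncmode=$(sed -n 's/^connector\/ad\/mapping\/syncmode: *//p' "$dump")
    admember=$(sed -n 's/^ad\/member: *//p' "$dump")
    [ "$admember" = "true" ] || echo "NOTE: ad/member is not 'true' (not in AD member mode)"
    case "$syncmode" in
        read)  echo "OK: syncmode=read, AD -> UCS only; AD is never written"; return 0 ;;
        sync)  echo "WARNING: syncmode=sync, bidirectional; UCS will write to AD"; return 1 ;;
        write) echo "WARNING: syncmode=write, UCS -> AD; UCS will write to AD"; return 1 ;;
        "")    echo "INFO: no AD Connector syncmode set; nothing is synced yet"; return 1 ;;
        *)     echo "UNKNOWN: syncmode='$syncmode'; check the connector setup"; return 1 ;;
    esac
}

# Constructed sample dumps (not from a real system), one per scenario.
SAMPLE_READONLY=$(mktemp)
SAMPLE_SYNC=$(mktemp)
trap 'rm -f "$SAMPLE_READONLY" "$SAMPLE_SYNC"' EXIT
cat > "$SAMPLE_READONLY" <<'EOF'
ad/member: true
connector/ad/ldap/host: dc01.example.test
connector/ad/mapping/syncmode: read
EOF
cat > "$SAMPLE_SYNC" <<'EOF'
ad/member: true
connector/ad/ldap/host: dc01.example.test
connector/ad/mapping/syncmode: sync
EOF

# On a real UCS host: ucr dump > /tmp/ucr.txt; audit_ad_connector_mode /tmp/ucr.txt
audit_ad_connector_mode "$SAMPLE_READONLY"
audit_ad_connector_mode "$SAMPLE_SYNC" || echo "(second sample correctly flagged)"
```

A non-zero exit from the function is the signal that UCS is configured to write into AD, which is exactly what the original poster wanted to rule out.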
