Hello, I currently have an Active Directory that is handled via a Synology NAS that acts both as a DNS server and Active Directory DC.
It was planned to have the UCS run in a VM and take over the Domain Controller role of the Synology DC, but I have been unable to integrate the UCS as even a simple Domain Member.
The UCS has internet access and is able to reach the Domain itself.
The Synology NAS also displays a successful authentication, when a join attempt is made.
The UCS, though, displays the error message that it “Could not fulfill the request”.
Using the command: tail -f /var/log/univention/* inside the UCS VM, I was able to get the following log excerpts that occur when I try to authenticate the UCS:
==> /var/log/univention/config-registry.replog <==
2025-11-13 10:02:40: set nameserver1=192.168.57.1 old:192.168.57.1
2025-11-13 10:02:40: set kerberos/defaults/dns_lookup_kdc=true old:true
2025-11-13 10:02:40: set hosts/static/192.168.57.1=controller-name.test.domain-name.de old:controller-name.test.domain-name.de
2025-11-13 10:02:41: set nameserver1=192.168.57.1 old:192.168.57.1
2025-11-13 10:02:41: set kerberos/defaults/dns_lookup_kdc=true old:true
2025-11-13 10:02:41: set hosts/static/192.168.57.1=controller-name.test.domain-name.de old:controller-name.test.domain-name.de
==> /var/log/univention/management-console-module-setup.log <==
13.11.25 10:02:40.530 MODULE ( PROCESS ) : Received request ‘setup/check/join_info’: (‘systemsetup’, ‘wizard’, None, ‘de_DE.UTF-8’)
13.11.25 10:02:40.531 MODULE ( PROCESS ) : Lookup ADDS DC
13.11.25 10:02:40.531 MODULE ( PROCESS ) : running [‘dig’, ‘@192.168.57.1’, ‘controller-name.test.domain-name.de’, ‘+short’, ‘+nocookie’]
13.11.25 10:02:40.558 MODULE ( PROCESS ) : stdout: 192.168.57.1
13.11.25 10:02:40.558 MODULE ( PROCESS ) : stderr:
13.11.25 10:02:40.563 MODULE ( PROCESS ) : running [‘dig’, ‘@192.168.57.1’, ‘+nocookie’]
13.11.25 10:02:40.592 MODULE ( PROCESS ) : stdout:
; <<>> DiG 9.18.33-1~deb12u2A~5.2.0.202501301650-Univention <<>> @192.168.57.1 +nocookie
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65297
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;. IN NS
;; ANSWER SECTION:
. 23374 IN NS h.root-servers.net.
. 23374 IN NS d.root-servers.net.
. 23374 IN NS k.root-servers.net.
. 23374 IN NS b.root-servers.net.
. 23374 IN NS g.root-servers.net.
. 23374 IN NS a.root-servers.net.
. 23374 IN NS j.root-servers.net.
. 23374 IN NS e.root-servers.net.
. 23374 IN NS i.root-servers.net.
. 23374 IN NS l.root-servers.net.
. 23374 IN NS m.root-servers.net.
. 23374 IN NS f.root-servers.net.
. 23374 IN NS c.root-servers.net.
;; Query time: 0 msec
;; SERVER: 192.168.57.1#53(192.168.57.1) (UDP)
;; WHEN: Thu Nov 13 10:02:40 CET 2025
;; MSG SIZE rcvd: 251
13.11.25 10:02:40.592 MODULE ( PROCESS ) : stderr:
13.11.25 10:02:40.601 MODULE ( PROCESS ) : AD Info: {‘Forest’: ‘test.domain-name.de’, ‘Domain’: ‘test.domain-name.de’, ‘Netbios Domain’: ‘TEST’, ‘DC DNS Name’: ‘controller-name.test.domain-name.de’, ‘DC Netbios Name’: ‘controller-name’, ‘Server Site’: ‘Default-First-Site-Name’, ‘Client Site’: ‘Default-First-Site-Name’, ‘LDAP Base’: ‘DC=test,DC=domain-name,DC=de’, ‘DC IP’: ‘192.168.57.1’}
13.11.25 10:02:40.732 MODULE ( PROCESS ) : Synchronizing time to controller-name.test.domain-name.de
13.11.25 10:02:40.744 MODULE ( PROCESS ) : Time difference is less than 180 seconds, skipping reset of local time
13.11.25 10:02:40.815 MODULE ( PROCESS ) : Prepare Kerberos UCR settings
13.11.25 10:02:40.815 MODULE ( PROCESS ) : Setting UCR variables: [‘kerberos/defaults/dns_lookup_kdc=true’]
13.11.25 10:02:40.885 MODULE ( PROCESS ) : Unsetting UCR variables: [‘kerberos/kdc’, ‘kerberos/kpasswdserver’, ‘kerberos/adminserver’]
13.11.25 10:02:40.893 MODULE ( PROCESS ) : Setting UCR variables: [‘hosts/static/192.168.57.1=controller-name.test.domain-name.de’]
13.11.25 10:02:41.002 MODULE ( ERROR ) : kdestroy failed:
kdestroy: krb5_cc_destroy: Did not find a plugin for ccache_ops
13.11.25 10:02:41.006 MODULE ( ERROR ) : kinit failed:
kinit: krb5_parse_name_flags: part after realm in principal name
13.11.25 10:02:41.321 MODULE ( ERROR ) : The connection to the Active Directory Server was refused. Please check the password.: None
From the looks of it, there seems to be a problem with the Kerberos, but I have no idea how to fix this or why it occurred, as this was a completely fresh install.
The following commands were also used to check for possible issues with the DNS itself, but all gave positive results:
nslookup -type=SRV _ldap._tcp.dc._msdcs.test.domain-name.de
nslookup -type=SRV _kerberos._tcp.dc._msdcs.test.domain-name.de
nslookup -type=SRV _ldap._tcp.gc._msdcs.test.domain-name.de
nslookup -type=SRV _ldap._tcp.pdc._msdcs.test.domain-name.de
nslookup -type=SRV _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.test.domain-name.de
Does somebody know what is the issue here and how this could be fixed?
Thanks in advance.
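
The `kinit` line in the log above is a principal-name parsing error, raised before any password is checked. As an added example (not part of the original post, and not UCS or Heimdal code), this sketch re-implements the rule behind "part after realm in principal name" and shows one kind of input that triggers it; `build_principal` and the way it appends the realm to the join user are assumptions for illustration.

```python
# Added example, not UCS or Heimdal code: a simplified re-implementation of
# the principal-name rule behind "part after realm in principal name".

class PrincipalError(ValueError):
    pass

def parse_principal(name):
    """Split 'comp1/comp2@REALM' into (components, realm).

    A backslash escapes the next character. The first unescaped '@' starts
    the realm; any later unescaped '@' or '/' is rejected.
    """
    components, current, in_realm = [], [], False
    chars = iter(name)
    for c in chars:
        if c == "\\":
            nxt = next(chars, None)
            if nxt is None:
                raise PrincipalError("trailing \\ in principal name")
            current.append(nxt)
        elif c in "/@" and in_realm:
            raise PrincipalError("part after realm in principal name")
        elif c in "/@":
            components.append("".join(current))
            current, in_realm = [], c == "@"
        else:
            current.append(c)
    if in_realm:
        return components, "".join(current)
    return components + ["".join(current)], None

def build_principal(username, ad_domain):
    # Assumption for illustration: the join user is suffixed with the
    # upper-cased AD domain as realm before being handed to kinit.
    return f"{username}@{ad_domain.upper()}"

def diagnose(username, ad_domain):
    """Return 'ok' or the parser error for the principal that would be built."""
    try:
        parse_principal(build_principal(username, ad_domain))
        return "ok"
    except PrincipalError as exc:
        return str(exc)

if __name__ == "__main__":
    # Constructed sample inputs; the domain is the one shown in the log.
    for user in ("Administrator", "Administrator@test.domain-name.de"):
        print(f"{user!r}: {diagnose(user, 'test.domain-name.de')}")
```

Under that assumption, a join user entered with its own `@domain` suffix ends up with two realm separators and is rejected by the parser, while the bare account name parses cleanly.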