Looking for Advice on Univention Deployment and Best Practices

Hey everyone,

I am currently working on a project that involves deploying Univention Corporate Server (UCS), and I am pretty new to the platform. I’d love to get some advice or suggestions from those who have experience with it. Specifically, I am trying to figure out:

  1. Best practices for deploying UCS in a small to mid-sized environment.
  2. Any tips for integrating UCS with other systems like Microsoft AD or cloud services.
  3. Security configurations you recommend out of the box.
  4. Any useful tools or add-ons that I should know about to enhance the experience.

And for the same I have been through these articles/resources: "UCS Installation and Commissioning – A Step by Step Guide" and "Salesforce CPQ Interview Questions", which are quite informative. But I would love to hear more from the community members.

Would love to hear about any gotchas, lessons learned, or tools you’ve found useful while working with UCS! Thanks in advance for your help!

Cheers.

Hi @henryclark,

After a good few months on this forum and working with UCS in my domain, I must say that a post covering all four points would be almost a holy grail :wink:

There’s lots of information within this forum; yes, scattered and fragmented but covers a lot of what you will need. Search first before you ask, sometimes it takes awfully long to get an answer from forum members.

To answer some of your questions:

  1. Play with the installer, don’t install and assume it is all fine.
  2. Plan storage (LVM configuration); it is much easier to do this before you have a deployed controller in a domain.
  3. Plan your network (incl. VLANs, IPs, etc.)
  4. Look at Certificate Authority settings BEFORE you deploy any certificates to the network.
  5. Register your server (get the licence) before trying to install any software, this will actually make the App centre operational.
  6. If you are planning on running a Windows compatible AD remember to install “Active Directory-compatible Domain Controller” which is NOT ON by default (and has to be on all member servers)
  7. If you need certificates for users/devices install Cool Solutions repo and the univention-usercert app
  8. If you intend to run your own mail server (even an internal one) make sure to check/correct SSL/TLS and protocol settings.
  9. Consider compatibility… We recently discovered that our network hardware vendor (spit!) has dropped OpenLDAP functionality in some of its products. This was never supported but it worked. You can’t use the protocol any more and there’s no credible communication from the vendor. (Windows ADDS support only)
  10. Document all that you do… it is a real minefield if you start mixing Linux command line, UCR and GUI. Some things are configurable here, there and everywhere; stick to one :wink:

Another thing, don’t try to be clever and start your domain name with numbers, e.g. 1337lab.lan
Although this is acceptable and will work, you will get places (in Windows especially) that will only show lab.lan, confusing things for everyone. I think this is down to Kerberos, and once it’s deployed, there’s no way of changing it.

I won’t go into detail of using RSATs, user naming convention, installing printers or configuring shares, but those are things worth considering too.

Finally, be aware that UCS 5.2 is around the corner - check compatibility and migrate early (read this)

Hope this helps
dzidek23

PS. Think of adding links to found resources into this post, for others who come and ask the same questions.
