Rejoining a UCS@school Replica Node After Accidental Removal from Domain
Problem
A school replica node (Replica Directory Node) was accidentally removed from the domain. This can happen, and as a result the command univention-check-join-status on the replica no longer succeeds.
Root Cause
The computer object for the school replica is no longer present on the Primary Directory Node (the main and only writable LDAP server).
A plain univention-join does not create the computer object in the position that a school environment requires (inside the school OU). As a result, the school replica cannot be properly joined to the domain.
This is how the computer object of a school replica looks after a plain join:
root@ucs5primary:~/univention-support# udm computers/domaincontroller_slave list --filter cn=ucsscool-replica
cn=ucsscool-replica
DN: cn=ucsscool-replica,cn=dc,cn=computers,dc=univention,dc=intranet
The computer object was created directly under cn=dc,cn=computers as a generic Replica Directory Node and is therefore not located inside a school OU.
As a result, the attribute that is required for a school server is missing:
ucsschoolRole: dc_slave_edu:school:GSN
Investigation
The logs on the Primary Directory Node show that the school replica was removed.
A grep over the Univention logs identifies this quickly:
zgrep -i <hostname> /var/log/univention/* | less
/var/log/univention/connector-s4.log.1.gz:2026-04-09T14:22:11.925275+02:00 PROCESS [ -] sync UCS > AD: [ dc] [ delete] 'cn=ucsscool-replica,cn=dc,cn=server,cn=computers,ou=gsn,DC=univention,DC=intranet' | pid=418409 logname=LDAP.univention.s4connector.s4 func=__init__.sync_from_ucs:2001
/var/log/univention/connector-s4.log.1.gz:2026-04-09T14:22:12.105319+02:00 PROCESS [ -] sync UCS > AD: [ dns] [ delete] 'dc=ucsscool-replica,dc=univention.intranet,cn=microsoftdns,dc=domaindnszones,DC=univention,DC=intranet' | pid=418409 logname=LDAP.univention.s4connector.s4 func=__init__.sync_from_ucs:2001
/var/log/univention/connector-s4.log.1.gz:2026-04-09T14:22:14.208941+02:00 PROCESS [ -] sync AD > UCS: [ dc] [ delete] 'cn=ucsscool-replica\nDEL:4b017771-5f35-47c3-a481-08295b8c9084,cn=dc,cn=server,cn=computers,ou=gsn,dc=univention,dc=intranet' | pid=418409 logname=LDAP.univention.s4connector func=__init__.sync_to_ucs:1376
/var/log/univention/connector-s4.log.1.gz:2026-04-09T14:22:14.209148+02:00 PROCESS [ -] sync AD > UCS: [ dc] [ delete] 'cn=ucsscool-replica\nDEL:4b017771-5f35-47c3-a481-08295b8c9084,cn=dc,cn=server,cn=computers,ou=gsn,dc=univention,dc=intranet': ignore, object to delete doesn't exists | pid=418409 logname=LDAP.univention.s4connector func=__init__.sync_to_ucs:1446
/var/log/univention/connector-s4.log.1.gz:2026-04-09T14:22:14.266925+02:00 PROCESS [ -] sync AD > UCS: [ dns] [ delete] 'relativeDomainName=ucsscool-replica\nDEL:1eb8ab50-563f-4860-adc9-19c900d40a5c,zonename=univention.intranet,cn=dns,dc=univention,dc=intranet' |
/var/log/univention/listener.log.12.gz:2026-01-21T01:04:11.575149+01:00 PROCESS updating 'cn=ucsscool-replica,cn=dc,cn=server,cn=computers,ou=GSN,dc=univention,dc=intranet' command m
/var/log/univention/listener.log.12.gz:2026-01-21T01:04:34.496009+01:00 PROCESS updating 'cn=ucsscool-replica,cn=dc,cn=server,cn=computers,ou=gsn,dc=univention,dc=intranet' command m
/var/log/univention/listener.log.1.gz:2026-04-09T14:22:06.229672+02:00 PROCESS updating 'cn=ucsscool-replica,cn=dc,cn=server,cn=computers,ou=GSN,dc=univention,dc=intranet' command d
/var/log/univention/listener.log.1.gz:Revoke certificates: ucsscool-replica.univention.intranet
/var/log/univention/listener.log.1.gz:Revoke certificates: *.ucsscool-replica.univention.intranet
/var/log/univention/listener.log.1.gz:no certificate for *.ucsscool-replica.univention.intranet registered
/var/log/univention/listener.log.1.gz:2026-04-09T14:22:08.658475+02:00 PROCESS updating 'relativeDomainName=ucsscool-replica,zoneName=univention.intranet,cn=dns,dc=univention,dc=intranet' command d
The full entry on the Primary Directory Node in /var/log/univention/listener.log.1.gz:
2026-04-09T14:22:06.211997+02:00 PROCESS connecting to ldap://ucs5primary.univention.intranet:7389
2026-04-09T14:22:06.229672+02:00 PROCESS updating 'cn=ucsscool-replica,cn=dc,cn=server,cn=computers,ou=GSN,dc=univention,dc=intranet' command d
Revoke certificates: ucsscool-replica.univention.intranet
Using configuration from /etc/univention/ssl/openssl.cnf
Revoking Certificate 0B.
Database updated
Using configuration from /etc/univention/ssl/openssl.cnf
Revoke certificates: *.ucsscool-replica.univention.intranet
awk: Warnung: Escapesequenz »\*« wird wie ein normales »*« behandelt
no certificate for *.ucsscool-replica.univention.intranet registered
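The grep above finds the relevant entries by hostname. As an added example that is not part of the original article, the following Python parses listener.log lines of the format shown here and reports deletions (command d) of Replica Directory Node computer objects, telling those inside a school OU apart from those joined directly under cn=dc,cn=computers. The sample lines are constructed from the excerpt above.

```python
import re
from typing import Dict, List, Optional

# Constructed sample in the format of /var/log/univention/listener.log:
# one modification and one deletion of the school replica object, a
# connection message, a certificate line and an unrelated DNS deletion.
SAMPLE_LISTENER_LOG = """\
2026-01-21T01:04:11.575149+01:00 PROCESS updating 'cn=ucsscool-replica,cn=dc,cn=server,cn=computers,ou=GSN,dc=univention,dc=intranet' command m
2026-04-09T14:22:06.211997+02:00 PROCESS connecting to ldap://ucs5primary.univention.intranet:7389
2026-04-09T14:22:06.229672+02:00 PROCESS updating 'cn=ucsscool-replica,cn=dc,cn=server,cn=computers,ou=GSN,dc=univention,dc=intranet' command d
Revoke certificates: ucsscool-replica.univention.intranet
2026-04-09T14:22:08.658475+02:00 PROCESS updating 'relativeDomainName=ucsscool-replica,zoneName=univention.intranet,cn=dns,dc=univention,dc=intranet' command d
"""

# "<timestamp> PROCESS updating '<dn>' command <m|d|...>"
LINE_RE = re.compile(r"^(?P<ts>\S+) PROCESS updating '(?P<dn>[^']+)' command (?P<cmd>[a-z])$")
# School replica: cn=<host>,cn=dc,cn=server,cn=computers,ou=<school>,...
SCHOOL_DC_RE = re.compile(r"^cn=(?P<host>[^,]+),cn=dc,cn=server,cn=computers,ou=(?P<ou>[^,]+),", re.I)
# Replica joined without a school OU: cn=<host>,cn=dc,cn=computers,...
PLAIN_DC_RE = re.compile(r"^cn=(?P<host>[^,]+),cn=dc,cn=computers,", re.I)


def parse_listener_line(line: str) -> Optional[Dict[str, str]]:
    """Return {'ts', 'dn', 'cmd'} for an 'updating ... command X' line, else None."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_dc_deletions(log_text: str) -> List[Dict[str, Optional[str]]]:
    """List every deletion (command d) of a Replica Directory Node computer object.
    'school' is the OU name for school replicas and None for plain replicas."""
    findings: List[Dict[str, Optional[str]]] = []
    for line in log_text.splitlines():
        rec = parse_listener_line(line)
        if rec is None or rec["cmd"] != "d":
            continue
        school = SCHOOL_DC_RE.match(rec["dn"])
        plain = PLAIN_DC_RE.match(rec["dn"])
        if school:
            findings.append({"ts": rec["ts"], "host": school["host"], "school": school["ou"], "dn": rec["dn"]})
        elif plain:
            findings.append({"ts": rec["ts"], "host": plain["host"], "school": None, "dn": rec["dn"]})
    return findings


if __name__ == "__main__":
    for f in find_dc_deletions(SAMPLE_LISTENER_LOG):
        print("%s deleted replica %s (school OU: %s)" % (f["ts"], f["host"], f["school"]))
```

Run against `zcat /var/log/univention/listener.log*.gz` output, the same function reports every deleted replica account with its timestamp and OU.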
On the school replica, univention-join -verbose fails, and its output states what must happen before rejoining: the nameserver settings must be adjusted and the computer object must be recreated correctly on the Primary Directory Node:
root@ucsscool-replica:~# /usr/sbin/univention-join -verbose
univention-join: joins a computer to an ucs domain
copyright (c) 2001-2025 Univention GmbH, Germany
Enter Primary Directory Node Account : Administrator
Enter Primary Directory Node Password:
Search Primary Directory Node: done
Check Primary Directory Node: done
Stop S4-Connector: done
Stop LDAP Server: done
Stop Samba Server: done
Search ldap/base done
Start LDAP Server: done
Search LDAP binddn done
Running pre-join hook(s): done
Join Computer Account: done
Stopping univention-directory-notifier daemon: done
Stopping univention-directory-listener daemon: done
Sync ldap-backup.secret: done
Check TLS connection: done
Download host certificate: done
Restart LDAP Server: done
Sync Kerberos settings: done
Not updating kerberos/adminserver
Running pre-joinscripts hook(s): done
Configure 00ucs-school-app-version-check.inst done
Configure 00ucs-school-replica-check-ou.inst failed
**************************************************************************
* Join failed! *
* Contact your system administrator *
**************************************************************************
* Message: Please visit https://help.univention.com/t/8842 for common problems during the join and how to fix them -- FAILED: 00ucs-school-replica-check-ou.inst
From /var/log/univention/join.log of the school replica:
root@ucsscool-replica:~# less /var/log/univention/join.log
Tue Dec 5 11:55:01 CET 2023: starting /usr/sbin/univention-join -dcname ucs5primary.univention.intranet -dcaccount Administrator -dcpwd /var/cache/univention-system-setup/secret -checkPrerequisites
running version check
OK: UCS version on ucs5primary.univention.intranet is higher or equal (5.05) to the local version (5.05).
Check if /var/lib/univention-directory-replication/failed.ldif exists
Tue Dec 5 11:55:07 CET 2023: finish /usr/sbin/univention-join
Tue Dec 5 12:00:17 CET 2023: starting /usr/share/univention-join/univention-join -dcname ucs5primary.univention.intranet -dcaccount Administrator -dcpwd /tmp/tmp.6H4GxO0OZA
running version check
OK: UCS version on ucs5primary.univention.intranet is higher or equal (5.05) to the local version (5.05).
Check if /var/lib/univention-directory-replication/failed.ldif exists
Stopping slapd (via systemctl): slapd.service.
Starting slapd (via systemctl): slapd.service.
Tue Dec 5 12:00:27 CET 2023
univention-join-hooks: looking for hook type "join/pre-join" on ucs5primary.univention.intranet
Found hooks:
cn=ensure-minmum-ucs-version,cn=data,cn=univention,dc=univention,dc=intranet
Running: ensure-minmum-ucs-version (cn=ensure-minmum-ucs-version,cn=data,cn=univention,dc=univention,dc=intranet) in /tmp/tmp5ogwyb4p/tmpqeqadm__
univention-server-join: joins a server to an univention domain
copyright (c) 2001-2023 Univention GmbH, Germany
ldap_dn="cn=ucsscool-replica,cn=dc,cn=server,cn=computers,ou=GSN,dc=univention,dc=intranet"
Setting hostname
Create ldap/hostdn
Multifile: /etc/ldap/slapd.conf
Multifile: /etc/postfix/ldap.virtualwithcanonical
File: /usr/lib/univention-portal/config/config.json
Multifile: /etc/postfix/ldap.saslusermapping
Multifile: /etc/postfix/ldap.groups
File: /etc/hostname
File: /etc/pam.d/smtp
File: /etc/apache2/sso-vhost.conf.d/01redirect.conf
Multifile: /etc/postfix/ldap.sharedfolderlocal_aliases
Multifile: /etc/postfix/ldap.sharedfolderlocal
File: /etc/dhcp/dhclient.conf
Multifile: /etc/postfix/ldap.distlist
File: /etc/libnss-ldap.conf
Multifile: /etc/postfix/main.cf
File: /etc/welcome.msg
Multifile: /etc/postfix/ldap.external_aliases
Multifile: /etc/postfix/ldap.canonicalsender
Multifile: /etc/postfix/ldap.virtual_mailbox
Multifile: /etc/postfix/ldap.virtualdomains
File: /etc/issue
Multifile: /etc/postfix/ldap.virtual
Multifile: /etc/postfix/ldap.canonicalrecipient
File: /etc/mailname
Multifile: /etc/postfix/ldap.transport
File: /etc/apache2/conf-available/ucs.conf
Multifile: /etc/hosts
Multifile: /etc/apache2/sites-available/default-ssl.conf
File: /etc/pam_ldap.conf
Multifile: /etc/postfix/ldap.sharedfolderremote
Multifile: /etc/pam.d/univention-management-console
File: /etc/cron.d/univention-directory-policy
File: /etc/default/univention-directory-listener
Failed to stop univention-directory-notifier.service: Unit univention-directory-notifier.service not loaded.
Setting ldap/server/name
Setting ldap/server/ip
Not updating ldap/server/port
Create ldap/master
Create ldap/master/port
Setting ldap/server/type
Multifile: /etc/postfix/ldap.external_aliases
...skipping...
This problem may be resolved by the following action on the Primary Directory Node:
+ echo '1) Remove the Replica Directory Node computer account: '
1) Remove the Replica Directory Node computer account:
+ echo ' # udm computers/domaincontroller_slave remove "--dn=cn=ucsscool-replica,cn=dc,cn=computers,dc=univention,dc=intranet"'
# udm computers/domaincontroller_slave remove "--dn=cn=ucsscool-replica,cn=dc,cn=computers,dc=univention,dc=intranet"
+ echo '2) Create the Replica Directory Node computer account with the correct settings:'
2) Create the Replica Directory Node computer account with the correct settings:
+ echo ' # cd /usr/share/ucs-school-import/scripts/'
# cd /usr/share/ucs-school-import/scripts/
+ echo ' # ./create_ou <OU (abbreviation of school)> ucsscool-replica'
# ./create_ou <OU (abbreviation of school)> ucsscool-replica
+ echo 'Then rejoin the Replica Directory Node, after rebooting it, by running this on the Replica Directory Node:'
Then rejoin the Replica Directory Node, after rebooting it, by running this on the Replica Directory Node:
+ echo ' # ucr set nameserver1=<IP of Primary Directory Node> nameserver2= nameserver3='
# ucr set nameserver1=<IP of Primary Directory Node> nameserver2= nameserver3=
+ echo ' # univention-join -dcname <FQDN of Primary Directory Node>'
# univention-join -dcname <FQDN of Primary Directory Node>
+ exit 1
Solution
On the Primary Directory Node:
- Remove the misplaced computer object:
udm computers/domaincontroller_slave remove "--dn=cn=ucsscool-replica,cn=dc,cn=computers,dc=univention,dc=intranet"
- Create the Replica Directory Node computer account with the correct settings (here for the school OU GSN):
cd /usr/share/ucs-school-import/scripts/
./create_ou GSN ucsscool-replica
On the school replica:
- Set nameserver1 to the IP address of the Primary Directory Node:
ucr set nameserver1=<IP of Primary Directory Node>
- (Optional) Check for and remove additional nameserver settings:
ucr search --brief nameserver
ucr unset nameserver2 nameserver3
- Join the school replica into the domain:
univention-join -dcname ucs5primary.univention.intranet
Additional
If the OU for the school already exists and only the computer object was removed, the output may look like this:
root@ucs5primary:/usr/share/ucs-school-import/scripts# ./create_ou GSN ucsscool-replica
Create OU: 'GSN'
Searching for hooks of type 'Hook' in: /var/lib/ucs-school-lib/hooks...
Found hook classes:
Loaded hooks: {}.
Creating School(name='GSN', dn="'ou=GSN,dc=univention,dc=intranet'") failed (maybe it already exists?)! Trying to set it up nonetheless
Modifying School(name='GSN', dn="'ou=GSN,dc=univention,dc=intranet'")
School(name='GSN', dn="'ou=GSN,dc=univention,dc=intranet'") successfully modified
Creating Container(name='schueler', school='GSN', dn='cn=schueler,cn=users,ou=GSN,dc=univention,dc=intranet', old_dn='cn=schueler,ou=GSN,dc=univention,dc=intranet')
Creating Container(name='lehrer', school='GSN', dn='cn=lehrer,cn=users,ou=GSN,dc=univention,dc=intranet', old_dn='cn=lehrer,ou=GSN,dc=univention,dc=intranet')
...
SchoolDCSlave(name='ucsscool-replica', school='GSN', dn='cn=ucsscool-replica,cn=dc,cn=server,cn=computers,ou=GSN,dc=univention,dc=intranet') successfully created
Correct Computer Object Example
cn=ucsscool-replica
DN: cn=ucsscool-replica,cn=dc,cn=server,cn=computers,ou=GSN,dc=univention,dc=intranet
description: None
dnsEntryZoneForward: zoneName=univention.intranet,cn=dns,dc=univention,dc=intranet 10.40.10.1
dnsEntryZoneReverse: zoneName=10.40.10.in-addr.arpa,cn=dns,dc=univention,dc=intranet 10.40.10.1
domain: None
fqdn: None
groups: cn=DC Slave Hosts,cn=groups,dc=univention,dc=intranet
groups: cn=DC-Edukativnetz,cn=ucsschool,cn=groups,dc=univention,dc=intranet
groups: cn=OUgsn-DC-Edukativnetz,cn=ucsschool,cn=groups,dc=univention,dc=intranet
name: ucsscool-replica
network: None
operatingSystem: None
operatingSystemVersion: None
password: None
primaryGroup: cn=DC Slave Hosts,cn=groups,dc=univention,dc=intranet
reinstall: None
reinstalloption: None
sambaRID: 14672
serverRole: slave
shell: /bin/bash
ucsschoolRole: dc_slave_edu:school:GSN
univentionObjectIdentifier: 9fb4f6c2-2256-45f5-853b-5a878ad0e942
unixhome: /dev/null
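As an added check that is not part of the article and not a Univention tool, the following Python parses `udm computers/domaincontroller_slave list` output in the format shown above and verifies the two points from the Root Cause section: the object sits under cn=dc,cn=server,cn=computers inside the school OU, and it carries ucsschoolRole dc_slave_edu:school:<OU>. The two sample objects are constructed from the article's wrongly joined and correctly placed examples.

```python
import re
from typing import Dict, List

# Constructed excerpts of `udm computers/domaincontroller_slave list` output,
# modelled on the two objects in this article: the one created by a plain join
# (directly under cn=dc,cn=computers) and the correctly placed school replica.
WRONG_OBJECT = """\
cn=ucsscool-replica
DN: cn=ucsscool-replica,cn=dc,cn=computers,dc=univention,dc=intranet
  name: ucsscool-replica
  serverRole: slave
"""
CORRECT_OBJECT = """\
cn=ucsscool-replica
DN: cn=ucsscool-replica,cn=dc,cn=server,cn=computers,ou=GSN,dc=univention,dc=intranet
  groups: cn=DC Slave Hosts,cn=groups,dc=univention,dc=intranet
  groups: cn=OUgsn-DC-Edukativnetz,cn=ucsschool,cn=groups,dc=univention,dc=intranet
  name: ucsscool-replica
  serverRole: slave
  ucsschoolRole: dc_slave_edu:school:GSN
"""


def parse_udm_object(text: str) -> Dict[str, List[str]]:
    """Parse one object of `udm ... list` output into {attribute: [values]}.
    Repeated attributes (for example groups) collect all their values."""
    attrs: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if ": " not in line:
            continue  # object header line such as "cn=ucsscool-replica"
        key, value = line.split(": ", 1)
        attrs.setdefault(key, []).append(value)
    return attrs


def check_school_replica(attrs: Dict[str, List[str]], school: str) -> List[str]:
    """Return the problems that make this object unusable as the replica of
    `school`; an empty list means the object is placed and tagged correctly."""
    problems: List[str] = []
    dn = attrs.get("DN", [""])[0]
    expected_dn = re.compile(
        r"^cn=[^,]+,cn=dc,cn=server,cn=computers,ou=%s," % re.escape(school), re.I)
    if not expected_dn.match(dn):
        problems.append("DN is not below cn=dc,cn=server,cn=computers,ou=%s: %s" % (school, dn))
    expected_role = "dc_slave_edu:school:%s" % school
    if expected_role not in attrs.get("ucsschoolRole", []):
        problems.append("missing attribute ucsschoolRole: %s" % expected_role)
    return problems


if __name__ == "__main__":
    for label, text in (("plain join", WRONG_OBJECT), ("create_ou", CORRECT_OBJECT)):
        print(label, check_school_replica(parse_udm_object(text), "GSN") or "OK")
```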