Recommendation for UCS based AD Servers


#1

Just wondering what the recommendation is for installing the Windows AD Domain Controller on UCS.
We currently have 1 Master, 1 Backup and 1 Slave UCS Domain Controller. We are looking at installing the Windows Active Directory Compatible Domain Controller to act as our new Windows Domain Controller, and adding our Windows 7 & Windows 10 workstations to the Windows Domain on the UCS.

We have a question as to where we should land the Active Directory App. Is it recommended that it be installed on ALL UCS DCs (Master, Backup and Slaves, but not Members of course)? Or just installed on the Master and Backup UCS DCs? Or should it ONLY be installed on the MASTER UCS DC? Just wondering what is recommended or best practice.

We have only right now UCS DCs on the network, but would like to add a Windows AD so we can move off of a Windows Workgroup on our Windows systems.

Thanks,


#2

Hello Mr. Bonnel,
There is no general answer to this but as a rule of thumb: that depends a little on the number of clients you want to connect to the domain. If you connect only a few clients then you would only need to install the AD App on the master.

Best regards,
Jens Thorp-Hansen


#3

Thanks Jens,

Here is a little background. We have 5 sites. There is a VPN between all of the sites.

Site 0 has the 5 Windows Based workstations for staff which are currently in a workgroup only. There are NO Windows/Linux/UCS servers at this site yet. (Planned at some point, but none currently)

Site 1 has our UCS Master DC and UCS Backup DC, also has several Turnkey/Vendor Application Appliances and Linux database servers.

Sites 2, 3 and 4 have a single UCS Slave DC in each site, plus there are various Windows Application servers, Linux Application Servers, several UCS Member Servers acting as application servers and two UCS general purpose file servers spread across sites 2, 3 and 4.

I would like to migrate from a Windows workgroup to a single Windows Domain for the Windows Application Servers and Workstations. I am wondering if I need to install the Windows Active Directory Compatible Domain Controller at each UCS DC or just on the Master and Backup DCs.


#4

Mr. Bonnel,
Thank you for the clarification. Based on this, I can recommend the following:

Install the Windows Active Directory Compatible Domain Controller at Site1 on the UCS Master and Backup, then at Site0 install another Backup DC as the primary authentication server for this site. The clients/server at Site0 can authenticate against the on-site DC and, if that fails, can authenticate against the off-site Site1 DC.

Edit: We just discussed this in our support department and want to expand and clarify further on this.
-> If you have NT controllers on any master, backup or slave, you need to install the Windows Active Directory Compatible Domain Controller (Samba 4) there. If a backup or slave is not using Samba at the moment, you do not need to install Samba.

Here is some information that expands on the issue of Samba 3 / Samba 4 and may help further: wiki.univention.de/index.php?tit … to_Samba_4

Best regards,
Jens Thorp-Hansen