SBS 2011 vs UCS4.3 vs Windows 10 issues

UCS - Univention Corporate Server
#1

Hiya,
after the installation of a new UCS 4.3 system - as member of an existing SBS 2011 (2008 R2) AD-Infrastructure, I am running into the following issues:

  1. After install, Windows 10 Clients were not able to use resources on the Windows SBS Server.
    Cause: Clients get IP Address from UCS DHCP Server. Primary DNS Address is the UCS Server. The UCS DNS Server did not have any records fro the Windows AD controller!
    Resolution: Added DNS A and PTR records to correpsonding DNS zones on UCS server.

  2. Logon: As of the installation of the UCS Server, Windows 10 Clients will not automatically offer to log on to their domain.
    Cause: Unknown
    Workaround: Users need to click on “Log on as a different user”. Only then the domain is being offered / entered again and resources (Home Drive etc) are being mapped.
    Resolution: I changed the LDAP and Kerberos entries on the forward lookup zone to match those as shown below after “What bothers me”, topic 2. A restart of one of the Windows Clients showed immediate result: Clean login, all resources immediately available.

  3. Netlogon not visible / readable anymore for normal users. After logon, resources might be missing. Trying to execute the loginscript in Netlogon fails on BOTH servers (Windows and UCS). Upon openening Netlogon, Windows 10 will ask for credentials. Domain Users will not be granted access, only Domain Admins can access the loginscript.bat. Share- and File access rights have been set / changed - all to no avail.
    Cause: Unknown
    Workaround: This seems to be connected with the faulty DNS entries under 2

What bothers me:

  1. According to the manual, Samba4 should be installed (automatically?). It isn’t. AD connector is running and shows no errors.
  2. The actual Windows DC was not entered as a DNS record on UCS during install. (Manually corrected)
  3. Web-Interface DNS shows SRV records (Kerberos etc) - all pointing towards the UCS server.
    "host -al domain.local | grep “SRV” shows SRV records … all pointing towards the Windows SBS server.
    I am not sure, this is wanted behaviour on a clean, new setup. This apparently caused massive login / auth issues, as apparently the LDAP / Kerberos SRV entries point towards the UCS server now
  4. Despite all the issues above: I can log on to the UCS Server using the Domain-Admin credentials. Users are also able to use the resources offered by the UCS server (Fileshares).

Am I missing something?

Cheers
JK

Mastodon