UCS 5.0 Fresh Install Fails to Join Existing Active Directory Domain

Hello everyone,

I’ve installed a fresh copy of UCS 5.0 (ISO) as a virtual machine on a new Synology NAS (RS2821RP+). The install completed successfully and without any errors. After the reboot I accessed the server via Google Chrome (Version 100.0.4896.127 (Official Build) (64-bit)) to complete the setup. I was able to choose my language and location settings, set up the static IP and then choose the option to join into an existing Microsoft Active Directory domain. The address of the domain controller and Username were prefilled with the correct info so I only had to type the Administrator password. When I click the next button I received an error.

An error occurred
Could not fulfill the request.
Server error message:
The connection to the Active Directory server was refused. Please recheck the password.


I was very careful to check my typing of the password and have even typed it in Notepad to copy and paste it into the password field.

I have also successfully joined client machines to this domain using the very same Administrator account and password.

As a workaround I created a new domain user and delegated control to join computers to the domain. Then I used this account to try and join the UCS server to the domain. This failed in the same way as the Administrator account.

On another attempt I checked the Google Chrome console and saw that there were several errors with status 408 (Request Timeout) and one of status 400 (Bad Request).


I also attempted to access the server and complete the setup using Mozilla Firefox (99.0.1 (64-bit)) to see if there was a problem with Chromium based browsers, but I experienced the exact same issue as on Google Chrome. Here is the output of the console during this attempt (the obfuscated line represents the FQDN of the server, abc-nas1.ad.org.com).


I’m not entirely certain where to go from here so I’m looking for some help from the community to see if I can be pointed in the right direction.

Thanks to anyone who reads this and can provide any assistance.

Here is some extra info that may help to understand the environment and possibly provide some clues:

Network

Currently using Ubiquiti UniFi security gateway and switches. Some VLANS have been created to separate devices but there are currently no firewall rules that would block traffic (Ubiquiti allows inter-VLAN traffic by default).

Server Network
Subnet: 10.1.10.0/24
VLAN: 10

Workstation Network
Subnet: 10.1.20.0/24
VLAN: 20
DHCP: DHCP Relay to 10.1.10.2

Domain
Synology Directory Server (Equivalent to Microsoft Windows Server 2008 R2)
Domain Name: ad(dot)org(dot)com
NetBIOS Name: org

Domain Controller
Synology NAS RS2821RP+ Running DSM 7.1
FQDN: abc-nas1(dot)ad(dot)org(dot)com
IP Address: 10.1.10.2/24 (Static)
Gateway: 10.1.10.1
VLAN: 10

UCS Server
Synology Virtual Machine (2 CPU Cores, 4 GB RAM)
FQDN: Was not asked for a hostname or domain during setup. Attempted manual hostname change to abc-ucs1 by editing /etc/hostname, /etc/hosts, and using hostnamectl set-hostname then rebooting.
IP Address: 10.1.10.4/24 (Static)
Gateway: 10.1.10.1
DNS 1: 10.1.10.2
DNS 2: 10.2.10.2 (A secondary NAS that hasn’t been configured yet)
VLAN: 10

Workstation
HP ProBook 650 G8
FQDN: ProBook-ABCDEF(dot)ad(dot)org(dot)com
IP Address: 10.1.20.123/24 (DHCP)
Gateway: 10.1.20.1
DNS 1: 10.1.10.2
DNS 2: 10.2.10.2 (A secondary NAS that hasn’t been configured yet)
VLAN: 20

Hi everyone, I have some more info to share.

I tested by installing UCS 4.4 in a VM and I’ve encountered the same issue with the password. The issue seems to be more likely on the Synology end. I’ll do some more research and report back later.

Hi everyone, I’ve confirmed the issue based on the Synology Directory Server manual.

The Compatibility and Limitations section lists the following limitation:

Synology Directory Server supports a single domain and a single domain controller only

Therefore I have switched away from using the Synology Directory Server in favour of running a full UCS Primary Directory Node in a VM.

Have a great day!

Their AD integration is broken… and in some cases to fix it or security issues you need to update every package on your NAS… at which point many become unsupported.

I would recommend that anyone thinking of using Synology or getting ready to replace equipment DOES NOT.

They are continually removing functionality every software revision & now are requiring licensing for the most basic of items.

Air gapping is also becoming impossible: the NAS requires a permanent connection to the internet to “validate” package licences.

I get a different error. I submitted the error message during the install.

It seems the installer can’t find SAMBA package error = package does not exist.

Has anyone successfully joined an existing Active Directory at installation time?

A few things to note:
After the installation, logging into UCS web interface > app center, I’m not able to find Windows Member.
Also /etc/samba/smb.conf had default info like workgroup = WORKGROUP.

I was able to get UCS to join Active Directory on a second attempt (during the installation process via “try again”).

For some reason, not all users were synced with UCS. For the users that were synced, not all attributes were synced, most importantly email field was not.

I want to join UCS and use Google Sync for the users.

Does anyone have success running UCS with Active Directory being the primary directory?

In the registry, I found “connector/ad/mapping/container/ignorelist” which had “mail,kerberos” listed. I removed mail as I want it to sync, but even after disable/enable sync + reboot, email attribute still won’t sync.

Did you configure the email domain in UCS? If not, all users with email addresses won't be synced.

Thank you @externa1, where do I find the setting for email domain? I don’t see it in the registry.

I found where to add an email domain (domain > mail > new domain), but the attribute still won’t sync.

Yes, that's the right place - domain-mail-new-domain - add your email domain there (the one assigned to the existing users, e.g. mycompany.com).

rg
Christian

Thank you, I went into Active Directory, removed the email address, saved, then added it back. Now it shows in UCS. Now it’s time to try Google Sync/Auth!

Cheers @externa1!

Well I stupidly locked myself out of my Google Workspace :frowning:

For the password in Active Directory to work with Google SSO, do I need to remove Kerberos from:
“connector/ad/mapping/container/ignorelist”?

Google Workspace shows my password as being changed in the past hour. So it seems to be reading the wrong info or not correctly reading the password.

I can log into UCS with my user/password, but when I try to use Google SSO, I get the following error:
Google Workspace - This service cannot be accessed because your login request contained invalid recipient information. Please log in and try again.

I think because I have multiple domains in my Workspace, the primary is being used and not the domain that my user account is under. I may need to undo my steps and start over.

A couple of things that may be an issue:

My primary google domain is different from the domain I’m trying to use with Google Sync and UCS
UCS is behind NAT and not using a public domain. Do I need to forward ports to my UCS for the google sync to work?

I see in /var/log/univention/listener.log after enabling google sync for my user account:
googleapiclient.errors.HttpError: <HttpError 400 when requesting https://admin.googleapis.com/admin/directory/v1/users/116445428751042532711?prettyPrint=false returned “Admin cannot delete self.”>

If I set up a user that does not exist in Google via UCS, the user gets created in Google Workspace, but the user can not authenticate. I get the error:
This service cannot be accessed because your login request contained invalid recipient information. Please log in and try again.

EDIT: It works! I had to go through the UCS wizard for the Google Connector. I changed the “authorized domain” to the primary domain of my Google tenant, rather than the domain I’m using for email addresses.

Thanks for the help!
