UCS AD Connector and Windows 2012 Domain


#1

I am trying to join my UCS Master to a Windows 2012 Domain. I have installed the UCS AD connector. No errors/issues with the install.

However, upon attempting to join the domain (bebconsultingservices.com / BEBCONSULTING) it fails (screenshot of error); this happens regardless of what option I select for the AD connector.

The log files below are empty, so that provides me with NO clues on a problem or fix.

/var/log/univention/connector-status.log
/var/log/univention/connector.log
/var/log/univention/ad-connector-certificate.log

I am not trying to take OVER the Windows 2012 Domain. I am trying to either have the UCS Master run within the Windows 2012 domain or alongside it for applications and services.

The only error in /var/log/univention/management-console-module-adconnector.log is below; however, the domain controller, username and password are correct when used.

21.11.16 10:38:28.022 MODULE ( PROCESS ) : stderr:
21.11.16 10:38:28.119 MODULE ( PROCESS ) : AD Info: {'Domain': 'bebconsultingservices.com', 'LDAP Base': 'DC=bebconsultingservices,DC=com', 'Forest': 'bebconsultingservices.com', 'Client Site': 'Default-First-Site-Name', 'DC Netbios Name': 'BEBW12MTASVRP1', 'DC DNS Name': 'BEBW12MTASVRP1.bebconsultingservices.com', 'Netbios Domain': 'BEBCONSULTING', 'DC IP': '104.153.46.198', 'Server Site': 'Default-First-Site-Name'}
21.11.16 10:38:28.226 MODULE ( WARN ) : Failure:
21.11.16 10:38:28.226 MODULE ( PROCESS ) : The command has failed: Could not connect to AD Server BEBW12MTASVRP1.bebconsultingservices.com. Please verify that username and password are correct.
21.11.16 10:39:44.070 MODULE ( PROCESS ) : Lookup ADDS DC
21.11.16 10:39:44.077 MODULE ( PROCESS ) : running ['dig', '@104.153.46.198', 'bebw12mtasvrp1.bebconsultingservices.com', '+short']
21.11.16 10:39:44.143 MODULE ( PROCESS ) : stdout: 104.153.46.198

21.11.16 10:39:44.143 MODULE ( PROCESS ) : stderr:
21.11.16 10:39:44.190 MODULE ( PROCESS ) : running ['dig', '@104.153.46.198']
21.11.16 10:39:44.244 MODULE ( PROCESS ) : stdout:
; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> @104.153.46.198
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32191
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 12

;; QUESTION SECTION:
;. IN NS

;; ANSWER SECTION:
. 1238 IN NS m.root-servers.net.
. 1238 IN NS c.root-servers.net.
. 1238 IN NS d.root-servers.net.
. 1238 IN NS j.root-servers.net.
. 1238 IN NS g.root-servers.net.
. 1238 IN NS l.root-servers.net.
. 1238 IN NS i.root-servers.net.
. 1238 IN NS e.root-servers.net.
. 1238 IN NS h.root-servers.net.
. 1238 IN NS f.root-servers.net.
. 1238 IN NS b.root-servers.net.
. 1238 IN NS a.root-servers.net.
. 1238 IN NS k.root-servers.net.

;; ADDITIONAL SECTION:
m.root-servers.net. 22732 IN A 202.12.27.33
m.root-servers.net. 22732 IN AAAA 2001:dc3::35
c.root-servers.net. 22732 IN A 192.33.4.12
c.root-servers.net. 22732 IN AAAA 2001:500:2::c
d.root-servers.net. 22732 IN A 199.7.91.13
d.root-servers.net. 22732 IN AAAA 2001:500:2d::d
j.root-servers.net. 22732 IN A 192.58.128.30
j.root-servers.net. 22732 IN AAAA 2001:503:c27::2:30
g.root-servers.net. 22732 IN A 192.112.36.4
g.root-servers.net. 22732 IN AAAA 2001:500:12::d0d
l.root-servers.net. 22732 IN A 199.7.83.42
l.root-servers.net. 22732 IN AAAA 2001:500:9f::42

;; Query time: 46 msec
;; SERVER: 104.153.46.198#53(104.153.46.198)
;; WHEN: Mon Nov 21 10:39:44 2016
;; MSG SIZE rcvd: 505

21.11.16 10:39:44.244 MODULE ( PROCESS ) : stderr:
21.11.16 10:39:44.336 MODULE ( PROCESS ) : AD Info: {'Domain': 'bebconsultingservices.com', 'LDAP Base': 'DC=bebconsultingservices,DC=com', 'Forest': 'bebconsultingservices.com', 'Client Site': 'Default-First-Site-Name', 'DC Netbios Name': 'BEBW12MTASVRP1', 'DC DNS Name': 'BEBW12MTASVRP1.bebconsultingservices.com', 'Netbios Domain': 'BEBCONSULTING', 'DC IP': '104.153.46.198', 'Server Site': 'Default-First-Site-Name'}
21.11.16 10:39:44.446 MODULE ( WARN ) : Failure:
21.11.16 10:39:44.446 MODULE ( PROCESS ) : The command has failed: Could not connect to AD Server BEBW12MTASVRP1.bebconsultingservices.com. Please verify that username and password are correct.
21.11.16 10:49:44.309 MAIN ( WARN ) : Shutting down all open connections



#2

Hi,

I am sorry to point out the obvious, but the following message seems clear:

21.11.16 10:39:44.446 MODULE ( PROCESS ) : The command has failed: Could not connect to AD Server BEBW12MTASVRP1.bebconsultingservices.com. Please verify that username and password are correct.

Either the username/password combination is wrong, or the username is not allowed to do that (though I would then expect something along the lines of “insufficient access”). Since you are able to install the ad-connector later, did you already install the UCS and test the connection and then install the ad-connector? Are you able to reset the password of the username to a simpler one and try again?

Kind Regards


#3

did you already install the ucs and test the connection and then install the ad-connector?

The Windows 2012 AD is pingable from the UCS Server. NSLookup works fine as well as traceroute in both directions.

Are you able to reset the password to the username to a simpler one and try again?

We have reset the password, but can’t use a simpler one as there are password complexity requirements. (no special characters, but does have mixed case and numbers)


#4

Correction…

Apparently NSLOOKUP works going from the Windows Domain Server to the UCS Master, but fails when going from the UCS Master to the Windows 2012 Domain Server.

However, it should resolve, as we have the Primary and Secondary Windows Domain Servers as Primary and Secondary UCS External DNS. Not sure why it is NOT resolving UCS -> W12 but W12 -> UCS works.

I am also seeing that only the UCS Master is in the resolv.conf file…

root@bebucsmtasvrp5:/etc# cat resolv.conf
# Warning: This file is auto-generated and might be overwritten by
#          univention-config-registry.
#          Please edit the following file(s) instead:
# Warnung: Diese Datei wurde automatisch generiert und kann durch
#          univention-config-registry überschrieben werden.
#          Bitte bearbeiten Sie an Stelle dessen die folgende(n) Datei(en):
#
#       /etc/univention/templates/files/etc/resolv.conf
#
domain bebconsultingservices.com
nameserver 64.111.20.203
options timeout:2

Not sure why the external DNS servers are not showing in resolv.conf and why it is not using them to resolve DNS FQDNs.

I am also seeing that the UCS NetBIOS Domain Name is WRONG:
windowsdomain shows as BEBCONSULTINGSE and the Windows Domain is BEBCONSULTING

Is this possibly a bug with 4.1.4?




#5

Is that a new UCS setup? I am asking because you have “domain bebconsultingservices.com” in the resolv.conf, which results in “BEBCONSULTINGSE(rvices.com)” in windows/domain.
Did you use the instructions in the documentation regarding the AD-Membermode? http://docs.software-univention.de/manual-4.1.html#ad-connector:ad-member-einrichtung:

I would also have a look at the nameserver-variables and set only the AD master as nameserver1 (dropping the rest):

[code]# ucr set nameserver1=
# ucr unset nameserver2 nameserver3[/code]


#6

Yes this is a NEW UCS Install in an EXISTING Windows 2012/2008 Domain called FQDN “bebconsultingservices.com” or in NetBIOS “BEBCONSULTING”

I followed the instructions for AD Connector docs.software-univention.de/manu … inrichtung: and it fails with the error in this thread. No matter which option I use.

The FQDN for the UCS is bebucsmtasvrp5.bebconsultingservices.com. The FQDN for the Windows domain server is bebw12mtasvrp1.bebconsultingservices.com and the backup Windows domain server is bebw12mtasvrp2.bebconsultingservices.com.

I’m trying to get the UCS installed as a member of the Windows 2012/2008 domain so that users of the UCS can access the resources/application on the Windows Domain and users of the Windows Domain can access resources/applications on the UCS Domain. Ideally both having the FQDN Windows domain of “bebconsultingservices.com” and using NETBIOS as BEBCONSULTING.


#7

I just installed a Windows Server 2012 with a name like yours and the domain “bebconsultingservice.com” - as netbiosname (Pre-Windows 2000) I configured “bebconsulting”.
I then installed a new 4.1-4. At the IP configuration I chose an IP and set the DNS Server to the AD Server.
I then chose to “install in existing AD Domain” - the setup then did a lookup for the AD server and presented me with: “bebw12mtasvrp1.bebconsultingservices.com” as server to join to.
I set AD Administrator and Password and at the name configuration I just set “bebucsmtasvrp5” as local name.
The setup then asked which apps to install and I chose “Active Directory Connection”.

Afterwards, the installation started and finished without errors.

I get this at the UCS Server:

root@bebucsmtasvrp5:~# ucr search windows/domain
windows/domain: BEBCONSULTING
 The NetBIOS domain name (used in Samba 3, Samba 4 predominantly uses the DNS/Kerberos domainname).

This seems to work fine - can you check if you did something different or tell if you encountered errors along the way?


#8

The only thing I have done different was set the UCS DNS #1 to itself (64.111.20.203) and the Windows AD (104.153.46.198) as the External DNS #1.

I also set the UCS local name to the FQDN (bebucsmtasvrp5.bebconsultingservices.com), as when I use just “bebucsmtasvrp5” the UCS server can’t resolve itself. nslookup fails with just “bebucsmtasvrp5” but works fine with “bebucsmtasvrp5.bebconsultingservices.com” when resolving the hostname.

When I select to install app and select “Active Directory Connection” it starts but then fails stating that it can not join because of the error “Could not connect to AD Server BEBW12MTASVRP1.bebconsultingservices.com. Please verify that username and password are correct”

Then it gives me the option of “Back” or “Reboot”.


#9

I just tried again with a new host name, following the process you listed. It still fails with Connection Refused.

The Domain is set as a Windows 2003 Domain Level for the Domain and Forest.

The password and user being used are correct.





#10

Hi,

Is it possible to try the process exactly as I mentioned and tell me the results?

  • Install a new 4.1-4
  • At the IP configuration choose an IP and set the DNS Server to the AD Server (and no other! The own IP as nameserver will be automatically set after the join-process)
  • “Install in existing AD Domain” -> the setup should now do a lookup for the AD server and present you with: “bebw12mtasvrp1.bebconsultingservices.com” as server to join to
  • Give the AD Administrator and Password
  • At the name configuration set “bebucsmtasvrp5” as local name
  • Install “Active Directory Connection” and proceed with the process

Afterwards, check the following:

root@bebucsmtasvrp5:~# ucr search windows/domain
windows/domain: BEBCONSULTING
 The NetBIOS domain name (used in Samba 3, Samba 4 predominantly uses the DNS/Kerberos domainname).

Tell me where your experience in the process differs from my lab-test.

Kind Regards,
Jens Thorp-Hansen


#11

Will try this morning…stay tuned…


#12

Just attempted it again… It fails with “Connection Refused”. I followed these steps exactly:

  • Install a new 4.1-4
  • At the IP configuration choose an IP and set the DNS Server to the AD Server (and no other! The own IP as nameserver will be automatically set after the join-process)
    DNS was set to 104.153.46.198 and IP was set to 64.111.20.203/29
  • “Install in existing AD Domain” -> the setup should now do a lookup for the AD server and present you with: “bebw12mtasvrp1.bebconsultingservices.com” as server to join to
    I did get this exactly.
  • Give the AD Administrator and Password
    It fails right after this point, when it tries to connect to the AD Server. I am using the correct password and Administrator.
  • At the name configuration set “bebucsmtasvrp5” as local name
    I never get to this step. It attempts to connect to bebw12mtasvrp1.bebconsultingservices.com (104.153.46.198) and fails with “Connection Refused”.
  • Install “Active Directory Connection” and proceed with the process

I have an AVI video of the process, but I am not able to upload it here. A screenshot of the error is attached, however.

I have tried to reset the password to something more simple. Still fails with connection refused.



#13

I also checked, and 104.153.46.198 does resolve to “bebw12mtasvrp1.bebconsultingservices.com”. I am wondering if it might be a Windows AD firewall issue. Not sure what ports UCS needs open to join an AD Domain.


#14

In order to maintain our production schedule we are moving forward with the UCS Master rebuild, as we can’t delay any longer with reinstalling over and over. We will need to attempt to install the AD Connector on a system that is built as a Dedicated UCS Master in parallel to a Windows Domain, as rebuilding this over and over wipes out our applications and data that we then have to restore.

Also checked the firewall on the AD Domain Controller open ports are:
LDAP TCP-in - 389
LDAP UDP in - 389
LDAP for Global Catalog TCP in - 3268
NetBIOS name Resolution UDP in - 138
SAM/LSA TCP in - 445
SAM/LSA UDP in - 445
Secure LDAP TCP in - 636
Secure LDAP for Global Catalog TCP in - 3269
W32Time NTP UDP in - 123
RPC - RPC Dynamic
RPC Endpoint Mapper
DNS - TCP and UDP 53
Kerberos V5 UDP in - 88
Netbios Datagram UDP in - 137
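The thread narrows the failure down to "Connection Refused" versus a traceroute that dies after hop 11, which are two different network symptoms. The script below is an added example (not from the thread and not Univention's own tooling): run on the UCS host, it probes the DC on the TCP ports from the firewall list above and classifies each failure as refused (the host answered with a reset, i.e. nothing listening or a firewall reject) or timeout (no answer at all, i.e. routing or a silent drop). Which of these ports the UCS join actually needs is an assumption; UDP services (NTP, NetBIOS) are not probed.

```python
#!/usr/bin/env python3
"""Probe an AD domain controller on the TCP ports an LDAP/Kerberos join uses
and separate 'refused' from 'timeout' failures. Example code, not part of
UCS or the forum thread."""
import socket

# TCP ports from the DC firewall list in the thread (assumption: these are the
# ones the UCS join exercises). Port 445 and 3269 added for completeness.
AD_TCP_PORTS = {
    53: "DNS",
    88: "Kerberos",
    389: "LDAP",
    445: "SMB/SAM",
    636: "LDAPS",
    3268: "Global Catalog",
    3269: "Global Catalog (TLS)",
}


def probe_port(host, port, timeout=3.0, connect=socket.create_connection):
    """Return 'open', 'refused', 'timeout' or 'error:<reason>' for host:port.
    `connect` is injectable so the classification can be exercised offline."""
    try:
        sock = connect((host, port), timeout)
    except (socket.timeout, TimeoutError):
        return "timeout"            # no SYN/ACK and no RST: drop or routing
    except ConnectionRefusedError:
        return "refused"            # RST came back: host up, port not open
    except OSError as exc:
        return "error:%s" % (exc.strerror or exc.__class__.__name__)
    sock.close()
    return "open"


def diagnose_dc(host, ports=AD_TCP_PORTS, connect=socket.create_connection):
    """Probe every port and give a one-line verdict on the likely cause."""
    results = {port: probe_port(host, port, connect=connect) for port in ports}
    states = set(results.values())
    if states == {"open"}:
        verdict = "all required TCP ports reachable; check credentials and account rights next"
    elif "open" not in states and "timeout" in states:
        verdict = "nothing answers: routing problem or firewall silently dropping (compare traceroute)"
    elif "refused" in states:
        verdict = "host answers but refuses some ports: service not listening or firewall reject on DC"
    else:
        verdict = "mixed results; inspect per-port output"
    return results, verdict


def main():
    # DC name from the thread; run this on the UCS host itself.
    dc = "bebw12mtasvrp1.bebconsultingservices.com"
    results, verdict = diagnose_dc(dc)
    for port, state in sorted(results.items()):
        print("%5d %-22s %s" % (port, AD_TCP_PORTS[port], state))
    print("verdict:", verdict)


if __name__ == "__main__":
    main()
```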


#15

Just attempted again, this time setting up a new UCS Domain.

Then install AD Connector (installed and no errors) and selected “Configure UCS as part of an Active Directory domain (recommended).” as the option.

When attempting to join the Windows domain I get the error:

Could not fulfill the request.

Server error message:

The command has failed: Could not connect to AD Server BEBW12MTASVRP1.bebconsultingservices.com. Please verify that username and password are correct.

Same as before…going to try to select “Synchronisation of account data between an Active Directory and this UCS domain.” Option and see what the result is…


#16

Well that option also fails with

Could not fulfill the request.

Server error message:

The command has failed: Could not connect to AD Server BEBW12MTASVRP1.bebconsultingservices.com. Please verify that username and password are correct.

On the newly rebuilt UCS Master, it appears that even though I have the AD Server as the DNS it still is not able to resolve…

root@bebucsmtasvrp5:/var/log/univention# nslookup bebw12mtasvrp1.bebconsultingservices.com
Server: 64.111.20.203
Address: 64.111.20.203#53

** server can’t find bebw12mtasvrp1.bebconsultingservices.com: NXDOMAIN

Even though the first DNS is itself (put there during the install automatically) and it has the second DNS as 104.153.46.198, which is the IP address for bebw12mtasvrp1.bebconsultingservices.com, it does not resolve…


#17

I’ve managed to get DNS name resolution to work. However the connection is still refused.

I am also seeing that the NETBIOS and FQDN are now correct in AD Connector:
28.11.16 13:35:02.905 MODULE ( PROCESS ) : AD Info: {'Domain': 'bebconsultingservices.com', 'LDAP Base': 'DC=bebconsultingservices,DC=com', 'Forest': 'bebconsultingservices.com', 'Client Site': 'Default-First-Site-Name', 'DC Netbios Name': 'BEBW12MTASVRP1', 'DC DNS Name': 'BEBW12MTASVRP1.bebconsultingservices.com', 'Netbios Domain': 'BEBCONSULTING', 'DC IP': '104.153.46.198', 'Server Site': 'Default-First-Site-Name'}
28.11.16 13:35:03.013 MODULE ( WARN ) : Failure:
28.11.16 13:35:03.013 MODULE ( PROCESS ) : The command has failed: Could not connect to AD Server BEBW12MTASVRP1.bebconsultingservices.com. Please verify that username and password are correct.

But the connection is still being refused…now I am at a loss…


#18

Do I need to also have Active Directory-compatible Domain Controller installed as well? As currently it is NOT installed only Active Directory Connection is installed.


#19

No, you do not need the Active Directory Domain Controller. The step-by-step instructions I sent are verified in a lab environment, so there must be something in your environment that is causing the failures. Maybe the network environment? A configuration of the Windows Server that actively hinders the connection?

Further:

Maybe a routing issue?

I am really sorry, but can it not be that you use an Administrator that is not allowed to do the join/connect? Or that the password has a typo or the like? I mean: if the system at the point “Give User/Password” tells you the typed-in user/password is wrong.


#20

Ok it does look like a possible routing issue…

Going from the UCS to the Windows AD Server:
From MTA 5 to MTA 1

root@bebucsmtasvrp5:~# traceroute bebw12mtasvrp1.bebconsultingservices.com
traceroute to bebw12mtasvrp1.bebconsultingservices.com (104.153.46.198), 30 hops max, 60 byte packets
1 64.111.20.201 (64.111.20.201) 0.643 ms 0.635 ms 0.845 ms
2 vs201.cor1.cos1.vis.data102.com (64.111.16.192) 0.592 ms 0.606 ms 0.608 ms
3 g0-1.edge3.cos1.vis.data102.com (64.111.16.219) 1.279 ms 1.280 ms 1.280 ms
4 gi0-0-0-0.rcr11.cos01.atlas.cogentco.com (38.101.50.117) 1.273 ms 1.526 ms 1.527 ms
5 te0-7-0-8.ccr22.den01.atlas.cogentco.com (154.54.40.18) 3.221 ms 3.233 ms 3.229 ms
6 be3036.ccr22.mci01.atlas.cogentco.com (154.54.31.90) 14.634 ms 14.676 ms 14.681 ms
7 be2832.ccr42.ord01.atlas.cogentco.com (154.54.44.170) 26.438 ms 26.450 ms 26.447 ms
8 be2718.ccr22.cle04.atlas.cogentco.com (154.54.7.130) 33.332 ms 33.226 ms 33.505 ms
9 be2890.ccr42.jfk02.atlas.cogentco.com (154.54.82.246) 45.027 ms 45.441 ms 45.441 ms
10 be2855.ccr22.jfk04.atlas.cogentco.com (154.54.7.6) 45.415 ms 45.428 ms 45.926 ms
11 38.88.134.18 (38.88.134.18) 46.228 ms 46.777 ms 46.788 ms
12 * * *
13 * * *
14 * * *
15 * * *
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *
root@bebucsmtasvrp5:~#

Going from the Windows AD Server to UCS…

From MTA 1 to MTA 5

Tracing route to bebucsmtasvrp5.bebconsultingservices.com [64.111.20.203]
over a maximum of 30 hops:

1 <1 ms <1 ms <1 ms 199.231.92.1
2 1 ms 1 ms 1 ms 38.88.134.17
3 1 ms 1 ms 2 ms be2855.ccr42.jfk02.atlas.cogentco.com [154.54.7.5]
4 13 ms 13 ms 13 ms be2890.ccr22.cle04.atlas.cogentco.com [154.54.82.245]
5 21 ms 21 ms 21 ms be2718.ccr42.ord01.atlas.cogentco.com [154.54.7.129]
6 33 ms 33 ms 33 ms be2832.ccr22.mci01.atlas.cogentco.com [154.54.44.169]
7 44 ms 44 ms 44 ms be3036.ccr22.den01.atlas.cogentco.com [154.54.31.89]
8 46 ms 46 ms 46 ms te0-0-2-2.rcr11.cos01.atlas.cogentco.com [154.54.40.17]
9 46 ms 46 ms 58 ms Optimum_Network_Services.demarc.cogentco.com [38.101.50.118]
10 46 ms 46 ms 46 ms g7-10.core1.cos1.vis.data102.com [64.111.16.218]
11 46 ms 46 ms 46 ms vs201.dist3.cos1.vis.data102.com [64.111.16.193]
12 46 ms 48 ms 46 ms 64.111.20.203

Trace complete.

So I think I will open a case with the ISP/Co-Location for UCS.

Thanks…I will update again if we have more issues…or something else.