UCS Backup DC Join failed

Hello everyone,

We have a UCS system with an Active Directory domain controller module installed.
Now I wanted to add a second domain controller.
After installing the second UCS system as a backup directory node, I installed the Active Directory domain controller module as described in the documentation.

Now when I try to run the join scripts 96 & 98, they fail. I have been searching for hours and cannot find any error. Clients can be connected without problems; only the backup UCS fails.

Here is the log:

RUNNING 96univention-samba4.inst
2025-07-15 13:17:25.664200718+02:00 (in joinscript_init)
15.07.25 13:17:26.850 DEBUG_INIT
15.07.25 13:17:26.867 DEBUG_EXIT
Not updating samba4/role
Multifile: /etc/samba/smb.conf
Object exists: cn=Builtin,dc=XXX,dc=local
No modification: cn=Enterprise Domain Controllers,cn=groups,dc=XXX,dc=local
WARNING: cannot append cn=DC Backup Hosts,cn=groups,dc=XXX,dc=local to nestedGroup, value exists
No modification: cn=Enterprise Domain Controllers,cn=groups,dc=XXX,dc=local
WARNING: cannot append cn=dc-02,cn=dc,cn=computers,dc=XXX,dc=local to hosts, value exists
Stopping samba-ad-dc (via systemctl): samba-ad-dc.service.
Stopping nmbd (via systemctl): nmbd.service.
Setting kerberos/kdc
Setting kerberos/kpasswdserver
File: /etc/krb5.conf
Setting slapd/port
Multifile: /etc/ldap/slapd.conf
File: /etc/init.d/slapd
Setting slapd/port/ldaps
File: /etc/init.d/slapd
Multifile: /etc/ldap/slapd.conf
Restarting slapd (via systemctl): slapd.serviceWarning: The unit file, source configuration file or drop-ins of slapd.service changed on disk. Run 'systemctl daemon-reload' to reload units.
.
Create windows/wins-support
Multifile: /etc/samba/smb.conf
Join against S4 Connector server: dc-01
Forest : XXX.local
Domain : XXX.local
Netbios domain : XXX
DC name : dc-01.XXX.local
DC netbios name : DC-01
Server site : Default-First-Site-Name
Client site : Default-First-Site-Name
Failed to bind - LDAP error 49 LDAP_INVALID_CREDENTIALS - <8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 52f, v1db1> <>
Failed to connect to 'ldap://dc-01' with backend 'ldap': LDAP error 49 LDAP_INVALID_CREDENTIALS - <8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 52f, v1db1> <>
Invalid username or password
WARNING: The option -k|--kerberos is deprecated!
Failed to join against the S4 Connector server dc-01.
Make sure the server is online or if this server is no longer in use,
please completely remove the server object from the domain.
Forest : XXX.local
Domain : XXX.local
Netbios domain : XXX
DC name : dc-01.XXX.local
DC netbios name : DC-01
Server site : Default-First-Site-Name
Client site : Default-First-Site-Name
INFO 2025-07-15 13:17:48,863 pid:7677 /usr/lib/python3/dist-packages/samba/join.py #104: Finding a writeable DC for domain 'XXX.local'
INFO 2025-07-15 13:17:48,879 pid:7677 /usr/lib/python3/dist-packages/samba/join.py #106: Found DC dc-01.XXX.local
Failed to bind - LDAP error 49 LDAP_INVALID_CREDENTIALS - <8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 52f, v1db1> <>
Failed to connect to 'ldap://dc-01.XXX.local' with backend 'ldap': LDAP error 49 LDAP_INVALID_CREDENTIALS - <8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 52f, v1db1> <>
Invalid username or password
WARNING: The option -k|--kerberos is deprecated!
Failed to join the domain XXX.local.
Make sure the server is online or if this server is no longer in use,
please completely remove the server object from the domain.
EXITCODE=1
2eedea72-215d-405b-9257-d20e946f821d
RUNNING 97univention-s4-connector.inst
EXITCODE=already_executed
RUNNING 98univention-pkgdb-tools.inst
EXITCODE=already_executed
RUNNING 98univention-samba4-dns.inst
2025-07-15 13:17:49.150342419+02:00 (in joinscript_init)
Samba4 backend database not available yet, exiting joinscript 98univention-samba4-dns.
EXITCODE=1
71175897-acff-4f64-a19a-3fa892b75a72
univention-join-hooks: looking for hook type "join/post-joinscripts" on dc-01.XXX.local
Found hooks:


Di 15. Jul 13:17:50 CEST 2025
univention-run-join-scripts finished

I checked the credentials and they are correct. I hope you have a hint for me.

In the last few days I tried it with a new VM, but that didn't work either.

At the moment I am trying older versions like 5.21 or 5.20 just to rule out a software bug.
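The join log above carries more information than Samba's summary line "Invalid username or password" suggests: Active Directory appends a subcode ("data NNN") to every LDAP error 49, and those subcodes are documented Windows error numbers. The posted lines say data 52f, which is ERROR_ACCOUNT_RESTRICTION, not the 52e (ERROR_LOGON_FAILURE) that a plain wrong password produces. The decoder below is an added example written for this page, not code from the thread, from UCS or from Samba; the subcode table is the standard Windows one, the regular expression is written against the exact line format in the log, and SAMPLE_LOG is a constructed copy of the relevant log lines.

```python
import re

# Subcodes Active Directory appends as "data NNN" to an LDAP error 49 bind
# failure (documented Windows error numbers, in hex). Samba's own summary
# text ("Invalid username or password") does not distinguish between them.
AD_BIND_SUBCODES = {
    "525": ("ERROR_NO_SUCH_USER", "user not found"),
    "52e": ("ERROR_LOGON_FAILURE", "invalid credentials (wrong password)"),
    "52f": ("ERROR_ACCOUNT_RESTRICTION",
            "account restriction (logon hours, workstation, blank password "
            "or must-change-password policy), not a wrong password"),
    "530": ("ERROR_INVALID_LOGON_HOURS", "not permitted to log on at this time"),
    "531": ("ERROR_INVALID_WORKSTATION", "not permitted to log on from this workstation"),
    "532": ("ERROR_PASSWORD_EXPIRED", "password expired"),
    "533": ("ERROR_ACCOUNT_DISABLED", "account disabled"),
    "701": ("ERROR_ACCOUNT_EXPIRED", "account expired"),
    "773": ("ERROR_PASSWORD_MUST_CHANGE", "user must reset password"),
    "775": ("ERROR_ACCOUNT_LOCKED_OUT", "account locked out"),
}

# Matches the AD diagnostic message embedded in Samba's bind error line.
BIND_ERROR_RE = re.compile(
    r"LDAP error 49 LDAP_INVALID_CREDENTIALS - "
    r"<(?P<hresult>[0-9A-Fa-f]{8}): LdapErr: DSID-(?P<dsid>[0-9A-Fa-f]+), "
    r"comment: (?P<comment>[^,]+), data (?P<data>[0-9A-Fa-f]+), v(?P<version>[0-9A-Fa-f]+)>"
)
# The "Failed to connect" variant of the line also names the server URL.
TARGET_RE = re.compile(r"Failed to connect to '(?P<target>[^']+)'")


def parse_bind_error(line):
    """Decode one join-log line; returns a dict, or None if it is not a bind error."""
    m = BIND_ERROR_RE.search(line)
    if m is None:
        return None
    data = m.group("data").lower()
    symbol, meaning = AD_BIND_SUBCODES.get(data, ("UNKNOWN", "subcode not in table"))
    t = TARGET_RE.search(line)
    return {
        "hresult": m.group("hresult"),
        "dsid": m.group("dsid"),
        "comment": m.group("comment"),
        "data": data,
        "symbol": symbol,
        "meaning": meaning,
        "target": t.group("target") if t else None,
    }


def decode_join_log(lines):
    """Run the decoder over a whole log; returns the decoded bind errors in order."""
    return [f for f in map(parse_bind_error, lines) if f is not None]


def summarize(findings):
    """One line per failed connect attempt, naming the server and the real cause."""
    return [
        f"{f['target']}: data {f['data']} = {f['symbol']} ({f['meaning']})"
        for f in findings
        if f["target"] is not None
    ]


# Constructed sample: the bind/connect lines from the join log above, plus
# two unrelated lines to show that they are ignored.
SAMPLE_LOG = """\
Join against S4 Connector server: dc-01
Failed to bind - LDAP error 49 LDAP_INVALID_CREDENTIALS - <8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 52f, v1db1> <>
Failed to connect to 'ldap://dc-01' with backend 'ldap': LDAP error 49 LDAP_INVALID_CREDENTIALS - <8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 52f, v1db1> <>
Invalid username or password
Failed to bind - LDAP error 49 LDAP_INVALID_CREDENTIALS - <8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 52f, v1db1> <>
Failed to connect to 'ldap://dc-01.XXX.local' with backend 'ldap': LDAP error 49 LDAP_INVALID_CREDENTIALS - <8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 52f, v1db1> <>
"""

if __name__ == "__main__":
    import sys
    # Pass a saved join log as the first argument, otherwise decode the sample.
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    for line in summarize(decode_join_log(lines)):
        print(line)
```

Run it against /var/log/univention/join.log on the failing backup node; if every attempt decodes to 52f, the next thing to inspect is the account the join binds with (logon hours, workstation restrictions, password policy), not the password itself.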

Looks like your domain is not resolvable.
I see a "local" in there.
Your controller needs a full domain name that can be resolved from other machines via DNS… since every machine is called "local" it's going to be a problem.
When it does a lookup it's going to be pointing to itself…

Hi talleyrand,

The domain is named XXX.local, so the FQDN for the domain controller is “dc-01.XXX.local”

When I log in via ssh to the second ucs system I can resolve the following:

ping XXX.local
PING XXX.local (192.168.0.20) 56(84) bytes of data.
64 bytes from dc-01.XXX.local (192.168.0.20): icmp_seq=1 ttl=64 time=0.579 ms

ping dc-01.XXX.local
PING dc-01.XXX.local (192.168.0.20) 56(84) bytes of data.
64 bytes from dc-01.XXX.local (192.168.0.20): icmp_seq=1 ttl=64 time=0.384 ms

ping dc-01
PING dc-01.XXX.local (192.168.0.20) 56(84) bytes of data.
64 bytes from dc-01.XXX.local (192.168.0.20): icmp_seq=1 ttl=64 time=0.527 ms

So from my point of view, DNS resolution is okay.
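Ping only exercises the A and PTR records. The join itself locates its partner through SRV records (the log's "Finding a writeable DC" step), and Kerberos additionally needs the _kerberos SRV entries and port 88 reachable, so a check that resolves those records through the same system resolver the join uses is closer to what the join scripts actually do. The script below is an added example written for this page, not part of this thread or of UCS; it assumes dig is installed, takes the realm XXX.local and the site name Default-First-Site-Name from the posted log, and its SRV list is the standard set a Samba AD DC publishes. The lookup function is injectable so the parsing and the missing-record logic can be exercised with constructed answers.

```python
import socket
import subprocess
import sys


def required_srv_names(realm, site="Default-First-Site-Name"):
    """SRV names a joining DC relies on; standard Samba AD DC set, site name assumed."""
    return [
        f"_ldap._tcp.{realm}",
        f"_ldap._tcp.dc._msdcs.{realm}",
        f"_ldap._tcp.pdc._msdcs.{realm}",
        f"_ldap._tcp.{site}._sites.{realm}",
        f"_kerberos._tcp.{realm}",
        f"_kerberos._udp.{realm}",
        f"_kerberos._tcp.{site}._sites.dc._msdcs.{realm}",
        f"_kpasswd._tcp.{realm}",
        f"_kpasswd._udp.{realm}",
        f"_gc._tcp.{realm}",
    ]


def parse_srv_answer(text):
    """Parse 'dig +short SRV' output into (priority, weight, port, target) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:          # skip empty lines and anything that is not an SRV RR
            continue
        prio, weight, port, target = parts
        records.append((int(prio), int(weight), int(port), target.rstrip(".")))
    return records


def dig_srv(name):
    """Live lookup through the system resolver with dig (assumed to be installed)."""
    out = subprocess.run(["dig", "+short", "SRV", name],
                         capture_output=True, text=True, timeout=10)
    return out.stdout


def check_srv_records(realm, lookup=dig_srv, site="Default-First-Site-Name"):
    """Map every required SRV name to its parsed records; an empty list means missing."""
    return {name: parse_srv_answer(lookup(name)) for name in required_srv_names(realm, site)}


def missing_srv_records(results):
    """Names from check_srv_records() that returned no record at all."""
    return sorted(name for name, recs in results.items() if not recs)


def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP connection to host:port succeeds within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    realm = sys.argv[1] if len(sys.argv) > 1 else "XXX.local"
    results = check_srv_records(realm)
    for name, recs in results.items():
        print(f"{name}: {recs if recs else 'MISSING'}")
        # LDAP (389), Kerberos (88), kpasswd (464) and GC (3268) are TCP services;
        # the _udp names are only checked for existence.
        if not name.startswith(("_kerberos._udp", "_kpasswd._udp")):
            for _, _, port, target in recs:
                print(f"  tcp {target}:{port} reachable={tcp_reachable(target, port)}")
    missing = missing_srv_records(results)
    if missing:
        print("missing SRV records:", ", ".join(missing))
    sys.exit(1 if missing else 0)
```

Run it on the backup node before the join; a clean DNS setup prints every name with at least one record pointing at dc-01.XXX.local and every TCP target reachable. If SRV lookups succeed here but the join still fails with LDAP error 49, the problem is not name resolution.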

Phew… thank goodness that AD/Samba and networking only rely on DNS…
and ping… uses exactly the same network protocols that they use.

Yes, you are right, but it should not matter if the domain ends with .local or .com. This has nothing to do with DNS.

To clarify: the domain is called XXX.local (XXX = placeholder)

There are also corresponding pointer entries in the DNS that refer to the respective DC. The service records should also be correct.

I can connect any Windows machine to this domain without any problems.

I have also tested the older versions (5.21/5.20), but the same problem occurs here.

Here are the DNS records:

Yep… I was going to show this, taken from the Samba setup docs:

I'm not saying this is the cause of this issue, but the more a setup deviates from the norm, the harder it is to debug.

Also, if you expand the system and add other subnets, I'm not sure that .local will function outside of the subnet that the server is in.

But I do remember the first time I set up Univention I had a hell of a time with exactly this sort of name resolution, even using a full .com, and in one case it was related to the Windows AD server doing some things over IPv6 to ".local" & ".localhost".

Hi, and thanks for the information.

Sorry for the late reply, I was on vacation.

I will try to set up a new UCS system with a *.intranet domain and then try to migrate the current systems.

Update:

It works without problems with a fresh new UCS VM and a *.intranet domain.

I am now trying to migrate the user and computer accounts.