Hey,
the situation is somewhat tricky. A UCS domain is made up of OpenLDAP servers with unidirectional synchronisation between them with the DC Master as the sync source and all other UCS DC Backups and UCS DC Slaves as sync destinations. The SSL certificates for all machines are created on the master and copied to the DC Backups & DC Slaves. All changes to information in the LDAP, e.g. accounts, groups etc., is done on the DC Master and synced from there to the other UCS DCs.
In that sense UCS DC Slaves are read-only copies.
However, this is solely the part that isn’t the Active Directory part. That part is provided by Samba with its own LDAP server. You usually install the “AD compatible domain controller” app (which contains Samba) on all relevant DCs. And now things get complicated.
Each Samba AD DC (don’t confuse “AD DC” with “UCS DC” — both are different concepts, e.g. for “UCS DCs” there are three types: Master, Backup, Slave; however, for “AD DCs” thereis basically only one role if you disregard the AD Read-Only-DC) implements a bi-directional sync to all other Samba AD DCs. Therefore changes to the AD portion of the data (e.g. if a user changes her password on her domain-joined Windows workstation) are done on the “nearest” AD DC. The AD DC then synchronizes those changes with the other AD DCs in the domain.
In that sense a UCS DC Slave with the AD DC app installed is not read-only anymore.
But how is the data synced between those two worlds? Well, there’s the “Univention S4 Connector” component which is installed on the DC Master and all DC Backups (but it’s always only running on the DC Master). This component does a bi-directional sync between the OpenLDAP server on the UCS DC Master and the Samba DC DC on the UCS DC Master.
So what happens when you have a branch office with its own UCS DC Slave with the Samba AD DC installed and a user in that branch office changes her password on Windows?
- The password change is done against the Samba AD DC on the branch office’s UCS DC Slave.
- The Samba AD DC on the branch office’s UCS DC Slave syncs the new password to the Samba AD DC on the UCS DC Master.
- The S4 Connector on the UCS DC Master syncs the new password from the Samba AD DC on the UCS DC Master to the OpenLDAP on the UCS DC Master.
- The OpenLDAP on the UCS DC Master syncs the new password to the OpenLDAP directories on all other UCS DCs.
If you change the password not via Windows, but via the web-based “Univention Management Console” (UMC), the flow looks different:
- The UMC writes the changes to the OpenLDAP on the UCS DC Master.
- The OpenLDAP on the UCS DC Master syncs the change to all other OpenLDAPs on the other UCS DCs.
- At the same time the S4 Connector running on the UCS DC Master gets notified of said change and syncs it to the Samba AD DC running on the UCS DC Master.
- The Samba AD DC on the UCS DC Master syncs the change to all other Samba AD DCs.
Kind regards,
mosu