UCS multisite network architecture


UCS can offer Active Directory (AD) services for Windows computers. Is the network architecture drawn below correct? Are the DNS settings OK?


At System Diagnostics on a Slave machine:
The following KDCs were unreachable: tcp dc-site_x.office.intranet: 88, tcp dc-site_y.office.intranet: 88 etc.

`samba-tool drs showrepl` returned a problem with the replication:
Inbound 'CN=Configuration,DC=office,DC=intranet': error during DRS replication from Default-First-Site-Name/DC-SITE_X (WERR_SEM_TIMEOUT)
Inbound 'CN=Configuration,DC=office,DC=intranet': error during DRS replication from Default-First-Site-Name/DC-SITE_Y (WERR_SEM_TIMEOUT)
Is a VPN required between UCS Slaves?

Thank you!



The basic setup is fine, yes. But check the DNS settings of your UCS server based on this article.

Additionally, your clients should not get a DNS server other than a UCS server! Otherwise you will lack functionality, as the external DNS server cannot tell anything about your internal domain. So remove the 1.1.1. from your clients. Instead you might use the as a forwarder (again, see the above-mentioned article).

Regarding the errors:
The wording "master", "backup", "slave" (and "member") is terminology of the Univention domain. The Active Directory domain (AD) does not have these concepts, and therefore the UCS Slave always acts as an AD DC (domain controller) and thus should be able to reach the other AD DCs. So yes, you should establish at least proper routing between your sites, either directly or through one of the other VPN gateways.
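To turn the two points of this answer into something you can run on a UCS host, here is an added example (my own script, not part of the thread and not a Univention tool). It parses the "Inbound ... error during DRS replication" lines quoted in the question into a list of failing partners, reports nameservers in a resolv.conf that are not UCS DCs, and offers a live TCP/88 reachability check for a KDC. The diagnostic lines, the resolv.conf contents and the IP addresses are constructed samples; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the forum thread or from Univention.
# Offline checks for the two problems discussed above; sample data is constructed.

# 1) Extract failing replication partners from the UCS diagnostic output.
#    Reads lines of the form
#      Inbound '...': error during DRS replication from <site>/<DC> (<WERR_code>)
#    on stdin and prints "<site>/<DC> <WERR_code>", one per partner.
failed_partners() {
    sed -n 's/.*error during DRS replication from \([^ ]*\) (\([A-Z_]*\)).*/\1 \2/p' | sort -u
}

# 2) Print every nameserver in a resolv.conf ($1) that is not in the
#    space-separated list of UCS DC addresses ($2). Clients should only use UCS DCs.
non_ucs_nameservers() {
    allowed=" $2 "
    grep '^nameserver' "$1" | awk '{print $2}' | while read -r ns; do
        case "$allowed" in
            *" $ns "*) ;;          # a UCS DC: fine
            *) echo "$ns" ;;       # external resolver: remove it from the clients
        esac
    done
}

# 3) Live check that a KDC answers on TCP port 88 (the port named in the
#    diagnostic message). Needs bash for /dev/tcp and the timeout utility.
#    Not run by the sample below, since it requires real network access.
check_kdc() {
    host=$1
    if timeout 3 bash -c "exec 3<>/dev/tcp/$host/88" 2>/dev/null; then
        echo "$host: tcp/88 reachable"
    else
        echo "$host: tcp/88 UNREACHABLE - check routing/VPN between the sites"
    fi
}

# Constructed sample shaped like the diagnostic lines quoted in the question.
SAMPLE_DIAG="Inbound 'CN=Configuration,DC=office,DC=intranet': error during DRS replication from Default-First-Site-Name/DC-SITE_X (WERR_SEM_TIMEOUT)
Inbound 'CN=Configuration,DC=office,DC=intranet': error during DRS replication from Default-First-Site-Name/DC-SITE_Y (WERR_SEM_TIMEOUT)
Inbound 'DC=office,DC=intranet': error during DRS replication from Default-First-Site-Name/DC-SITE_X (WERR_SEM_TIMEOUT)"

# Constructed sample resolv.conf: one UCS DC and one external resolver.
SAMPLE_RESOLV=$(mktemp)
printf 'nameserver 10.0.1.10\nnameserver 203.0.113.53\n' > "$SAMPLE_RESOLV"
UCS_DCS="10.0.1.10 10.0.2.10"

echo "Failing replication partners:"
printf '%s\n' "$SAMPLE_DIAG" | failed_partners
echo "Non-UCS nameservers in resolv.conf:"
non_ucs_nameservers "$SAMPLE_RESOLV" "$UCS_DCS"
rm -f "$SAMPLE_RESOLV"
```

On a real UCS host, feed the output of the system diagnostic (or a saved copy of it) into `failed_partners`, point `non_ucs_nameservers` at `/etc/resolv.conf` with the addresses of your UCS DCs, and call `check_kdc` for each partner DC that shows up; a partner that is listed as failing and also unreachable on port 88 is a routing problem between the sites, which is exactly the case the answer describes.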



I will make the changes you have recommended.
Best regards,