Univention-join to Active Directory

riess82 · February 10, 2021, 3:24pm

I should put UCS instead of an old SBS2011 server.

To get started, i tried to install UCS and clicked join Active Directory Domain during the install process.
Unfortunately several scripts failed and i couldnt really find out why.
So I started over with the install, selected “no domain” at the install and tried to run univention-join from SSH afterwards, to see errors right away. I have replaced my real domain with DOMAIN.REMOVED in all commands and error messages.

After reading a few guides online, I believe that the first UCS in joining an AD must be a master, so my command was:
univention-join -type domaincontroller_master

The error i got was: missing dns service record for _domaincontroller_master._tcp.DOMAIN.REMOVED

Second try after searching online:
univention-join -type domaincontroller_master -dcname sbs2011.DOMAIN.REMOVED

New error: ssh-login to riessadmin@sbs2011.DOMAIN.REMOVED failed with " "

Which is of course correct, as this is a windows server with no ssh running on it.
To me it sounds like the command tries to join a UCS domain, not AD.

Any help would be greatly appreciated.

Best regards in advance,
M

riess82 · February 12, 2021, 10:16am

After several tries, i managed to join my first UCS master to an SBS2011. I started from scratch and tried to join the AD during setup. All scripts worked except 26.

there was a problem of a missing DNS of domaincontroller_master. I added that in the SBS2011 DNS.
I re-ran the scripts from the GUI and only 26 didnt work. It told me to use “univention-run-join-scripts --ask-pass”

I tried that and got “Search LDAP binddn: ldap_sasl_bind(SIMPLE): Can’t contact LDAP server (-1)
Insufficient access (50)”

I searched in the forum here and found an info about univention-ssh inside the join script. I debugged /usr/sbin/univention-run-join-scripts and saw, that binddn was not found. I also saw, that “Can’t contact LDAP server (-1)” resulted from the first try, and “Insufficient access (50)” from the second one.

However: univention-ldapsearch uid=ADMIN returned the DN correctly.
So I decided not to debug the univention-ssh problems any more, added binddn=“WHAT_I_GOT_FROM_BEFORE” and with that managed to let the script continue.

And it WORKED!

I don’t feel like signing up for the sourcecode just because of that, but I suggest someone adds another if-statement in /usr/sbin/univention-run-join-scripts to try what i did.

riess82 · February 13, 2021, 11:14am

UPDATE:
Trying to add a slave server to the environment, I got stuck during the install process at the same problem and I couldnt continue. So I switched to console and edited /target/usr/sbin/univention-join and manually added binddn=… again.

Would be great if anyone could to help me find a proper solution, i dont feel like manually editing the scripts at every new server I add.

riess82 · February 19, 2021, 7:41pm

UPDATE 2:

I think I have found the reason behind some of the binddn errors.
I had to add the (Active-Directory-)Domain-Admin-User to the UCS Group “DC Backup Hosts”.
Found this suggestion at another post here regarding some ldap.secret error.