I need to replace an old SBS2011 server with UCS.
To get started, I installed UCS and chose “Join Active Directory Domain” during the install process.
Unfortunately, several join scripts failed and I couldn't really find out why.
So I started over with the install, selected “no domain” during setup and tried to run univention-join from SSH afterwards, to see the errors right away. I have replaced my real domain with DOMAIN.REMOVED in all commands and error messages.
After reading a few guides online, I believe that the first UCS system joining an AD must be a master, so my command was:
univention-join -type domaincontroller_master
The error I got was: missing dns service record for _domaincontroller_master._tcp.DOMAIN.REMOVED
Second try after searching online:
univention-join -type domaincontroller_master -dcname sbs2011.DOMAIN.REMOVED
New error: ssh-login to riessadmin@sbs2011.DOMAIN.REMOVED failed with " "
Which is of course correct, as this is a Windows server with no SSH running on it.
To me it sounds like the command is trying to join a UCS domain, not AD.
After several tries, I managed to join my first UCS master to an SBS2011. I started from scratch and tried to join the AD during setup. All scripts worked except 26.
There was a problem with a missing DNS record for domaincontroller_master. I added that in the SBS2011 DNS.
I re-ran the scripts from the GUI and only 26 didn't work. It told me to use “univention-run-join-scripts --ask-pass”.
I tried that and got “Search LDAP binddn: ldap_sasl_bind(SIMPLE): Can’t contact LDAP server (-1)
Insufficient access (50)”
I searched the forum here and found some info about univention-ssh inside the join script. I debugged /usr/sbin/univention-run-join-scripts and saw that binddn was not found. I also saw that “Can’t contact LDAP server (-1)” resulted from the first try, and “Insufficient access (50)” from the second one.
However, univention-ldapsearch uid=ADMIN returned the DN correctly.
So I decided not to debug the univention-ssh problems any further, added binddn=“WHAT_I_GOT_FROM_BEFORE” and with that managed to let the script continue.
And it WORKED!
I don’t feel like signing up for the source code just because of that, but I suggest someone adds another if-statement in /usr/sbin/univention-run-join-scripts to try what I did.
UPDATE:
Trying to add a slave server to the environment, I got stuck during the install process on the same problem and couldn't continue. So I switched to the console, edited /target/usr/sbin/univention-join and manually added binddn=… again.
It would be great if anyone could help me find a proper solution; I don't feel like manually editing the scripts for every new server I add.
I think I have found the reason behind some of the binddn errors.
I had to add the (Active Directory) Domain Admin user to the UCS group “DC Backup Hosts”.
I found this suggestion in another post here regarding an ldap.secret error.
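The two things that bit the poster above, the missing _domaincontroller_master._tcp SRV record in the AD-hosted DNS zone and the bind DN that the join scripts could not find, can both be checked before running univention-join. The following pre-flight script is an added example; it is not from the original post and not part of UCS. It assumes `dig` and `univention-ldapsearch` are present on the UCS system, that the AD server (sbs2011.DOMAIN.REMOVED in the post) is authoritative for the domain's DNS zone, and that the join user has a UCS LDAP entry with a `uid` attribute; the sample SRV answer and LDIF in the comments are constructed.

```shell
#!/bin/sh
# Pre-flight checks before `univention-join` against an AD-hosted DNS zone.
# Added example, not from the original post or from Univention. Hostnames,
# the join user and the sample answers are assumptions / constructed data.
#
# Usage: sh ucs-join-preflight.sh DOMAIN.REMOVED sbs2011.DOMAIN.REMOVED Administrator

set -u

# Turn `dig +short SRV` output ("prio weight port target.") into "target port"
# for the lowest-priority record. Exit status 1 when no record came back, which
# is the "missing dns service record for _domaincontroller_master._tcp..." case.
# Constructed sample input:  "0 100 0 ucs-master.DOMAIN.REMOVED."
# Result:                    "ucs-master.DOMAIN.REMOVED 0"
parse_srv_answer() {
    printf '%s\n' "$1" \
      | awk 'NF == 4 { sub(/\.$/, "", $4); print $1, $4, $3 }' \
      | sort -n \
      | head -n 1 \
      | awk '{ print $2, $3 }' \
      | grep .
}

# Pull the first DN out of LDIF, e.g. from `univention-ldapsearch uid=<user> dn`.
# Exit status 1 when no "dn:" line is present (no such user in the UCS LDAP).
parse_dn() {
    printf '%s\n' "$1" | sed -n 's/^dn: //p' | head -n 1 | grep .
}

main() {
    domain=$1
    dns_server=$2
    join_user=$3

    # 1. The SRV record the join looks up must exist in the AD DNS zone.
    srv=$(dig +short SRV "_domaincontroller_master._tcp.$domain" "@$dns_server")
    if ! target=$(parse_srv_answer "$srv"); then
        echo "missing SRV record _domaincontroller_master._tcp.$domain on $dns_server" >&2
        echo "add it in the AD DNS zone (pointing at the UCS master), then re-run" >&2
        return 1
    fi
    echo "master SRV record -> $target"

    # 2. The bind DN the join scripts need, looked up the way the post did.
    ldif=$(univention-ldapsearch "uid=$join_user" dn)
    if ! binddn=$(parse_dn "$ldif"); then
        echo "no LDAP entry for uid=$join_user; check the join user" >&2
        return 1
    fi
    echo "bind DN for $join_user: $binddn"
    echo "if the join still fails with 'Insufficient access (50)', put this user"
    echo "into the UCS group 'DC Backup Hosts' (see the post above)"
}

# Only run the checks when called with the three arguments, so the parsing
# functions can also be sourced and exercised on their own.
if [ "$#" -eq 3 ]; then
    main "$@"
fi
```

Run it on the UCS system before `univention-join`; a non-zero exit with the "missing SRV record" message is the same condition the installer reported, and the printed bind DN is the value the poster ended up hard-coding as `binddn=...`.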