Workaround for Active Directory Web Service (ADWS)

Hello everybody,

We have been using UCS successfully for over half a year now and we are very impressed by the feature set and resilience.

We have 3 DCs (Master/Backup and Readonly in DMZ) and several member servers in production. So far so good.

We recently decided to serve applications to the clients as virtual machines. For usability and other reasons, the decision was made in favor of an RDS VDI infrastructure on a Microsoft Hyper-V basis. Now to our current problem:

The Server 2016 joins the domain without a problem, but issues come up when we try to install RDS. I assume the installation wizard relies heavily on PowerShell cmdlets in the background and fails. To be specific, the PowerShell Active Directory module portion to set/get AD rights fails since the MS middleware “Active Directory Web Service” is missing in the Univention Samba4 implementation.
To be more specific, if we want to create an RDS Collection under the OU that was specified in the wizard, it fails even though all appropriate rights are set.

CommonName of the server: “cn=vs04,OU=server,OU=computer,DC=ourdomain,DC=intranet”
The machine account vs04 has full rights over this OU: “OU=vdi,OU=clients,OU=computer,DC=ourdomain,DC=intranet”

I assume that the Windows installation wizard doesn’t really try whether it has rights over the OU but asks the AD through the ADWS middleware (ADWS is not available in Samba). Can we circumvent this? Is there a workaround? Running ADWS on an MS member server? As far as I can tell, ADWS MUST run on the PDC, right?

What could be other options?

  • Can I join a MS Active Directory in RODC mode to a UCS domain?
  • Create an additional MS AD domain and create a trust between the MS and UCS domain? This would be my last resort because I don’t want a separate domain just for the VDI functionality.

Thanks in advance!
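
The diagnosis described in the post can be checked from the Windows server. The following is an added example, not part of the original post: it tests whether any DC answers on the ADWS port (TCP 9389) and reads the OU's ACL over plain LDAP, which does not depend on ADWS. The DC host names are constructed placeholders; the OU and machine account are the ones quoted in the post.

```powershell
# Added diagnostic sketch. DC names are placeholders (assumption); replace with your UCS DCs.
$DomainControllers = @('dc-master.ourdomain.intranet', 'dc-backup.ourdomain.intranet')
$TargetOu  = 'OU=vdi,OU=clients,OU=computer,DC=ourdomain,DC=intranet'  # OU from the post
$Principal = 'vs04$'                                                    # machine account from the post

function Test-AdwsEndpoint {
    # Reports per DC whether the ADWS listener (TCP 9389) accepts connections.
    param([string[]]$ComputerName, [int]$Port = 9389)
    foreach ($dc in $ComputerName) {
        $r = Test-NetConnection -ComputerName $dc -Port $Port -WarningAction SilentlyContinue
        [pscustomobject]@{
            DomainController = $dc
            Port             = $Port
            Reachable        = $r.TcpTestSucceeded
        }
    }
}

function Get-OuAccessOverLdap {
    # Reads the OU's access rules through ADSI (LDAP), so it works without ADWS.
    param([string]$Server, [string]$DistinguishedName, [string]$AccountName)
    $entry = [adsi]"LDAP://$Server/$DistinguishedName"
    $rules = $entry.psbase.ObjectSecurity.GetAccessRules(
        $true, $true, [System.Security.Principal.NTAccount])
    $rules |
        Where-Object { $_.IdentityReference.Value -like "*\$AccountName" } |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, IsInherited
}

# 1. No DC reachable on 9389 means the ActiveDirectory module cmdlets cannot bind.
Test-AdwsEndpoint -ComputerName $DomainControllers | Format-Table -AutoSize

# 2. The delegation itself, as the directory stores it, independent of ADWS.
Get-OuAccessOverLdap -Server $DomainControllers[0] `
                     -DistinguishedName $TargetOu `
                     -AccountName $Principal | Format-Table -AutoSize
```

If step 1 shows no reachable endpoint while step 2 lists the expected rights for vs04$, the rights are in place and the failure is in the ADWS lookup rather than in the delegation.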
