Can UCS be a secondary DC to an Azure VM?

Hi there,

Can a Univention server be added to a Windows Server virtual machine domain controller that exists in Azure and has a VPN, so that it works as a local server?
The main goal is to have a fault-tolerant authentication server for when the internet connection fails, for example.

Thanks

Hi,

If I got you right, you want to join a UCS server to an Active Directory located on a Windows DC in Microsoft's Azure cloud, right?
It should be possible to join the UCS system in member mode via VPN, although I am not aware of other comparable customer scenarios.

I would be glad if you could give me some feedback here!

Regards,
Tim Petersen

Just for clarification: It is currently not possible to join a UCS system as a second Active Directory domain controller to an existing Microsoft Active Directory. The member mode joins the UCS system as a member server and synchronizes its LDAP with the Active Directory.

I will try in ESXi…

My question is whether the UCS acting as a member will perform the authentication function when the primary domain isn't available…

What commands can I run to test whether the authentication/passwords are synced in UCS?

So if I understand, what I want isn't possible.
With any version of Windows Server? Zentyal, for instance, says they can do that up to Windows 2008 R2; UCS can't do it?

I misunderstood, sorry for that.

The UCS system in default member mode will pass password requests through to the Active Directory domain controller. If it is not online, authentication of AD users will fail.
It is possible to use a password service on the Windows domain controller. Password hashes will then be written back to the UCS LDAP. After that it depends on the service: auth requests will be possible via LDAP bind, for example. It will not replace logon services or the like!

The member mode is ideal for expanding an AD domain with applications that are available on the UCS platform. Apps installed on the UCS platform can then be used by the users of the AD domain. The authentication is still performed against native Microsoft AD domain controllers.

A complete Active Directory setup with multiple domain controllers is only possible if all systems (at least the primary domain controller) are UCS systems.

Regards,
Tim Petersen
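As an added example (not code from this thread, from Univention or from Tim), here is a shell script that implements the two checks described above: whether the password service has written a user's NT hash into the UCS LDAP, and whether a simple LDAP bind as that user then succeeds. It assumes it runs as root on the UCS member server, that the UCS tools univention-ldapsearch and univention-config-registry and the OpenLDAP client ldapwhoami are installed, that slapd listens on the UCS default port 7389, and that synced users live under cn=users below the LDAP base. The sambaNTPassword attribute name and that DN layout are assumptions of this example, not something the thread states; the sample LDIF and hash value in the comments are constructed.

```shell
#!/bin/sh
# Added example, not from the thread or from Univention. Checks whether the
# AD Connector password service has written a user's NT hash into the UCS
# LDAP, and whether that user can authenticate with a plain LDAP bind.
# Assumptions: run as root on the UCS member server, where the UCS wrapper
# `univention-ldapsearch` and the OpenLDAP client `ldapwhoami` exist, and
# slapd listens on the UCS default port 7389.

# Unwrap LDIF continuation lines (a leading space continues the previous line).
unwrap_ldif() {
    awk '
        /^ / { buf = buf substr($0, 2); next }
        { if (buf != "") print buf; buf = $0 }
        END { if (buf != "") print buf }
    '
}

# Succeed (exit 0) if the LDIF on stdin carries a sambaNTPassword value,
# which UCS stores as 32 hex characters (assumed attribute name). A
# constructed sample line would be:
#   sambaNTPassword: 8846F7EAEE8FB117AD06BDD830B7586C
ldif_has_nt_hash() {
    unwrap_ldif | grep -q '^sambaNTPassword: [0-9A-Fa-f]\{32\}$'
}

# Look up one user by uid and report whether the hash has been synced.
check_user_hash() {
    uid="$1"
    if univention-ldapsearch -LLL "uid=$uid" sambaNTPassword | ldif_has_nt_hash; then
        echo "$uid: NT hash present in UCS LDAP"
        return 0
    fi
    echo "$uid: no NT hash in UCS LDAP (password service not active, or not synced yet)"
    return 1
}

# Try a simple bind as the user. This is the "auth via LDAP bind" path and
# only works while the Windows DC is unreachable if the hash has been synced.
check_ldap_bind() {
    dn="$1"
    pw="$2"
    ldapwhoami -x -H ldap://localhost:7389 -D "$dn" -w "$pw" >/dev/null 2>&1
}

# Usage: ./check-sync.sh alice 'secret'
# The uid=...,cn=users,<base> DN layout is the UCS default and an assumption here.
if [ "$#" -eq 2 ]; then
    base="$(univention-config-registry get ldap/base)"   # e.g. dc=example,dc=com
    check_user_hash "$1"
    if check_ldap_bind "uid=$1,cn=users,$base" "$2"; then
        echo "$1: LDAP bind OK"
    else
        echo "$1: LDAP bind FAILED"
    fi
fi
```

Run the script once with the Windows DC reachable and once with the VPN down: if the hash check passes but the bind only succeeds while the DC is online, the service is passing the bind through rather than verifying against the synced hash. A successful bind proves only the LDAP path; as the post says, it does not give Windows clients a logon server.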

I’m now blocked at the password sync; I don’t know how to do “After the installation the replication of password hashes has to be activated.”
I installed the service and everything, but the password sync isn’t working…

I only need a box that can do authentication when the primary domain is down, which should be < 2% of the time…

Zentyal announces they can do that, but only up to Server 2008 R2, and our VM in Azure is 2012 R2; and, even more important, UCS is better than Zentyal in my opinion.

So @Petersen, if I understand, and to close the thread: that can’t be done; UCS can’t be configured to allow users to log in to computers if the primary domain isn’t available; they will always get “no logon server available”.

[quote=“codedmind”]
So @Petersen, if I understand, and to close the thread: that can’t be done; UCS can’t be configured to allow users to log in to computers if the primary domain isn’t available; they will always get “no logon server available”.[/quote]

UCS can’t be joined as a backup DC to a native Active Directory, because this is currently not completely supported by Samba (SYSVOL replication, etc.). That’s why this is not in our focus at the moment.

OK, I managed it with Zentyal.

Scenario:
Windows Server 2008 R2 as PDC
Zentyal 4.1 as SDC

Add a Win7 computer to the domain, reboot the computer!
Disable the Windows Server 2008 R2 Ethernet network.
Turn on the Win7 computer, log in with a user from AD for the first time.
Confirm that the logon server is the Zentyal server!

So this is possible with Samba… I must go with Zentyal to solve my problem.
Thanks again @Petersen

Hi CodeMind, just to be sure I understand your last post: using Zentyal you could have a second “Active Directory Domain Controller”, is that correct?

Hello, yes.

I didn’t put it into production with Zentyal, but with Zentyal I have managed that.

Hey, I just want to double-check that a UCS DC cannot be added as a new DC to an existing Windows-based AD. It was my understanding that UCS provides directory services implemented in Samba. This page wiki.samba.org/index.php/Join_a … _Directory says that a Samba DC can work as an additional DC for a Windows Active Directory. Why then can’t UCS do the same?

The statement by Petersen, who was a member of the Univention support team at the time of writing, mentioned that one of the reasons is the lack of functionality in Samba, especially referring to SYSVOL replication.
The linked Samba wiki page on SYSVOL replication still states:

So I would conclude that there is no change.

Hello,

Can anyone from UCS give a status update as of “today”? Any plans for UCS 5?

For instance, we have the O365 connector, but if we want to use Azure Information Protection, will it be possible having UCS on premises?

I’m not a Univention employee and can only comment on the current status which remains unchanged: there’s still no sysvol replication mechanism that works between Samba-based and Windows-based AD DCs. Therefore running both types at the same time won’t work properly.

@Moritz_Bunkus Thanks for your reply, but I think it would be helpful if someone from UCS replied, considering the UCS 5 roadmap etc.

It’s a pity that others have that and UCS still doesn’t :confused:

I’m curious. Which Samba-based distribution allows operating Samba AD DCs and Windows AD DCs in the same domain? And how do they solve the sysvol sync problem?

@Moritz_Bunkus Zentyal… the one I referred to at the beginning of the post, has now gained a new life… and promotes that information again. In the past I tried it and it worked fine with older Windows versions; then I took the bullet and picked UCS with the expectation that UCS would also have that feature.

I just had a look at Zentyal’s official documentation, and they officially state:

Limitations

GPOs will not be synced, but this can be workarounded manually following the official Samba documentation

So no, they do not support running Windows + Samba AD DCs in the same domain any better than Univention does.

@Moritz_Bunkus well… that is a point of view… UCS states that it isn’t possible to add a UCS Samba DC to an existing Windows DC; Zentyal tells otherwise: https://zentyal.com/news/how-to-zentyal-as-an-additional-domain-controller-of-a-windows-domain-video-tutorial/

Maybe UCS says it isn’t supported to avoid workarounds, and Zentyal tells how to do it?
