Welcome to our first journey into the world of Univention applications! In this new blog series, we will regularly present exciting applications from our App Center. In the first episode, we focus on three tools for different environments: Whether you’re using Univention Corporate Server as a single domain controller, integrating the server into an existing Active Directory, or planning to migrate an entire existing AD domain to UCS – we have the perfect solution for you!
Univention Corporate Server is the ideal mediator in environments with Windows, macOS and Linux systems.
As described in the article “Briefly explained: Samba and Active Directory: Central Domain Administration”, UCS offers all the tools needed to integrate different operating systems seamlessly within one domain.
In this article, we look at three specific apps in our portfolio that offer different approaches to optimizing your infrastructure across operating systems:
- Active Directory-compatible Domain Controller: Extend UCS with AD capabilities and use our system as an AD-compliant domain controller.
- Active Directory Connection: Merge an existing AD domain with a UCS domain.
- Active Directory Takeover: Migrate an existing AD domain controller to UCS.
Active Directory-Compatible Domain Controller
One of the primary challenges in large, diverse environments is seamlessly connecting Windows, macOS, and Linux systems. The Active Directory-compatible Domain Controller app facilitates this integration by rolling out the red carpet for Windows and macOS systems within the domain. It augments Univention Corporate Server with AD features, leveraging Samba, the open-source software suite that lets Unix/Linux systems speak the SMB, LDAP and Kerberos protocols used by Windows and macOS clients.
Upon installation, the app ensures the presence of a second, AD-compatible directory service (Samba) alongside the existing directory service (OpenLDAP) on the UCS server, specifically tailored for Windows systems in the environment. The Univention S4 Connector synchronizes data between these two directory services, ensuring data consistency across all domain controllers. This streamlined organization of network resources significantly simplifies management. Read more on the synchronization between different systems in the blog article “How UCS synchronizes Linux/Windows IT Infrastructures with Samba AD”.
This Samba-based Active Directory domain provides the following services in the environment:
- Authentication Service: User accounts and groups are centrally managed via the UCS management system. Windows users obtain a Kerberos ticket at login, which is then used to authenticate them to domain resources without re-entering their credentials.
- File Services: UCS serves as a file server, providing directories and files across the network. Administrators can conveniently manage shares through the Univention Management Console.
- Print Services: Samba facilitates sharing printers set up under Linux as network printers for Windows and macOS clients. CUPS (Common Unix Printing System) serves as the foundation, with management also streamlined through the UCS management system.
While offering all these services on a single server is feasible, it is recommended to operate domain controllers and file/print servers on separate UCS machines. Such segregation ensures, for instance, that heavy loads on the file server do not impede authentication service performance. It also limits the blast radius: a domain controller holds the credential material of the whole domain, so a vulnerability in a file or print service exposed on the same host would put the directory itself at risk.
Active Directory Connection
If you want to operate Univention Corporate Server as a member of an AD domain or in parallel to an AD domain, the Active Directory Connection app is your solution. It sets up automatic synchronization of directory service objects between the Windows server running AD and the OpenLDAP directory service of UCS.
The Active Directory Connection app provides two distinct operating modes:
- UCS as a Part (Domain Member) of an AD Domain: In this mode, Active Directory remains the primary directory service in your domain, with no alterations to the domain structure. UCS enhances the existing Windows domain with additional functionalities, such as deploying applications installed via the App Center.
- Parallel Operation of Active Directory and UCS Domain(s): User, group, and password objects are automatically synchronized between both domains. Each domain user has corresponding accounts in both UCS and AD domains. Synchronization can be uni- or bi-directional, ensuring seamless access to services across both domains.
Let’s delve deeper into these modes.
UCS as a Member of an Active Directory Domain
In this scenario, UCS becomes a member of an existing AD domain, similar to a new player joining an established team. Active Directory (AD) retains its leading role as the directory service, while the UCS system is integrated into the circle of trust of the AD domain. The benefit? UCS receives read-only access to AD account data, which lets it enrich the AD domain with additional applications while authentication continues to be handled by the native Microsoft AD domain controllers.
Please note that in this mode, UCS cannot operate as an independent AD domain controller. Instead, it retrieves account data from AD and stores a copy locally in its OpenLDAP directory service. In particular, changes made in UCS are not written back to AD, so account administration stays in AD.
This mode is therefore ideal for extending an AD domain with additional UCS platform applications: AD domain users get seamless access to those applications, and the AD domain controllers remain the only place where authentication decisions are made.
Parallel Operation of AD and UCS Domain
In UCS Active Directory Connector mode, both domains operate independently yet seamlessly exchange information. User and group objects between UCS and AD domains synchronize, with the option for uni- or bi-directional synchronization.
This setup enables users to access services from both domains without repeated logins. During the initial synchronization, existing UCS entries are converted to AD objects and vice versa; afterwards the connector polls for changes automatically every five seconds (the interval is adjustable).
In case of synchronization failures, the connector retries the affected objects, with a default of ten attempts. Connector restarts also attempt to synchronize postponed changes.
For detailed information on setup, administration, and best practices, please refer to the manual chapters “UCS as a Member of an Active Directory Domain” and “Setup of the UCS AD Connector.”
Active Directory Takeover
The final app introduced in this article is Active Directory Takeover, a practical migration tool. It facilitates the transition of data from an AD domain to UCS, much like moving to a new, modern office. The app meticulously transfers user, group, and computer objects, along with Group Policy Objects (GPOs) and Security Identifiers (SIDs), to the UCS Samba/AD domain environment. Because the domain SID and the objects' SIDs are preserved, existing Windows clients keep their trust relationship and need not rejoin the domain. Subsequently, you can retire the old AD domain controller.
For a smooth transition to the UCS environment, the migration proceeds in the following steps:
- Time synchronization between UCS and the existing Active Directory. This is a hard requirement: Kerberos rejects tickets when the clocks of the parties differ by more than the permitted skew (five minutes by default), so the join and the takeover fail if the clocks drift apart.
- Joining the UCS server to the AD domain, officially integrating it into the AD domain.
- Data transfer from AD to UCS OpenLDAP using Samba and the Univention S4 Connector.
- Copying group policy files from the SYSVOL share of the AD server to the UCS server.
- Once all steps have been successfully completed, you can shut down the AD domain controller.
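Before the old domain controller is switched off, it is worth confirming that the SIDs really did survive the takeover, since that is what spares the clients a rejoin. The following script is an added example and not part of the Univention manual or of the Takeover app: it decodes the binary objectSid attribute as it appears in an LDIF export (a base64 `objectSid::` line, e.g. from `ldapsearch` against the old AD server and against the Samba directory on UCS) and compares the domain SID and each account's RID on both sides. The account names, SIDs and the hypothetical domain `example.com` are constructed sample data; the comparison logic itself follows the standard SID layout shared by Microsoft AD and Samba.

```python
"""Verify that SIDs survived an Active Directory Takeover (added example, not Univention code).

The binary objectSid layout used by both Microsoft AD and Samba/AD is:
  byte 0     revision (1)
  byte 1     number of sub-authorities N
  bytes 2-7  identifier authority, 48-bit big-endian
  then N     32-bit little-endian sub-authorities; the last one is the RID
Everything before the RID identifies the domain, so the domain SID must be
identical on both sides and every account must keep its RID.
"""
import base64
import struct

SID_REVISION = 1


def sid_from_bytes(raw: bytes) -> str:
    """Decode a binary objectSid into the textual S-1-5-21-... form."""
    if len(raw) < 8:
        raise ValueError("objectSid shorter than the 8-byte header")
    revision, count = raw[0], raw[1]
    if revision != SID_REVISION:
        raise ValueError(f"unsupported SID revision {revision}")
    if len(raw) != 8 + 4 * count:
        raise ValueError("sub-authority count does not match value length")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from(f"<{count}I", raw, 8)
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])


def sid_to_bytes(sid: str) -> bytes:
    """Inverse of sid_from_bytes; used here only to build the constructed sample data."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"malformed SID {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15:
        raise ValueError("a SID carries at most 15 sub-authorities")
    return bytes([revision, len(subs)]) + authority.to_bytes(6, "big") + struct.pack(f"<{len(subs)}I", *subs)


def domain_sid(sid: str) -> str:
    """Strip the trailing RID; what remains identifies the domain."""
    return sid.rsplit("-", 1)[0]


def parse_ldif_sids(ldif: str) -> dict[str, str]:
    """Map sAMAccountName -> decoded SID for every LDIF entry that carries objectSid::."""
    result: dict[str, str] = {}
    for entry in ldif.strip().split("\n\n"):
        name = sid = None
        for line in entry.splitlines():
            if line.startswith("sAMAccountName: "):
                name = line.split(": ", 1)[1]
            elif line.startswith("objectSid:: "):  # '::' marks a base64-encoded value in LDIF
                sid = sid_from_bytes(base64.b64decode(line.split(":: ", 1)[1]))
        if name and sid:
            result[name] = sid
    return result


def compare_sids(ad: dict[str, str], ucs: dict[str, str]) -> dict:
    """Report whether the domain SID and each account's SID are identical on both sides."""
    ad_domains = {domain_sid(s) for s in ad.values()}
    ucs_domains = {domain_sid(s) for s in ucs.values()}
    return {
        "domain_sid_matches": len(ad_domains) == 1 and ad_domains == ucs_domains,
        "missing_in_ucs": sorted(set(ad) - set(ucs)),
        "sid_changed": sorted(n for n in ad if n in ucs and ad[n] != ucs[n]),
    }


def _ldif(entries: list[tuple[str, str]]) -> str:
    """Render constructed (name, sid) pairs the way an LDIF export would print them."""
    blocks = []
    for name, sid in entries:
        b64 = base64.b64encode(sid_to_bytes(sid)).decode()
        blocks.append(f"dn: CN={name},CN=Users,DC=example,DC=com\nsAMAccountName: {name}\nobjectSid:: {b64}\n")
    return "\n".join(blocks)


# Constructed sample data: the export of the old AD and two possible states of the UCS side.
AD_EXPORT = _ldif([
    ("alice", "S-1-5-21-1111-2222-3333-1105"),
    ("bob", "S-1-5-21-1111-2222-3333-1106"),
    ("svc-backup", "S-1-5-21-1111-2222-3333-1107"),
])
UCS_AFTER_TAKEOVER = _ldif([          # domain SID and RIDs preserved, one account not migrated
    ("alice", "S-1-5-21-1111-2222-3333-1105"),
    ("bob", "S-1-5-21-1111-2222-3333-1106"),
])
UCS_FRESH_DOMAIN = _ldif([            # a freshly provisioned Samba domain: same names, new SIDs
    ("alice", "S-1-5-21-9999-8888-7777-1105"),
    ("bob", "S-1-5-21-9999-8888-7777-1106"),
])


def run() -> tuple[dict, dict]:
    """Compare the AD export against both UCS states; the first should pass, the second must fail."""
    takeover = compare_sids(parse_ldif_sids(AD_EXPORT), parse_ldif_sids(UCS_AFTER_TAKEOVER))
    fresh = compare_sids(parse_ldif_sids(AD_EXPORT), parse_ldif_sids(UCS_FRESH_DOMAIN))
    return takeover, fresh


if __name__ == "__main__":
    for label, report in zip(("after takeover", "fresh domain"), run()):
        print(label, report)
```

Run against real exports, the first report is the one to look at: a differing domain SID or any entry under `sid_changed` means clients would have to rejoin, and anything under `missing_in_ucs` is an account that did not make it across and should be investigated before the old domain controller is shut down.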
For detailed information on how to migrate an AD domain to UCS using the Active Directory Takeover app, please refer to the corresponding chapter in our manual. Alongside preparation steps, the chapter provides a step-by-step guide to migration and offers tips for final testing.
Successful Networking in Heterogeneous Environments
In today’s exploration of Univention apps, we’ve introduced three key tools that revolutionize computer management in heterogeneous environments. Whether you’re looking to deploy Univention Corporate Server as a standalone domain controller, bridge to an existing Active Directory, or plan a complete migration, we have the perfect solution.
We invite you to get in touch with us and other UCS users. Share your experiences with the featured or other applications, ask questions or simply learn more about Univention Corporate Server and its applications.
Visit our forum Univention Help and become part of our community!