The challenge: Controllable diversity
Based on the good experiences the BfS had had with the free operating system, a Linux-based solution was the preferred option. However, economic considerations also played an important role in the decision-making process as changing the entire server landscape over to Windows would have involved considerable investment costs.
After careful consideration they finally chose the Univention Corporate Server (UCS), the core product of the Bremen-based Linux specialist Univention. From then on, UCS was to form the heart of the IT landscape at BfS with its various locations. After all, the administration of decentralised IT infrastructures is where UCS really shows its strengths. Univention was chosen not only based on its extensive experience in the realisation of Linux solutions in the administrative sector, but particularly because of the professional and comprehensive support and simple communication guaranteed by the company’s headquarters in Germany.
Consequently, Univention Corporate Server has been introduced at all of the authority’s sites. In early 2013 the decision was taken to migrate to UCS Version 3.1 with integrated Samba 4 in order to benefit from the Active Directory functions now available.
The heart of the Univention solution is the central, OpenLDAP-based directory service, which takes over the authentication of the users and client systems at all of the BfS’ sites and allows single sign-on. The LDAP Primary Directory Node at the headquarters in Salzgitter replicates its data in encrypted form over the network, both locally and to the UCS Replica Directory Node systems at the different sites. In their role as Samba/Active Directory domain controllers, the Replica Directory Nodes function as local login and administration servers. This not only guarantees uniform load distribution, but also offers maximum system stability thanks to the georedundancy, as each site is still able to function autonomously even if the connection to the Primary Directory Node at the headquarters should fail. This is an extremely important feature for an authority which must remain able to act, particularly in the event of nuclear incidents and other unforeseen occurrences.
The UCS environment supports the principle of georedundancy even for the e-mail services, for which the groupware Open-Xchange has been used since the changeover to UCS. E-mail transport is now decentralised and no longer dependent on communication with the Primary Directory Node at the headquarters – a decisive advantage compared with the standard, centrally organised Microsoft Exchange scenarios.
The Active Directory functions of UCS also make it possible to mount existing proprietary storage systems from different manufacturers. That is one feature which convinced Dr. Christian Werner, head of the authority’s IT department: “In Samba 4 we have finally found a bridging technology which truly allows us to unite the Windows world and the Open Source world. It is important to us because it allows us to use the advantages that a Linux server solution offers and at the same time the system is well received among our employees, as they can continue to use their familiar Windows services and clients.”
While the majority of the servers at BfS run Linux, the client systems predominantly employ Windows. Particularly in terms of the administration of these Windows workstations, UCS with integrated Samba 4 saves the system administrators at BfS a great deal of work. With the new solution, the desktop computers can also be installed and administrated conveniently and without Windows domain controllers. Group policies mean classic Windows-specific administration mechanisms are also available via Samba/Active Directory and can be administrated via the familiar Microsoft tools of Windows clients.
The dynamic DNS updates mean that mobile clients are also excellently supported. For example, the dynamic assignment gives company laptops a logical host name, so that the system recognises a certain device at any of the sites, even after it has received a new IP address. This is important if the respective employee requires help from the IT support team, for example, and the team needs to access his device.
UCS is not only responsible for central identity management and IT infrastructure management at the Federal Office for Radiation Protection. The complete server package also offers excellent services as DNS and DHCP servers. In addition, the system also harmonises with other distributions employed by the BfS, primarily Oracle Enterprise Linux, as well as numerous specialist applications employed at the BfS based on Oracle, PostgreSQL, MySQL and JBoss.
The UCS systems at the BfS are currently implemented as virtual servers. For this purpose, the authority uses the proprietary virtualization software from VMware. The IT department is currently investigating whether a changeover to the free virtualization environment integrated in UCS, Xen and KVM, would make sense from a cost-efficiency perspective.
The Federal Office for Radiation Protection was not entering new Linux territory with UCS. The authority has already been aware of the flexibility and possibilities for adjustment of the free operating system for a long time and is continuing this tradition with Univention Corporate Server. UCS demonstrates its strengths at the BfS particularly in the central identity and network management – including across different locations – just as it does in the convenient administration of the many Windows client systems. The system harmonises – not just due to the integration of Samba 4 – very well with the other Open Source and proprietary solutions employed and satisfies the authority’s high requirements for high availability, stability, simple administration and georedundancy.
The introduction of UCS at the BfS has shown that it is possible to replace a high-maintenance server landscape built up over the years with a state-of-the-art, high-performance Open Source solution without endangering the stable operation or being dependent on individual manufacturers or service providers. The changeover of all six sites to the current UCS Version 3.1 took less than a day and a half all told. After over three years of using UCS in his authority, Dr. Christian Werner draws a conclusion which is positive in all aspects: “The Univention solution makes it possible for us to fuse the proprietary Windows world efficiently with the free Linux world and offers us the possibility of benefiting from both worlds equally. The integration of Samba 4 in UCS 3.1 perfected this even further. In addition, I am deeply impressed by how professionally the developers and support staff at Univention work. Without their excellent support, we would surely not have been able to realise the changeover of our server management so quickly, smoothly and with such good results.”