Welcome to our first journey into the world of Univention applications! In
this new blog series, we will regularly present exciting applications from our
App Center. In the first
episode, we focus on three tools for different environments: Whether you're
using Univention Corporate Server as a single domain controller, integrating
the server into an existing Active Directory, or planning to migrate an entire
existing AD domain to UCS – we have the perfect solution for you!
Univention
Corporate Server is the ideal mediator in environments with Windows, macOS and
Linux systems.
As described in the article “Briefly explained: Samba and Active Directory:
Central Domain Administration”, UCS offers
all the necessary tools to seamlessly integrate different operating systems
within a domain.
In this article, we look at three specific apps in our portfolio that offer
different approaches to optimizing your infrastructure across operating
systems:
One of the primary challenges in large, diverse environments is seamlessly
connecting Windows, macOS, and Linux systems. The Active Directory-compatible
Domain Controller app facilitates this integration by rolling out the red
carpet for Windows and macOS systems within the domain. It augments the
Univention Corporate Server with AD features, leveraging Samba, an
open-source software enabling communication between Unix/Linux and
Windows/macOS systems.
Upon installation, the app ensures the presence of a second, AD-compatible
directory service (Samba) alongside the existing directory service
(OpenLDAP) on the UCS server, specifically tailored for Windows systems in
the environment. The Univention S4 Connector synchronizes data between these
two directory services, ensuring data consistency across all domain
controllers. This streamlined organization of network resources significantly
simplifies management. Read more on the synchronization between different
systems in the blog article “How UCS synchronizes Linux/Windows IT
Infrastructures with Samba AD”.
This Samba domain based on Active Directory offers various
services in the environment:
While offering all these services on a single server is feasible, it's
recommended to operate domain controllers and file/print servers on separate
UCS machines. Such segregation ensures, for instance, that heavy loads on the
file server do not impede authentication service performance.
If you want to operate Univention Corporate Server as a member of an AD domain
or in parallel to an AD domain, the Active Directory Connection app is your
solution. It sets up automatic synchronization of directory service objects
between a Windows server with AD and the OpenLDAP directory service of UCS.
The Active Directory Connection app provides two distinct operating modes:
Let's delve deeper into these modes.
In this scenario, UCS becomes a member of an existing AD domain, similar to a
new player joining an established team. Active Directory (AD) retains its
leading role as the directory service, while the UCS system is integrated into
the circle of trust of the AD domain. The benefit? Limited access to AD domain
account data, allowing UCS to enrich the AD domain with additional
applications while maintaining authentication through native Microsoft AD
domain controllers.
Please note that in this mode, UCS cannot operate as an independent AD domain
controller. Instead, it retrieves account data from AD and stores it locally
in its OpenLDAP directory service. In particular, changes made in UCS are not
written back to AD.
This mode is ideal for extending an AD domain with additional UCS platform
applications, ensuring seamless access for AD domain users while maintaining
authentication through native Microsoft AD domain controllers.
In UCS Active Directory Connector mode, both domains operate independently yet
seamlessly exchange information. User and group objects are synchronized
between the UCS and AD domains, with the option for uni- or bi-directional
synchronization.
This setup enables users to access services from both domains without repeated
logins. During connector setup, UCS entries are converted to AD objects and
vice versa, with synchronization occurring automatically every five seconds
(adjustable interval).
In case of synchronization failures, the connector retries the affected
objects, with a default of ten attempts. Connector restarts also attempt to
synchronize postponed changes.
For detailed information on setup, administration, and best practices, please
refer to the manual chapters “UCS as a Member of an Active Directory
Domain” and “Setup of
the UCS AD Connector.”
The final app introduced in this article is Active Directory Takeover, a
practical migration tool. It facilitates the transition of data from an AD
domain to UCS, much like moving to a new, modern office. The app meticulously
transfers user, group, and computer objects, along with Group Policy Objects
(GPOs) and Security Identifiers (SIDs), to the UCS Samba/AD domain
environment. Existing Windows clients need not rejoin the domain.
Subsequently, you can retire the old AD domain controller.
For a smooth transition to the UCS environment, consider the following steps:
For detailed information on how to migrate an AD domain to UCS using the
Active Directory Takeover app, please refer to the
corresponding chapter in our manual. Alongside preparation steps, the chapter
provides a step-by-step guide to migration and offers tips for final testing.
In today's exploration of Univention apps, we've introduced three key tools
that revolutionize computer management in heterogeneous environments. Whether
you're looking to deploy Univention Corporate Server as a standalone domain
controller, bridge to an existing Active Directory, or plan a complete
migration, we have the perfect solution.
We invite you to get in touch with us and other UCS users. Share your
experiences with the featured or other applications, ask questions or simply
learn more about Univention Corporate Server and its applications.
Visit our forum Univention Help and become
part of our community!
The post Univention App Highlights: Top 3 for Heterogeneous
Environments first appeared on
Univention.