Univention Bugzilla – Bug 38090
Fail-safe domain setup
Last modified: 2016-02-12 12:26:20 CET
We already have different hints in the documentation about the domain setup and how to configure multiple LDAP servers, for example:
http://docs.univention.de/manual-4.0.html#computers:configureldapserver

Nevertheless, we should add a single SDB entry which describes what to do to get a fail-safe setup, for example:
- DNS setup (UCR variable nameserver*)
- LDAP server (LDAP Server Policy)
- Kerberos KDC (dns query)
- Samba DCs (Installation of multiple DCs)

The manual should link to the article.
@Stefan: Would you please take a look?
Just some short notes:
- Please use FQDNs, otherwise it will break the SSL settings
- Samba 4: I think we should at least use the App Center / Installer name of the component (Active Directory-compatible Domain Controller)
- I would start in the following way (or similar):

UCS can be used for single server environments as well as for a domain with hundreds of UCS servers. So, the default configuration does not match every scenario. The following sections will describe how to configure the different services in order to increase reliability.
- LDAP
- Active Directory-compatible Domain Controller / Samba 4
- Windows-compatible Memberserver
- Kerberos
- DNS
- DHCP
Thx!
* Please use the passive form everywhere.
* instructuons
* To increase reliablity you can configure additional servers which serves the functionality if the primary LDAP server breaks:
  → To increase reliablity additional servers can be configured, which will automatically be used if the primary LDAP server breaks:
* Note that FQDNs should be used in above UCR?
* root@master:~# kerberos/defaults/dns_lookup_kdc: <empty>
  → missing "ucr search"
* reliability other nameservers
  → reliability additional nameservers
* This can be done by installing additional domaincontrollers as Active Directory-compatible Domain Controllers or by just installing the app at additional domaincontrollers (which are already existing).
  → This can be accomplished by installing additional UCS systems with a system role as domain controller backup or domain controller slave (see http://docs.univention.de/manual-4.0.html#systemrollen) with the "Active Directory-compatible Domain Controller" software component (http://docs.univention.de/manual-4.0.html#installation:software). Existing UCS backup or slave domain controllers just have to install the app from the App Center (http://docs.univention.de/manual-4.0.html#windows:addomain).
* missing section on DHCP
Please verify: http://sdb.univention.de/1349
Commit 65886 (+65887) adds a section on "Fault-tolerant domain setup" to the manual. IMHO "fail-safe" should in the SDB article be changed to "fault-tolerant".
(In reply to Daniel Tröder from comment #5)
> Please verify: http://sdb.univention.de/1349

Ok, it looks good. I've removed the UCS version from the docs.software-univention.de links.

(In reply to Daniel Tröder from comment #6)
> Commit 65886 (+65887) adds a section on "Fault-tolerant domain setup" to the
> manual.

OK