3. Domain infrastructure

This chapter covers the infrastructure foundation of a Nubus for UCS domain. A Nubus for UCS domain relies on multiple systems with different roles and responsibilities that work together to provide directory, authentication, and management services.

The Primary Directory Node serves as the central hub of your domain, storing and managing all domain data. To keep your domain available and resilient, you need to understand both the system roles you can deploy and the strategies for protecting against single points of disruption.

System roles

Understand the system roles you can deploy in a Nubus for UCS domain, from the Primary Directory Node that stores all domain data to Backup, Replica, and Managed Nodes. See Understanding system roles.

Domain join

Enable systems to join your Nubus for UCS domain. Learn how UCS, Windows, Ubuntu, and macOS systems join the domain, configure domain join through the command line or management module, and manage join scripts for automated system configuration. See Domain join.

Certificate management

Understand how UCS manages TLS certificates, the built-in CA on the Primary Directory Node, certificate validity monitoring, and renewal procedures. See Certificate management.

Kerberos authentication

Learn how Nubus for UCS uses Kerberos for domain authentication, how the system selects the Key Distribution Center, and how to configure the Kerberos administration server. See Kerberos.

Redundancy and failover for the Primary Directory Node

Protect your domain against disruption to the Primary Directory Node by distributing directory data across Backup and Replica Directory Nodes and by promoting a Backup Directory Node to Primary when needed. See Redundancy and failover for the Primary Directory Node.

Domain activity logging

Record and monitor important domain events including user and object management, app installations and updates, server password changes, domain joins, and system updates using the Admin Diary app. See Domain activity logging.

Listener and Notifier replication

Understand how the Listener and Notifier mechanism replicates directory data across your domain, how transaction-based replication ensures consistency, and how to diagnose and resolve replication issues. See Domain replication with Listener and Notifier.

Contents

• 3.1. Understanding system roles
  • 3.1.1. Primary Directory Node
  • 3.1.2. Backup Directory Node
  • 3.1.3. Replica Directory Node
  • 3.1.4. Managed Node
  • 3.1.5. Ubuntu
  • 3.1.6. Linux
  • 3.1.7. macOS
  • 3.1.8. Domain Trust Account
  • 3.1.9. Windows Domaincontroller
  • 3.1.10. Windows Workstation and Windows Server
  • 3.1.11. IP client
• 3.2. Domain join
  • 3.2.1. Domain join process
  • 3.2.2. How UCS systems join domains
    • 3.2.2.1. Subsequent domain joins with univention-join
    • 3.2.2.2. Join a domain through the management module
    • 3.2.2.3. Join scripts and unjoin scripts
  • 3.2.3. Windows domain joins
    • 3.2.3.1. Windows domain join overview and requirements
    • 3.2.3.2. Supported Windows versions
    • 3.2.3.3. Windows 11
    • 3.2.3.4. Windows 10
    • 3.2.3.5. Windows Server 2012 / 2016 / 2019 / 2022
  • 3.2.4. Ubuntu domain joins
  • 3.2.5. macOS domain joins
    • 3.2.5.1. Domain join on the command line
    • 3.2.5.2. Optional: Mount CIFS shares
• 3.3. Certificate management
  • 3.3.1. UCS built-in certificate authority
  • 3.3.2. Certificate validity
  • 3.3.3. Monitor certificate expiry
• 3.4. Kerberos
  • 3.4.1. How Kerberos works
  • 3.4.2. Kerberos realm
  • 3.4.3. Kerberos implementation in Nubus for UCS
  • 3.4.4. KDC selection
  • 3.4.5. Kerberos administration server
• 3.5. Redundancy and failover for the Primary Directory Node
  • 3.5.1. Fault-tolerant domain setup
  • 3.5.2. Backup to Primary promotion
    • 3.5.2.1. Prepare backup to primary promotion
    • 3.5.2.2. Run the backup to primary promotion
    • 3.5.2.3. Validate the promotion
• 3.6. Domain activity logging
  • 3.6.1. Admin Diary components
  • 3.6.2. View and search diary entries
  • 3.6.3. Set up Admin Diary
    • 3.6.3.1. Install the backend
    • 3.6.3.2. Install the frontend
    • 3.6.3.3. Configure database access for separate hosts
• 3.7. Domain replication with Listener and Notifier
  • 3.7.1. Listener modules
  • 3.7.2. Transaction-based replication
  • 3.7.3. Listener and Notifier troubleshooting
    • 3.7.3.1. Read log files and set debug levels
    • 3.7.3.2. Identify replication problems
    • 3.7.3.3. Reinitialize listener modules