A UCS server uses its machine account (hostname$) to authenticate against Windows Active Directory.
Every 21 days, UCS changes its machine account password. Sometimes this step can fail.
You will notice this by keeping an eye on
/var/log/univention/server_password_change.log
and, more obviously, because univention-adsearch fails and changes made in AD no longer make it into the UCS system.
UCS stores its machine account password in the file
/etc/machine.secret
Whether the secret still works against AD can be checked with kinit. If it no longer matches, the command fails as shown:
kinit --password-file=/etc/machine.secret $(hostname)
kinit: Password incorrect
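The best solution is to simply change the password for the machine account in Windows AD so that it matches /etc/machine.secret.
Open PowerShell as an administrator and enter the following, replacing kennwort-aus-/etc/machine.secret (a placeholder meaning "password from /etc/machine.secret") with the contents of that file:
Set-ADAccountPassword "CN=mailserver,CN=Computers,DC=domain,DC=local" -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "kennwort-aus-/etc/machine.secret" -Force)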
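
A check for the condition described above, as an added example that is not part of the original page or of Univention's tooling: it runs the same kinit test against /etc/machine.secret in a throwaway credential cache, so a failed rotation can be noticed from cron or monitoring. The function name, the KINIT override and the return codes are assumptions of this example.

```shell
#!/bin/sh
# Added example: health check for the UCS machine secret (not Univention code).
# Return codes are this example's own convention:
#   0 = secret authenticates, 1 = kinit rejected it, 2 = secret file problem.

# KINIT lets a wrapper or test substitute the kinit binary (assumption of this example).
KINIT="${KINIT:-kinit}"

check_machine_secret() {
    secret="${1:-/etc/machine.secret}"
    principal="${2:-$(hostname)}"   # same principal argument as the kinit call above

    # The secret must exist and be non-empty, otherwise kinit's error is misleading.
    if [ ! -s "$secret" ]; then
        echo "CRITICAL: $secret missing or empty" >&2
        return 2
    fi

    # The file holds a domain credential: warn if group or others have any access.
    perms=$(ls -ld "$secret" | cut -c5-10)
    [ "$perms" = "------" ] || echo "WARNING: $secret is accessible to group/other" >&2

    # Use a throwaway credential cache so the test ticket never replaces
    # the tickets of whoever runs the check.
    ccdir=$(mktemp -d) || return 2
    if KRB5CCNAME="FILE:$ccdir/cc" "$KINIT" --password-file="$secret" "$principal" >/dev/null 2>&1; then
        rc=0
        echo "OK: machine secret for $principal accepted"
    else
        rc=1
        echo "CRITICAL: machine secret for $principal rejected, reset it in AD" >&2
    fi
    rm -rf "$ccdir"
    return $rc
}
```

Call check_machine_secret with no arguments on the UCS host; a return code of 1 means the password in AD has to be reset as shown above.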