topic Secondary ACS Unable to Join Domain in Network Access Control

Secondary ACS Unable to Join Domain

jlizzio — Mon, 11 Mar 2019 01:38:04 GMT

Hello,

I have two ACS 5.3 servers setup as primary and secondary. The Primary is joined to the domain and works without issue. The secondary server shows as connectivity status:disconnected under the AD configuration. If I test the connection using the username and passwords credentials it is successful.

On the command line when I run the show app status acs command the adclient process results in execution failed.

Any thoughts?

Thanks,

-John

Secondary ACS Unable to Join Domain

camejia — Thu, 22 Dec 2011 22:55:43 GMT

Hello John,

You might want to de-register the secondary ACS from the primary unit. With the secondary as standalone you should delete any references from AD configuration on the ACS Access Services (In Example: AD Group Conditions, AD Attributes), Authorization Profiles, etc.

After removing the AD References on the ACS GUI Configuration please go under the Active Directory configuration and click on "Clear Configuration". NOTE: You might want to confirm that you have the AD account credentials to join the ACS back to the domain.

After clearing the AD configuration we should configure it again from scratch, click on "Test Connection" and if succeded click on "Save Changes".

The ACS should show as Connected and Joined. At this point you can register the unit back to the primary for it to take the secondary role again.

If deeper investigation is needed or the issue persists the best approach would be to open a TAC case.

Hope this helps.

Regards.

Secondary ACS Unable to Join Domain

jlizzio — Tue, 10 Jan 2012 18:58:26 GMT

TAC reviewed our logs and determined that something was corrupt due to the upgrade process from 5.2 to 5.3. I rebuilt the VM as 5.3 and it joined the domain without issue.

-John

Re: Secondary ACS Unable to Join Domain

camejia — Tue, 10 Jan 2012 19:21:18 GMT

Hello,

Cisco Community has become a very helpful forum, however, AD - ACS 5.x issue can become very complex sometimes. TAC involvement might be required on those type of queries. Thanks for the update.

NOTE: Also, I prefer to suggest my customer's to go with a server re-image when upgrading to 5.3 instead of using the "Patch" file. The Patch file can become at handy sometimes when a re-image is not a viable option, however, the re-image will assure a clean installation. A restore of the previous ACS 5.2 database can be performed as well.

Regards

Secondary ACS Unable to Join Domain

mkdccie — Tue, 27 Mar 2012 09:15:42 GMT

Hello,

Is it possible that to rebuild only the adclient, as I'm facing the same problem.

Regards

MKD

Secondary ACS Unable to Join Domain

petr.hon — Tue, 17 Apr 2012 10:18:08 GMT

Hi,

I had the same problem on ACS 5.2 on secondary server. The reason was simple, I did not configured NTP server so there was unsynchronised time with AD domain server.

Secondary ACS Unable to Join Domain

mkdccie — Tue, 17 Apr 2012 10:20:56 GMT

Hi petr,

NTP is working fine, and when I click the "Test" it says "Success".

But the adclient is not running !!

Regards,

MKD

Re: Secondary ACS Unable to Join Domain

Ivan Bermejo Chamorro — Tue, 29 May 2012 19:43:53 GMT

I had same problem when trying to apply a patch with version 5.3.40.5. I had to de-apply patch, de-register backup from main ACS, apply path, and re-register backup with main ACS.

Only after that, adclient executed correctly.

I hope it helps

Secondary ACS Unable to Join Domain

rameshwar.hiwale — Tue, 19 Feb 2013 19:39:40 GMT

Hello All,

We had faced same issue which is resolved by using domain credential to join AD.

Deregister secondary ACS from primary and re-registered. which helped and found everything working fine.

Note : Please always check ACSADAgent.log in such issues.

Thanks petr.hon, I jut

habnercosta — Sat, 15 Mar 2014 05:23:20 GMT

Thanks petr.hon, I jut configured the NTP server and everything works again.