topic Michael, in Network Access Control

how ACS communicate with DomainController in different DCs?

Michael Jiang — Mon, 11 Mar 2019 06:22:32 GMT

Dear,

Our company has 4 ACS, version is 5.3, one is primary and other three are secondary.

They are in different DC, and I don't know which Domain Controller they communicate, how to check it and how to configure ACS5.3 to communicate dedicated DomainController?

Thanks,

Michael

Michael,

Javier Henderson — Thu, 07 Jan 2016 12:05:41 GMT

Michael,

ACS will do a DNS query to find the domain controllers for the domain to which it's bound, and pick one from the list using sites and services.

The GUI does not let you hard-code ACS to a single (or set of) DC, it's possible to do that but it requires access to the filesystem. It's not recommended, but you can open a case with us if you insist in going this route.

Michael,

Jatin Katyal — Thu, 07 Jan 2016 16:16:09 GMT

Michael,

Can you try this and see how it goes:

You can run the following command in the CLI of the ACS in the ACS
configuration mode -

acs/admin# acs-config

Escape character is CNTL/D.
Username: <GUI username>
Password: <GUI Password>

ACS/acsadmin(config-acs)# ad-agent-configuration dns.dc.<domain-name>.com <hostname1> distribute

You may see an issue with the command format. I haven't personally tested this lately on ACS 5.3.

Note# using this will force the ACS to authenticate only using that specific DC. If the DC
becomes unreachable, you would have to run this command to point the ACS to another DC.

Also, this would require a restart to the services.

http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-3/command/reference/cli/cli_app_a.html#pgfId-2105448

Open TAC case if you're not comfortable running the above command.

- Jatin

Hi Jatin,

Michael Jiang — Fri, 08 Jan 2016 02:05:17 GMT

Hi Jatin,

Thanks a lot for your detailed explanation. So far I wouldn't run that command and still have following question.

1. If I force the ACS to authenticate only using that specific DC, whether it means all ACS instances will only can use them, and couldn't use other and nearest Domain Controller?

2. How ACS pick Domain Controller from its list and based on which mechanism? Is there any document I can have a look?

- Michael

Hi Javier,

Michael Jiang — Fri, 08 Jan 2016 02:09:09 GMT

Hi Javier,

Thanks for your answer and recommendation.

The same question to you that I asked Jatin.

- Michael

No worries!

Jatin Katyal — Fri, 08 Jan 2016 06:08:30 GMT

No worries!

1. The settings will only be applicable for the ACS you will make changes on. It won't impact other ACS instances.

2. This should answer you questions:

https://supportforums.cisco.com/discussion/11598191/force-acs-v5-join-domain-certain-domain-controller

The mechanism it uses is to see if it can reach DNS using both UDP and TCP. Next it does a _ldap._tcp. DNS query for the domain to find the DC. It then checks to see if it can reach the DC on the ports needed to communicate with AD. Documented in ACS user guide.

-Jatin