06-01-2006 06:55 PM - edited 03-10-2019 02:36 PM
Hi all,
The customer has a Win 2003 domain (A) and a trust established with another Win
2003 domain (B). Domain A is the one with the CiscoSecure software (ACS v3.3.3). These two domains are both pure Win2003 mode.
But when trying to "add mappings" for this new 2003 Domain (B), I
am continually getting "failed to enumerate Windows groups. If you are
using Active Directory consult the installation guide for information."
I am not able to see domain B's users and groups from within the CiscoSecure
software.
However, if I use Active Directory Users and Computers from Domain A,
and "connect to domain" and choose Domain B, I am able to view all
users and groups just fine.
Do you know if there is a problem with configuring two 2003 domains in
this software? Do you have any other areas that I should investigate?
Some local policy on Domain B?
Thanks & Regards,
Terry.
06-02-2006 02:28 AM
Hello Terry,
This is a link to an excerpt from the ACS Troubleshooting Guide; you might want to check the things mentioned there. Scroll down to page 630 (or page 16 in Acrobat Reader):
http://www.ciscopress.com/content/images/1587051893/samplechapter/1587051893content.pdf
HTH,
GNT
06-02-2006 10:21 AM
hi terry,
i had this issue a couple of weeks back & this is certainly achievable, but most of the heavy lifting to be done is actually on the w2k3 side.
using two Windows 2003 Enterprise servers in two different forests & domains, you can map groupA from domainA in forestA to ACS Group1 & groupB from domainB in forestB to ACS Group2. the key is to have a full 2-way transitive trust [I tested using forest-wide trust] between the two domains for the ACS to be able to enumerate windows groups from both domains.
you also need to ensure that the CS__ services run as a domain user's a/c, rather than Local Service. i created a dummy user in AD & granted it the appropriate privileges in both domains. a reboot or two later [to force the group policies to update], and with the 2-way trust validated, i stopped getting the 'failed to enumerate windows groups'.
i don't have my notes on me, but this is just to let you know this is possible. caveats: i tested using acs4, but i'm pretty on the sure side that this can also be done using acs3.3 since the AD db query driver still functions similarly across domains [again, because this is a windows thing, not acs as much].
good luck.
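A diagnostic for the three points in the reply above (a two-way trust to domain B, the CS services running as a domain account rather than a local one, and whether domain B's groups can be read at all), written as an added PowerShell example that is not from this thread or from Cisco. The domain name and the "CS" service-name prefix are placeholders; run it on the ACS member server in domain A, ideally under the account the CS services use.

```powershell
# Added diagnostic, not from the thread. Placeholders: domain B's DNS name and
# the ACS service name prefix. Run on the ACS member server in domain A.
param(
    [string]$TrustedDomain = "domainB.example",   # placeholder for domain B
    [string]$ServicePrefix = "CS"                 # ACS services are named CS<Name>
)

# 1. Check that a two-way trust from domain A to domain B exists.
$domainA = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$trust = $domainA.GetAllTrustRelationships() |
    Where-Object { $_.TargetName -ieq $TrustedDomain }
if (-not $trust) {
    Write-Warning "No trust from $($domainA.Name) to $TrustedDomain found."
} elseif ($trust.TrustDirection -ne 'Bidirectional') {
    Write-Warning "Trust to $TrustedDomain is $($trust.TrustDirection), not two-way."
} else {
    Write-Host "Two-way $($trust.TrustType) trust to $TrustedDomain is present."
}

# 2. Check that the ACS services do not run as a local account: a local account
#    has no identity in the trusted domain, so group enumeration there fails.
Get-WmiObject Win32_Service | Where-Object { $_.Name -like "$ServicePrefix*" } |
    ForEach-Object {
        if ($_.StartName -match '^(LocalSystem|NT AUTHORITY\\)') {
            Write-Warning "$($_.Name) runs as $($_.StartName); use a domain account."
        } else {
            Write-Host "$($_.Name) runs as $($_.StartName) ($($_.State))."
        }
    }

# 3. Attempt the read ACS performs: enumerate groups in domain B over LDAP with
#    the current credentials. A failure here points at the trust or at the
#    account's rights in domain B rather than at ACS itself.
try {
    $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$TrustedDomain")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = "(objectCategory=group)"
    $searcher.PageSize = 500
    $groups = $searcher.FindAll()
    Write-Host "Enumerated $($groups.Count) groups from $TrustedDomain."
} catch {
    Write-Warning "Group enumeration from $TrustedDomain failed: $($_.Exception.Message)"
}
```

Running step 3 under the service account (for example via runas) reproduces what the ACS enumerator sees, which separates an AD rights problem from an ACS configuration problem.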
06-04-2006 07:47 PM
Hi globalnettech & AnuragKhare,
Thanks for your kind help. Actually, I have done what you said, but it still does not work. I wonder whether I should install ACS on a domain controller server? (Currently ACS is installed on a member server.)
Terry.