Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
484
Views
0
Helpful
3
Replies

ACS 3.3.3 with win2003 domains

christine.tan
Level 1
Level 1

‎06-01-2006 06:55 PM - edited ‎03-10-2019 02:36 PM

Hi all,

The customer have a Win 2003 domain (A) and a trust established with another Win

2003 domain (B). Domain A is the one with the CiscoSecure software ( ACS v3.3.3 ). These two domains are both pure win2003 mode.

But when trying to "add mappings" for this new 2003 Domain (B), I

continually am getting "failed to enumerate Windows groups. If you are

using Active Directory consult the installation guide for information."

I am not able to see domain B's users and groups from within the Ciscoe

Secure software.

However, if I use Active Directory Users and Computers from Domain A,

and "connect to domain" and choose Domain B, I am able to view all

users and groups just fine.

Do you know if there is a problem with configuring two 2003 domains in

this software? Do you have any other areas that I should investigate?

Some local policy on Domain B?

Thanks & Regards,

Terry.

Labels:
0 Helpful
3 Replies 3

globalnettech
Level 5
Level 5

‎06-02-2006 02:28 AM

Hello Terry,

this is a link to an excerpt from the ACS Troubleshooting Guide, you might want to check the things mentioned here. Scroll down to page 630 (or page 16 in Acrobat Reader);

http://www.ciscopress.com/content/images/1587051893/samplechapter/1587051893content.pdf

HTH,

GNT

0 Helpful

AnuragKhare
Level 1
Level 1

‎06-02-2006 10:21 AM

hi terry,

i had this issue a couple of weeks back & this is certainly achievable, but most of the heavy lifting to be done is actually on the w2k3 side.

using two Windows 2003 Enterprise servers in two different forests & domains, you can map groupA from domainA in forestA to ACS Group1 & groupB from domainB in forestB to ACS Group2. the key is to have a full 2-way transitive trust [I tested using forest-wide trust] between the two domains for the ACS to be able to enumerate windows groups from both domains.

you also need to ensure that the CS__ services run as a domain user's a/c, rather than Local Service. i created a dummy usr in AD & granted it the appropriate privileges in both domains. a reboot or two later [to force the group policies to update], and the 2 way trust validated, i stopped getting the 'failed to enumerate windows groups'.

i don't have my notes on me, but this is just to let you know this's possible. caveats: i tested using acs4, but i'm pretty on the sure side that this can also be done using acs3.3 since they the AD db query driver still functions similarly across domains [again, because this is a windows thing, not acs as much].

good luck.

0 Helpful

christine.tan
Level 1
Level 1
In response to AnuragKhare

‎06-04-2006 07:47 PM

Hi globalnettech & AnuragKhare,

Thanks for your kindly help. Actually, i have done according to what you said, but it is still not work fine. I wonder whether i should install acs on domain controller server?(Now, acs is installed on a member server.)

Terry.

0 Helpful
Customers Also Viewed These Support Documents