ACS 5.2 - AD integration with a single domain name resolving to multiple ADs

pemasirid
Level 1

Hi,

We have ACS version 5.2 0.26 with Active/Standby. We need to integrate Active Directory with ACS. The domain name given by the server team was xyzcompy.local. When I tried to resolve that domain name I got five server IP addresses for the same domain name; however, we have IP reachability to only two of those servers. When we try to save, we get an error saying "Can not resolve the network address".

So my questions are:

- Does ACS need IP reachability to all five servers?

- Does the username/password we entered in ACS need to have domain admin rights?

- The AD is configured with Windows NTP (time.windows.com), but when we configured ACS with Windows NTP it was taking the local server as the active NTP..?

When we check the ACS logs, we see the following errors;

in acsLocalStore:

AdminName=acsadmin, DomainName=qatarconvention.local, ADOperationResult=unable to create secured connection against AD server\, switching to non-secured connection. javax.naming.CommunicationException: simple bind failed: qnccad02.xxxxconvention.local:636 [Root exception is java.net.SocketException: Connection reset],

in ACSADAgent:

32484]: INFO  dns.findsrv FindSrvFromDns failed: res_query failed _ldap._tcp.xxxxconvention.local

Sep  4 12:43:20 acs01-cc4 adjoin[32484]: INFO  cli.adjoin Join to domain 'xxxxconvention.local', zone 'null' failed.

I attached some screen prints showing the error and the output of nslookup for the domain name.

I would appreciate it if someone could give me the correct answers to the above in order to resolve this issue.

Thanks in advance.

3 Replies

Nicolas Darchis
Cisco Employee

It seems that your ACS is not configured with the same DNS server as your laptop? It cannot resolve any names, so... there's an issue there :-)

In theory, ACS doesn't need all DCs to be reachable. However, in practice, it has been observed to add delays and some issues in particular cases.

The user used to join ACS to the domain needs to have the right to create/delete/modify computer objects in the domain. The exact rights are given in the ACS config guide, identity store chapter, "AD" paragraph.

I have to admit that I didn't understand anything about what you explain regarding NTP :-)

Hi Nicolas,

Thanks for your response. I have explained the issue to the server guys. I'm not sure what changes they did, but now I get an answer with all the available servers in the domain when I do an nslookup of the domain name in the ACS CLI, but ACS only has reachability to two of the servers it answered with (06 out of 02).

(As attached.) However, I'm still failing when I try to join the domain in ACS, with "can not resolve the network address".

So now what could be the issue? As I mentioned earlier, does ACS need to have IP reachability to all the available servers? Other than that I don't see any other issues related to this problem...?

Thanks

Since your DNS guys seem like funny guys, it's not impossible that they don't return SRV records.

What ACS relies on is an SRV query towards the domain name, which returns the services present in the domain.

Please make sure that this is returned.