Hi Federico,

Thanks for take care about my question, but I already solved it. Maybe I did not explain myself well. The problem was that I could not see the Group List on the ACS (Users and Identity Stores > External Identify Stores > Active Directory > Directory Groups) when I used that path to find the groups created on the Win Server AD the list was empty.

I did some test on the ACS config synchronizing it with a Win Server 2003 and it worked perfect, so the problem should be on the Win server 2008 configuration, and actually it was. On the Win Server 2008 AD role, there is an option named Microsoft Identity Management for UNIX (in Win Server 2003 seems to be enable by default on the AD installation) and "voila" problem solved, the AD database is publicized on the ACS.

Anyways, thanks for the debugging tips i did not know about that.

Regards

Jose.

I have the problem again. The components used are:

A. Cisco ACS 5.2 Virtualized on VMWare and with the Demo License (valid for 90 days).

B. Windows Server 2008 Enterprise Edtion  (x64)

     This server runs: DNS, AD, CA.

     NTP service (Meinberg NTP software) this machine is used by the devices as NTP server to sync.

I did the next:

1. I Created 12 users and Assigned to 3 groups on Win AD (Employees, Engineers, Outsourcing)

2. I registered the ACS 5.2 IP on the DNS.

3. Under "Users and Identity Stores > External Identify Stores > Active Directory > General" I've test the domain connection using a Username and Password with privileges and the "test connection" was successful. Then I Saved Changes and the Joined Domain was correct and the Connectivity Status appeared as CONNECTED.

4. The I go to "Users and Identity Stores > External Identify Stores > Active Directory > Directory Groups" and when I click on Select the pop-up window show this information:

     Search Base DN DC=sona,DC=lab (which is Correct), but does not show any group from the AD database.

I've looked for these kinds of issues on the web, but the information about application using ACS 5.X and Win Server 2008 is almost inexistent.

Thank you for pinging back on this one Jose.

At this stage I'd guess that the fastest way to isolate the issue would be through some logs on ACS:

1. Log in to the ACS command line and enable the following debugs:

admin# acs-config

Escape character is CNTL/D.

Username:

Password:

acsadmin(config-acs)# debug-adclient enable

acsadmin(config-acs)# debug-log mgmt level debug

acsadmin(config-acs)# debug-log runtime level debug

2. Recreate the issue a couple of times by trying to list the AD groups in the authentication rule and even by trying to list them under

Users and Identity Stores > External Identify Stores > Active Directory > Directory Groups > select...

3. Take note of the time stamp when you recreate the issue and then collect the ACS support bundle from the Monitoring & Report Viewer, under

Troubleshooting > ACS Support Bundle

Please be sure of collecting the support bundle while checking the following options:

Encrypt Support Bundle = Unchecked

Include full configuration database = Unchecked

Include debug logs = All

Include local logs = All

Include core files = All

Include monitoring and reporting logs (all categories checked) = Include files from the last 1 day

Also, please communicate the time stamp when the issue is observed, so that we can track it faster in the logs.

Regards,

Fede

--

If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

Jose, how are you going with this, any progress?  I'm in the middle of troubleshooting ACS 5.2 (v5.2.0.26.3) with Win 2008 R2 AD, and I'm getting a lot of strange results - groups missing, status "disconnected" etc.

Soon I will post the full details of the problem but I'd be interested to hear if you ever resolved the issues above.

Thanks

Rob

Hi Rob,

Actually I stop working on this issue with Win Server 2008, I started to working with Win Server 2003 again. I had no time to do the Debugs that Federico Request to validate the ACS behaviour.

Once Again, I only had problems with the Active Directory, the connection works the synchronization seems to work but when I look for the groups or the users the ACS does not show anything.

Could you please update this post in case you find a solution??

Thakns and Regards,

Jose.

Hi Fede,

We are having the very same issue as listed above (and the same configuration), unfortunately we may not be in a position to use a 2003 server in our Windows 2008 infrastructure due to recent policy changes.

Do you know whether this is a common issues with Windows 2008 R2?

First thing to check is your ACS hostnames.  Are they longer than 15 characters?  This is what caused all the trouble for us, after a rebuild to shorter 15 chars-or-less ACS hostnames, everything worked fine.

Of course, make sure that DNS is set up correctly and NTP is in sync too.

I'd also suggest NOT using 5.2.0.44.3, we;re running reliably on 5.2.0.44.2 and I wouldn't patch it beyond this unless really forced to.

Best of luck,

Rob

Hi Rob,

Yeah we ensured that NTP was in sync and DNS appeared to be setup correctly, ACS name was 14 characters....

However we are running version 5.2.0.26, I cant see any other version apart from this for the ACS appliance?

Hi Stephen,

Patch bundles, suggest you download patch bundle 2.  Also, sorry, I did mean 5.2.0.26.2 (not 5.2.0.44.2).

You need to d/l 5-2-0-26-2.tar.gpg and patch appropriately.

Did a computer account for the ACS turn up in AD when you joined the domain?

Do you have nested groups or groups with odd characters in AD?  ACS hates nested groups (e.g. global groups inside global groups or whatever) and I also saw it have a tantrum when we tried to enumerate a group with a hash in the name.

Can you ping the domain name (e.g. ping myactivedirectorydomain.org) from the cli?

Nslookup all the DC's?

Further to that, from the cli run a "tech dumptcp" and have a look at what is really going on.

Good luck,

Cheers

Rob

Hi Rob,

Got it working in the end, it was related to the patch, however applying the patch did not seem to fix it. I changed the NETBIOS name of the AD server and I think this may have upset ACS.  Reinstalled the ACS server and works like a treat.

Really appreciate all your help in this matter.

Cheers

Steve