05-21-2013 03:28 AM - edited 03-10-2019 08:27 PM
Hello,
I'm facing a strange problem with ACS 5.3.0.40.9.
I'm trying to join the ACS to the domain without success. The connection test works properly ("Connection test to <domain> succeeded"), but when I try to save the config I get the error "wrong domain".
This machine was previously in a lab environment and the connection to AD was working fine. Now I'm trying to install it in the production environment.
Maybe ACS has cached information about AD. I cleared it with "ad-agent-clear-cache", but I'm not able to clear the AD config through the CLI:
ACS5(config-acs)# ad-agent-reset-configuration
Performing reset of AD agent configuration , AD agent will be restarted. continue (y/n)?
Unable to restart AD agent. Define AD configuration or check current AD configuration settings
Any thoughts?
Chris.
05-21-2013 05:03 PM
What is the AD setup? Can you please describe how the AD is set up?
What is your domain name? Are you able to execute nslookup for the same from ACS CLI?
Do you see all services running: show application status acs
Please provide the following debugs from acs-config:
(a)acsadmin(config-acs)# debug-adclient enable
(b) acsadmin(config-acs)# debug-log runtime-idstores level debug
(c) acsadmin(config-acs)# debug-log mgmt-bl level debug
Jatin Katyal
- Do rate helpful posts -
05-22-2013 12:34 AM
Problem solved: I created a new AD user for ACS with administrator rights.
This is strange, because it isn't necessary to be an administrator.
Thanks for your response.
05-22-2013 01:33 AM
Glad to know. However, we don't need admin rights.
From the user guide:
Predefined user in AD. The AD account required for domain access in ACS should have either of the following:
• "Add workstations to domain" user right in the corresponding domain.
• "Create Computer Objects" or "Delete Computer Objects" permission on the corresponding Computers container where the ACS machine's account is precreated (created before joining the ACS machine to the domain).
We recommend that you disable the lockout policy for the ACS account and configure the AD infrastructure to send alerts to the admin if a wrong password is used for that account. This is because if you enter a wrong password, ACS will not create or modify its machine account when necessary and may therefore deny all authentications.
Jatin Katyal
- Do rate helpful posts -
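As an added example (not from the thread or the Cisco user guide), the following PowerShell provisions the kind of least-privilege join account the quoted guide describes, using its second option: a plain AD user with "Create Computer Objects" and "Delete Computer Objects" delegated on the Computers container, exempted from lockout through a fine-grained password policy, plus a query for wrong-password events on the PDC emulator as a starting point for the recommended alert. The account name svc-acs-join, the OU "Service Accounts", the policy name ACS-NoLockout and the 24-character minimum length are assumptions; it is run once by a domain administrator on a host with the RSAT ActiveDirectory module.

```powershell
# Added example: provision a least-privilege AD account for the Cisco ACS domain join.
# Assumed names: svc-acs-join, "OU=Service Accounts", "ACS-NoLockout". Run once as a domain admin.
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$domainDn  = $domain.DistinguishedName
$container = "CN=Computers,$domainDn"        # container in which ACS will create its machine account
$svcName   = "svc-acs-join"                  # assumed name of the ACS join account
$svcPass   = Read-Host -AsSecureString "Password for $svcName"

# 1. The join account is an ordinary user, not a member of Domain Admins.
New-ADUser -Name $svcName -SamAccountName $svcName `
    -UserPrincipalName "$svcName@$($domain.DNSRoot)" `
    -Path "OU=Service Accounts,$domainDn" -AccountPassword $svcPass `
    -Enabled $true -PasswordNeverExpires $true -Description "Cisco ACS AD join account"

# 2. Delegate Create Child / Delete Child on the container, restricted to the
#    "computer" object class. The class GUID is read from the schema, not hard-coded.
$schemaNc     = (Get-ADRootDSE).schemaNamingContext
$computerCls  = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=computer)" -Properties schemaIDGUID
$computerGuid = [guid]$computerCls.schemaIDGUID
$svcSid       = (Get-ADUser -Identity $svcName).SID

$rights = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild -bor `
          [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild
$ace = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList `
    $svcSid, $rights,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $computerGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None

$acl = Get-Acl -Path "AD:\$container"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$container" -AclObject $acl

# 3. Exempt only this account from the domain lockout policy with a fine-grained
#    password policy (2008+ domain functional level). LockoutThreshold 0 = never lock out,
#    so a bad password cannot take every ACS authentication down; alert on it instead.
New-ADFineGrainedPasswordPolicy -Name "ACS-NoLockout" -Precedence 10 -LockoutThreshold 0 `
    -ComplexityEnabled $true -MinPasswordLength 24 -MaxPasswordAge (New-TimeSpan -Days 365) `
    -Description "No lockout for the ACS join account; alert on bad-password events instead"
Add-ADFineGrainedPasswordPolicySubject -Identity "ACS-NoLockout" -Subjects $svcName

# 4. Check: the delegated ACE is present on the container ...
Get-Acl -Path "AD:\$container" | Select-Object -ExpandProperty Access |
    Where-Object { $_.IdentityReference -like "*\$svcName" } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, AccessControlType

# ... and nothing has used a wrong password for the account in the last day.
# 4771 = Kerberos pre-authentication failed, 4776 = NTLM credential validation failed.
# The PDC emulator is queried because other DCs retry failed passwords against it.
Get-WinEvent -ComputerName $domain.PDCEmulator -FilterHashtable @{
        LogName = 'Security'; Id = 4771, 4776; StartTime = (Get-Date).AddDays(-1) } |
    Where-Object { $_.Message -match "\b$svcName\b" } |
    Select-Object TimeCreated, Id, MachineName
```

The script lets ACS create its own machine account at join time, so the creator-owner rights it receives on that object cover later password changes. If you instead pre-create the computer object as the guide's wording allows, also grant the join account write access on that specific object, otherwise the join can still fail with an access error even though the container delegation is correct. The same event filter in step 4 is what a SIEM rule or scheduled task would run to raise the alert the guide recommends.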