Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
9446
Views
5
Helpful
9
Replies

ACS 5.4 - not able to join AD domain

dal
Level 3
Level 3

‎08-13-2013 10:12 AM - edited ‎03-10-2019 08:45 PM

Hi.

I'm having trouble joining the ACS 5.4 to an Windows Server 2012 AD domain.

When I use the Test connection, everything is green.

But when I try to join, I get this error:

Failed During Join [Error while configuring Active Directory: Cannot  open file /var/centrifydc/previous/kset.domain: No such file or  directory due to unexpected configuration or network error.Please try  the --verbose option or run 'adinfo --diag' to diagnose the problem.Join  to domain 'gaasdal.net', zone 'null' failed.]

I have tried to use the adinfo and adcheck cli commands, but I'm not able to use them properly. I always get an error when trying to put in options.

A simple adcheck gives me this, though:

ACS-Malaga/admin# acs troubleshoot adcheck gaasdal.net

This command is only for advanced troubleshooting and may incur a lot of network traffic

Do you want to continue?  (yes/no) yes

OSCHK    : Verify that this is a supported OS                          : Pass

PATCH    : Linux patch check                                           : Pass

PERL     : Verify perl is present and is a good version                : Pass

SAMBA    : Inspecting Samba installation                               : Pass

SPACECHK : Check if there is enough disk space in /var /usr /tmp       : Pass

HOSTNAME : Verify hostname setting                                     : Pass

NSHOSTS  : Check hosts line in /etc/nsswitch.conf                      : Pass

DNSPROBE : Probe DNS server 192.168.100.80                             : Pass

DNSCHECK : Analyze basic health of DNS servers                         : Warning

         : Only one DNS server was found in /etc/resolv.conf.

         : At least one backup DNS server is recommended for

         : enterprise installations.

         : Only one good DNS server was found

         : You might be able to continue but it is likely that you

         : will have problems.

         : Add more good DNS servers into /etc/resolv.conf.

WHATSSH  : Is this an SSH that DirectControl works well with           : Pass

SSH      : SSHD version and configuration                              : Note

         : You are running OpenSSH_5.3p1, CiscoSSL 0.9.8r.1.3.

         :

DOMNAME  : Check that the domain name is reasonable                    : Pass

ADDC     : Find domain controllers in DNS                              : Pass

ADDNS    : DNS lookup of DC kari2012.gaasdal.net                       : Pass

ADPORT   : Port scan of DC kari2012.gaasdal.net                        : Pass

ADDNS    : DNS lookup of DC kari2013.gaasdal.net                       : Pass

ADPORT   : Port scan of DC kari2013.gaasdal.net                        : Pass

ADDNS    : DNS lookup of DC kari2012.gaasdal.net                       : Pass

GCPORT   : Port scan of GC kari2012.gaasdal.net                        : Pass

ADDNS    : DNS lookup of DC kari2013.gaasdal.net                       : Pass

GCPORT   : Port scan of GC kari2013.gaasdal.net                        : Pass

ADGC     : Check Global Catalog servers                                : Pass

DCUP     : Check for operational DCs in gaasdal.net                    : Pass

SITEUP   : Check DCs for gaasdal.net in our site                       : Pass

DNSSYM   : Check DNS server symmetry                                   : Pass

ADSITE   : Check that this machine's subnet is in a site known by AD   : Pass

GSITE    : See if we think this is the correct site                    : Pass

TIME     : Check clock synchronization                                 : Pass

ADSYNC   : Check domains all synchronized                              : Pass

1 warning was encountered during check. We recommend checking this before proceeding

I have also tried adding the ACS manually in AD, but no use.

What could be wrong?

Any ideas?

Thank you.

Labels:
0 Helpful
9 Replies 9

Tarik Admani
VIP Alumni
VIP Alumni

‎08-13-2013 07:40 PM

Hi,

Do you have patch 2 installed? Here is the compatibility matrix for ACS 5.4 and AD versions -

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.4/device_support/sdt54.html#wp71115

Here is the release notes as well -

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.4/release/notes/acs_54_rn.html#wp257803

To find the patch version it is best to ssh into the appliance and issue a show version.

Thanks

Tarik Admani
*Please rate helpful posts*

0 Helpful

dal
Level 3
Level 3
In response to Tarik Admani

‎08-13-2013 10:49 PM

Hi, and thanks for answering.

I'm on version:

Patches :                                                                                                                             5-4-0-46-4

0 Helpful

Jatin Katyal
Cisco Employee
Cisco Employee

‎08-14-2013 03:50 AM

This is a known issue.

CSCuh14898    ACS 5.4 Patch 2 fails to join AD Domain

Description: Customer installed ACS 5.4 with Patch 2,  import the backup from ACS 5.3.  It failed to join the domain.

Got:

Failed During Join [Error while configuring Active Directory: Cannot open file /var/centrifydc/previous/kset.domain: No such file or directory due to unexpected configuration or network error.Please try the --verbose option or run 'adinfo --diag' to diagnose the problem.Join to domain 'unitopr.unitint.test .statefarm.org' ;, zone 'null' failed.

Symptom:

ACS Can not join the domain

Conditions:

ACS 5.4 Patch 2

Workaround:

The workaround suggested to manually remove /var/centrifydc/previous folder completely (rm -rf /var/centrifydc/previous) before trying to adjoin. Don't have the chance to try because customer reimage the box, it works.

More Info:

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

dal
Level 3
Level 3
In response to Jatin Katyal

‎08-14-2013 12:54 PM

Hi, and thank you for answering.

But how do I access the files located in the linux core, such as the /var dir?

Thanks

0 Helpful

Tarik Admani
VIP Alumni
VIP Alumni
In response to dal

‎08-14-2013 12:55 PM

TAC will need to do this for you.

Tarik Admani
*Please rate helpful posts*

0 Helpful

dal
Level 3
Level 3
In response to Tarik Admani

‎08-15-2013 01:24 PM

Bah, I just did a reinstall instead.

I have to redo some configuration, but at least the AD connection works fine now.

Thank you anyway.

0 Helpful

jwarmoth78
Level 1
Level 1

‎09-17-2013 11:28 AM

Same issue on a fresh VM install of ACS 5.4.0.46.4.  Attemtping to joing with domain admin and enterprise admin accounts.  DNS resolution is fine throughout the lab/AD environment.  DC is 2008 R2 SP1

"Failed During Join [Error while configuring Active Directory: Cannot  open file /var/centrifydc/previous/kset.domain: No such file or  directory due to unexpected configuration or network error.Please try  the --verbose option or run 'adinfo --diag' to diagnose the problem.Join  to domain 'nerdlab.local', zone 'null' failed.]"

Cisco ACS VERSION INFORMATION

-----------------------------

Version : 5.4.0.46.4

Internal Build ID : B.221

Patches :

5-4-0-46-4

acs01/admin# acs troubleshoot adcheck testlab.local

This command is only for advanced troubleshooting and may incur a lot of network traffic

Do you want to continue?  (yes/no) y

OSCHK    : Verify that this is a supported OS                          : Pass

PATCH    : Linux patch check                                           : Pass

PERL     : Verify perl is present and is a good version                : Pass

SAMBA    : Inspecting Samba installation                               : Pass

SPACECHK : Check if there is enough disk space in /var /usr /tmp       : Pass

HOSTNAME : Verify hostname setting                                     : Pass

NSHOSTS  : Check hosts line in /etc/nsswitch.conf                      : Pass

DNSPROBE : Probe DNS server 192.168.1.131                              : Pass

DNSCHECK : Analyze basic health of DNS servers                         : Warning

         : Only one DNS server was found in /etc/resolv.conf.

         : At least one backup DNS server is recommended for

         : enterprise installations.

         : Only one good DNS server was found

         : You might be able to continue but it is likely that you

         : will have problems.

         : Add more good DNS servers into /etc/resolv.conf.

WHATSSH  : Is this an SSH that DirectControl works well with           : Pass

SSH      : SSHD version and configuration                              : Note

         : You are running OpenSSH_5.3p1, CiscoSSL 0.9.8r.1.3.

         :

DOMNAME  : Check that the domain name is reasonable                    : Warning

         : The Active Directory domain name testlab.local may cause

         : resolution problems with the operating system domain

         : name server. We strongly suggest you do not use .local

         : as the last component in your Active Directory domain name.

         : If you must, please see the release notes for your operating

         : system and ensure you have disabled multicast DNS.

ADDC     : Find domain controllers in DNS                              : Pass

ADDNS    : DNS lookup of DC labdc.nerdlab.local                        : Pass

ADPORT   : Port scan of DC labdc.nerdlab.local                         : Pass

ADDNS    : DNS lookup of DC labdc.nerdlab.local                        : Pass

GCPORT   : Port scan of GC labdc.nerdlab.local                         : Pass

ADGC     : Check Global Catalog servers                                : Pass

DCUP     : Check for operational DCs in nerdlab.local                  : Pass

SITEUP   : Check DCs for nerdlab.local in our site                     : Pass

DNSSYM   : Check DNS server symmetry                                   : Pass

ADSITE   : Check that this machine's subnet is in a site known by AD   : Pass

GSITE    : See if we think this is the correct site                    : Pass

TIME     : Check clock synchronization                                 : Pass

ADSYNC   : Check domains all synchronized                              : Pass

2 warnings were encountered during check. We recommend checking these before proceeding

0 Helpful

Marc Rousseau
Level 1
Level 1
In response to jwarmoth78

‎10-15-2013 04:23 AM

We've got the same problem :

Error while configuring Active Directory: Cannot open file /var/centrifydc/previous/kset.domain: No such file or directory due to unexpected configuration or network error.Please try the --verbose option or run 'adinfo --diag' to diagnose the problem.Join to domain 'our.domain', zone 'null' failed.

Cisco ACS VERSION INFORMATION

-----------------------------

Version : 5.4.0.46.3

Internal Build ID : B.221

Patches :

5-4-0-46-3

When running "acs troubleshoot adcheck our.domain" everything is OK

0 Helpful

Jatin Katyal
Cisco Employee
Cisco Employee
In response to Marc Rousseau

‎10-15-2013 12:48 PM

Since patch 5 is available and as per bug the issue has been addressed in patch 5, please apply it.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin
0 Helpful
Customers Also Viewed These Support Documents