Solved: ACS DC discovery failure

ViktorVik36163 · ‎11-19-2019

We have two ACS 5.8.1.4 servers, working in replication, and 6 Domain Controllers. The project plans provide for the integration of ACS servers with only two of the 6 DCs.

After configuration, ACS primary and secondary are joined and connected with 2 of the 6 domain controllers. Tab Users and Identity Stores > External Identity Stores > Active Directory display all 6 DC hosts after running ACS AD troubleshooting test in web gui.

ACS periodically generates logs “DC discovery failed” (see screenshot). We assume that ACS generates errors due to the availability of the remaining 4 DCs.

What is the cause of this error and how to configure ACS not to generate “DC discovery failure” error?

Colby LeMaire · ‎11-20-2019

When ACS or ISE are connected to Active Directory, they behave just like any Windows client. They use DNS to find the closest domain controller (assuming AD Sites & Services is configured properly in AD). It also gets a list of all domain controllers and tests connectivity to them on a regular basis to know which ones are alive for authentication. I don't think you can turn off those messages because if you did, it would apply to all domain controllers and not just specific ones. I assume that there is a firewall or similar blocking access to the other 4 domain controllers. So this will continue to happen.

If you want ISE or ACS to use only 2 specific domain controllers, you can have them configure AD Sites & Services where the 2 domain controllers are in a separate site along with the ACS/ISE management IP addresses. Those entries into Sites & Services can be /32 addresses. Then open up the firewall to the other domain controllers to get rid of the alarms. ISE will then prefer the 2 domain controllers in the same site and will only fail over to the other 4 domain controllers if the first 2 are unavailable.

View solution in original post

Colby LeMaire · ‎11-20-2019

When ACS or ISE are connected to Active Directory, they behave just like any Windows client. They use DNS to find the closest domain controller (assuming AD Sites & Services is configured properly in AD). It also gets a list of all domain controllers and tests connectivity to them on a regular basis to know which ones are alive for authentication. I don't think you can turn off those messages because if you did, it would apply to all domain controllers and not just specific ones. I assume that there is a firewall or similar blocking access to the other 4 domain controllers. So this will continue to happen.

If you want ISE or ACS to use only 2 specific domain controllers, you can have them configure AD Sites & Services where the 2 domain controllers are in a separate site along with the ACS/ISE management IP addresses. Those entries into Sites & Services can be /32 addresses. Then open up the firewall to the other domain controllers to get rid of the alarms. ISE will then prefer the 2 domain controllers in the same site and will only fail over to the other 4 domain controllers if the first 2 are unavailable.

ViktorVik36163 · ‎12-08-2019

A firewall and network access is open for all 6 DCs, but messages are still going. Tests connectivity from ACS to all DCs are OK. So what we need to do to stop those messages?
ACS configured with the ‘ip name server’ command for only 2 of 6 IPs of Domain Controllers (also DNS roles). System shows that 3 ‘ip name server’ is the max value. So how to configure all 6 DNS servers on ACS ?