11-19-2019 10:57 PM
We have two ACS 5.8.1.4 servers working in replication, and 6 Domain Controllers. The project plan provides for the integration of the ACS servers with only two of the 6 DCs.
After configuration, the ACS primary and secondary are joined and connected to 2 of the 6 domain controllers. The Users and Identity Stores > External Identity Stores > Active Directory tab displays all 6 DC hosts after running the ACS AD troubleshooting test in the web GUI.
ACS periodically generates "DC discovery failed" logs (see screenshot). We assume that ACS generates these errors because of the availability of the remaining 4 DCs.
What is the cause of this error, and how can ACS be configured not to generate the "DC discovery failure" error?
11-20-2019 06:17 AM - edited 11-20-2019 06:18 AM
When ACS or ISE are connected to Active Directory, they behave just like any Windows client. They use DNS to find the closest domain controller (assuming AD Sites & Services is configured properly in AD). They also get a list of all domain controllers and test connectivity to them on a regular basis to know which ones are alive for authentication. I don't think you can turn off those messages, because if you did, it would apply to all domain controllers and not just specific ones. I assume that there is a firewall or similar blocking access to the other 4 domain controllers, so this will continue to happen.
If you want ISE or ACS to use only 2 specific domain controllers, you can have them configure AD Sites & Services so that the 2 domain controllers are in a separate site along with the ACS/ISE management IP addresses. Those entries in Sites & Services can be /32 addresses. Then open up the firewall to the other domain controllers to get rid of the alarms. ISE will then prefer the 2 domain controllers in the same site and will only fail over to the other 4 domain controllers if the first 2 are unavailable.
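The Sites & Services change described in the answer above, as an added PowerShell example (not code from the original thread or from Cisco). It creates a dedicated AD site, registers the two ACS management addresses as /32 subnets in that site, moves the two reachable DCs into it, and then checks the site-specific DNS SRV record that a site-aware client like ACS/ISE would query. The site name, DC hostnames, ACS addresses and domain name are assumptions for illustration; run it on a domain-joined admin host with the RSAT ActiveDirectory module.

```powershell
# Added example, not part of the original post: carve out an AD site so that
# ACS/ISE (registered by /32 subnet) prefer the two DCs they are allowed to reach.
# All names and addresses below are assumed for illustration.
Import-Module ActiveDirectory

$SiteName  = 'ACS-Site'                      # assumed site name
$DCsForACS = 'DC1', 'DC2'                    # assumed hostnames of the 2 reachable DCs
$AcsHosts  = '10.10.10.11', '10.10.10.12'    # assumed ACS primary/secondary management IPs
$Domain    = 'example.com'                   # assumed AD DNS domain

# 1. Create the site if it does not already exist.
if (-not (Get-ADReplicationSite -Filter "Name -eq '$SiteName'")) {
    New-ADReplicationSite -Name $SiteName
}

# 2. Register each ACS management IP as a /32 subnet bound to the new site.
#    Subnet-to-site mapping is what makes DC discovery "site-aware" for these hosts.
foreach ($ip in $AcsHosts) {
    $prefix = "$ip/32"
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$prefix'")) {
        New-ADReplicationSubnet -Name $prefix -Site $SiteName
    }
}

# 3. Move the two permitted DCs into the new site.
foreach ($dc in $DCsForACS) {
    Move-ADDirectoryServer -Identity $dc -Site $SiteName
}

# 4. Keep the new site on the default site link so AD replication between
#    the moved DCs and the other four DCs continues to work.
Set-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' -SitesIncluded @{Add = $SiteName}

# 5. Verify: the site-specific LDAP SRV record should list only DC1 and DC2.
#    Run this from a host inside one of the /32 subnets, or from any domain host,
#    to confirm DNS now advertises the intended DCs for this site.
nslookup -type=SRV "_ldap._tcp.$SiteName._sites.dc._msdcs.$Domain"
```

Note that this only changes which DCs ACS/ISE prefer; as the answer says, the "DC discovery failed" alarms come from the periodic connectivity test against the full DC list, so the firewall still needs to permit the AD ports to the other four DCs for the alarms to stop.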