Solved: ACS HOW TO USE ADINFO

bvj197222 · ‎02-25-2015

Hello,

I need to see which domain Controllers that the ACS is communicating With. I tried;

XXXACS02/admin# acs troubleshoot adinfo --server
This command is only for advanced troubleshooting and may incur a lot of network traffic

Do you want to continue? (yes/no) yes
server1.domain.no

The server1.domain.no is a server located at another location, so I don't think this is the primary server the ACS is talking to. Any other commands that would give the output?

nspasov · ‎02-25-2015

The server location would not matter if default AD and ACS AD configurations are used. Unless something has changed, ACS uses DNS to resolve all of the available domain controllers. You can use the following command to list all of the DCs that ACS is querying:

acs troubleshoot adinfo --test

Then you can use this command to see which one ACS is currently connected to:

admin# acs troubleshoot adinfo -a

This command will also give you the output of the "Preferred Site." You can use this field in your AD environment to control which DCs ACS is using. For more info check this link:

http://blog.priveonlabs.com/sec_blog.php?title=acs-v5-should-be-able-to-query-only-desired-domain-controllers-active-directory-dns-workaround&more=1&c=1&tb=1&pb=1

That link also contains a reference to an ACS defect (CSCte92062) that provides some ACS related confgs that you can use to restrict which DCs ACS is using.

I hope this helps!

Thank you for rating helpful posts!

View solution in original post

nspasov · ‎02-25-2015

The server location would not matter if default AD and ACS AD configurations are used. Unless something has changed, ACS uses DNS to resolve all of the available domain controllers. You can use the following command to list all of the DCs that ACS is querying:

acs troubleshoot adinfo --test

Then you can use this command to see which one ACS is currently connected to:

admin# acs troubleshoot adinfo -a

This command will also give you the output of the "Preferred Site." You can use this field in your AD environment to control which DCs ACS is using. For more info check this link:

http://blog.priveonlabs.com/sec_blog.php?title=acs-v5-should-be-able-to-query-only-desired-domain-controllers-active-directory-dns-workaround&more=1&c=1&tb=1&pb=1

That link also contains a reference to an ACS defect (CSCte92062) that provides some ACS related confgs that you can use to restrict which DCs ACS is using.

I hope this helps!

Thank you for rating helpful posts!

bvj197222 · ‎02-26-2015

Great answer, thanks! One quick question from a rookie; where on the ACS do I create the subnet and edit the site as described in step 3?

Step 3:

After you have allowed enough time for replication, Disjoin & Rejoin ACS to the Domain. This step will rejoin ACS to the appropriate Domain Controller

Create a subnet: 192.168.1.0/24

Edit the CLT0 Site & Add the Subnet: 192.168.1.0/24

nspasov · ‎02-26-2015

I believe these are all changes/settings that you have to make on your domain controller.

Thank you for rating helpful posts!

mohanak · ‎02-26-2015

To retrieve the AD join settings and status, use the acs troubleshoot adinfo command in EXEC mode. This command can also be used to retrieve detailed information regarding the domain, users, and domain controllers.

acs troubleshoot adinfo parameter

http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-5/command/reference/cli/cli_app_a.html#pgfId-1149027