
dal
Participant

ACS v5.2.0.26.3 - AD Join/Rejoin/Disconnect Problems

Hi!

I see under the Active Directory tab that the AD Connectivity status is suddenly set to Disconnected.

But if I click the Test Connection button, the result comes back Successful.

So then I'm stuck....

Is there a way to rejoin the ACS into AD?

I have done the usual stuff: rebooting the ACS, checked NTP, rebooted the AD controller.

As a last resort, I have tried to clear the AD config, but I keep getting this message:

This System Failure occurred: This Identity Store is in use and may not be deleted. Remove all references to this store in Policies and Identity Sequences. Your changes have not been saved.

The problem is that I have checked (and rechecked and rechecked again) the configuration, and I cannot find any more references to AD.

Is there a way to FORCE-clear the AD configuration?

Thanks.

7 REPLIES 7
Yudong Wu
Rising star

Can you please make sure you have checked all the places listed below?

There are no policy rules that use custom conditions based on the AD dictionary.

The AD is not chosen as the identity source in any of the available access services.

There are no identity store sequences with the AD.

If yes, try to ssh to the ACS and run the command "acs stop adclient" to see if you can stop the AD client, and then you can restart it with "acs start adclient" again.

I'm also seeing this problem on 5.2.0.26.1.  Just about to upgrade to 5.2.0.26.3...... will let you know how it goes.

This is not working for me.

I have checked (more like triple checked) all places I can think of, but still the same error.

This is way harder than it should be, IMO.

As Yudong Wu said, check your "identity sources" under access policies -> access services -> (access service name) -> identity -> identity source.

That one can catch you out.

Hi, and thanks for answering.

I did check all the said things, but nothing helped.

BUT: I DID manage to get ACS to join another Domain.

What I did was this:

After checking that AD does not exist in any Identity Source Sequences, Policies, etc, I rebooted the server.

After rebooting, I CHANGED the AD settings to another domain.

Don't bother to do the Clear Configuration, I never got that to work.

So the goal was reached in the end.

Thanks again.

I'm having the problem now with ACS 5.3.0.40.2. Would you please explain the switching to another domain procedure? I don't have another domain to go to. I attempted to patch to patch 6 & 7 due to known ADclient issue (CSCtx71254) and the issue of ADclient disconnect remained persistent.

I reverted and replaced patches in successive order and there has been no other resolve other than patching from the base to patch 2 (original patch we're at). I have a Cisco Engineer looking into the bundle of logs that I sent them, but have heard from Cisco in about two days.

Any ideas about this ADclient disconnect issue?

Michael
Sent from Cisco Technical Support iPad App

Hi

Please install the latest patch for ACS 5.3; there are a lot of known issues with AD connectivity and ACS pre patch 3. You can check the release notes for the list of resolved caveats... www.cisco.com/go/acs

You can debug this issue by following a doc that I created:

https://supportforums.cisco.com/docs/DOC-26787

This should give you the debugs you need or you can forward your findings over to TAC.

thanks,

Tarik Admani
*Please rate helpful posts*
