cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1462
Views
5
Helpful
6
Replies

Active Directory Redundancy for 2 ACS Systems

Hello Everyone,

I have 2 ACS hardware boxes in 2 different locations. When I bring down one AD server, the ACS associated with that AD server does not switch to the other AD server for user store. In this situation access to the devices gets locked out as the device sees that the ACS is alive and hence does not permit local logins. At the same time because it does not switch to the other AD users too cannot login into the device. To overcome this we created ACS local accounts which solved the problem for that time.

I'm trying to find out the below:

Why does the ACS 5.2 does not move to the other AD when one AD is down?

How do I fix this?

I've attached a powerpoint presentation to further explain this problem.

Help on this is much appreciated.

Thanks,

Rishi

6 Replies 6

Richard Atkin
Level 4
Level 4

I think this improves with ACS 5.4.

If you want to fix it you have to either bring the AD box back online, or un-join / re-join the ACS from the Domain, whichcould do all sorts of bad things to your deployment though (lots of threads available about this)... Upgrading to 5.4 is probably your best port of call if you want any measure of a decent AD/ACS interaction.

Does this mean that the AD systems do not require service type records along with A records pointing to both the AD systems when we use 5.4? Currently both the AD systems ip address are pointing to the domain name but i guess they do not have service type records?

Thanks,

Rishi

Hi Rishi,

The problem you'are experiencing is a known defect where ACS will disconnect and reconnect to the same DC after an RPC failure instead of moving on to a new domain controller as adclient does not recover from an RPC failure with a domain. If you want, you can run the adclient logs at the debug level, let the issue reoccur and execute this command on the ACS CLI show acs-logs filename ACSADAgent.log | inc smbserver. You will see ACS connecting and disconnecting to the same domain controller.

The workaround is to either restart the ACS and/or domain controller. This defect has been fixed in ACS 5.3.0.40 patch 3 and above. However, I would suggest you patch 8.

By default ACS 5.3/5.4 queries DNS for a list of DCs for a given domain. It will poll the DNS for all of the SRV records. This behavior can be overridden by setting or pointed the ACS towards a desired DC's.

If connection attempt to one DC fails then ACS will try to connect to other DCs from the list it retrieves via DNS. Actually ACS 5.3/5.4 knows to sweep / test all DCs from the list and find available/appropriate one. If a DC is not reachable ACS is expected to try the next one.

If currently connected DC becomes unavailable then ACS knows to failover to another DC from the list within approximately 1 minute.

Hope this helps.

Jatin Katyal
- Do rate helpful posts -

~Jatin

Hi Jatin,

Thanks for taking out time for answering this one.

I agree with the points you make. Also, I assume Rich, in his earlier comment is referring to the same. Here is the configuration of the acs systems.

My thoughts are as follows: The domain controller itself is the DNS and the NTP for the said ACS boxes which are running 5.2. So when the AD goes down the DNS also goes down and the ACS is not able switch the DNS and subsequently the AD too. Will it make sense to have the name server configuration a replica of each other instead of having it reverse like the way it is? Or upgrade is the ONLY way forward?

Please let me know

Thanks,

Rishi

Geographic Location 1

hostname GL1

!       

ip domain-name domain.com

!       

interface GigabitEthernet 0

  ip address 100.100.100.222/24

!

ip name-server 100.100.100.100 100.100.200.100

Geographic Location 2

hostname GL2

!       

ip domain-name domain.com

!       

interface GigabitEthernet 0

  ip address 100.100.200.222/24

!

ip name-server 100.100.200.100 100.100.100.100

It's an issues with ad agent. The newer version has the upgraded one. We have to upgrade to acs 5.3 patch 3 or above or acs 5.4

here is a defect, I was talking about:

CSCtu15832    ACS 5.2 will not recover from an RPC failure with a domain controller

Jatin Katyal
- Do rate helpful posts -

~Jatin

Hi Rishi,

Guess, it adds little more clarification and we understand why we need to upgrade the ACS server to resolve this issue.

Jatin Katyal

- Do rate helpful posts -

~Jatin