Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2661
Views
5
Helpful
3
Replies

Cisco ACS 5.7 how to change connection to new domain controllers

Go to solution
IB1
Level 1
Level 1

‎07-02-2020 04:38 PM


Hello,
 
How do you change/update the domain controllers the ACS nodes connect to?
 
We are migrating from the old to the new domain controllers. Cisco ACS is already configured to connect to the old domain controller. I want to change the connection to the new domain controllers, but I can't figure out how on the GUI. I looked at the ACS manual and online, but I have not been able to find the answer to my question.
 
Any help is appreciated. Thank you.
Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
andrew333
Level 4
Level 4

‎07-02-2020 07:26 PM

IB1 - You configure Active Directory in ACS through the Users and Identity Stores > External Identity Stores > Active Directory menu. Beware that it's not just a case of changing to the new Active Directory though. If I recall correctly, you will need to re-import all the AD groups that are referred to in policies and update them in all the service policies. However, ACS is now end of life so you should really be migrating to ISE as soon as possible. Hope this helps.

View solution in original post

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee

‎07-08-2020 06:14 PM

If you're not joining a different domain and simply want ACS to communicate with a specific Domain Controller as the primary one, this may be something you would just configure in AD Sites & Services.

Unless I'm mistaken, ACS acts the same as ISE when integrated with AD. It joins the domain as a computer account, so it uses AD's built-in mechanisms for determining the order in which to communicate with DCs and what to do in case of a DC failure. Make sure you've added the subnet where ACS resides into your Sites and that your Domain Controllers are setup appropriately in the domain.

View solution in original post

0 Helpful
3 Replies 3

Go to solution
andrew333
Level 4
Level 4

‎07-02-2020 07:26 PM

IB1 - You configure Active Directory in ACS through the Users and Identity Stores > External Identity Stores > Active Directory menu. Beware that it's not just a case of changing to the new Active Directory though. If I recall correctly, you will need to re-import all the AD groups that are referred to in policies and update them in all the service policies. However, ACS is now end of life so you should really be migrating to ISE as soon as possible. Hope this helps.

Go to solution
IB1
Level 1
Level 1
In response to andrew333

‎07-08-2020 05:39 AM

Thank you for the information and the recommendation about migrating. It's helpful.

0 Helpful

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee

‎07-08-2020 06:14 PM

If you're not joining a different domain and simply want ACS to communicate with a specific Domain Controller as the primary one, this may be something you would just configure in AD Sites & Services.

Unless I'm mistaken, ACS acts the same as ISE when integrated with AD. It joins the domain as a computer account, so it uses AD's built-in mechanisms for determining the order in which to communicate with DCs and what to do in case of a DC failure. Make sure you've added the subnet where ACS resides into your Sites and that your Domain Controllers are setup appropriately in the domain.

0 Helpful
Customers Also Viewed These Support Documents