How does ACS communicate with the Domain Controller in different DCs?

Michael Jiang
Level 1

Dear,

Our company has 4 ACS servers running version 5.3; one is primary and the other three are secondary.

They are in different DCs, and I don't know which Domain Controller they communicate with. How can I check this, and how do I configure ACS 5.3 to communicate with a dedicated Domain Controller?

Thanks,

Michael

5 Replies

Michael,

ACS will do a DNS query to find the domain controllers for the domain to which it's bound, and pick one from the list using sites and services.

The GUI does not let you hard-code ACS to a single DC (or set of DCs); it's possible to do that, but it requires access to the filesystem. It's not recommended, but you can open a case with us if you insist on going this route.

Hi Javier,

Thanks for your answer and recommendation.

The same question to you that I asked Jatin.

- Michael

Jatin Katyal
Cisco Employee

Michael,

Can you try this and see how it goes:

You can run the following command from the ACS CLI in ACS configuration mode:

acs/admin# acs-config

Escape character is CNTL/D.
Username: <GUI username>
Password: <GUI Password>

ACS/acsadmin(config-acs)# ad-agent-configuration dns.dc.<domain-name>.com <hostname1> distribute

You may see an issue with the command format. I haven't personally tested this lately on ACS 5.3.

Note: using this will force the ACS to authenticate only using that specific DC. If the DC becomes unreachable, you would have to run this command to point the ACS to another DC.

Also, this would require a restart to the services.

http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-3/command/reference/cli/cli_app_a.html#pgfId-2105448

Open a TAC case if you're not comfortable running the above command.

- Jatin

Hi Jatin,

Thanks a lot for your detailed explanation. So far I have not run that command, and I still have the following questions.

1. If I force the ACS to authenticate only using that specific DC, does that mean all ACS instances will only be able to use it, and couldn't use another, nearer Domain Controller?

2. How does ACS pick a Domain Controller from its list, and based on which mechanism? Is there any document I can have a look at?

- Michael

No worries!

1. The settings will only be applicable for the ACS you will make changes on. It won't impact other ACS instances.

2. This should answer your questions:

https://supportforums.cisco.com/discussion/11598191/force-acs-v5-join-domain-certain-domain-controller

The mechanism it uses is to see if it can reach DNS using both UDP and TCP. Next it does a _ldap._tcp. DNS query for the domain to find the DC. It then checks to see if it can reach the DC on the ports needed to communicate with AD. This is documented in the ACS user guide.

-Jatin
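The discovery sequence Jatin and Javier describe (SRV lookup for the domain, then a port check on each candidate DC) can be reproduced from any host, which is the practical way for an admin to see which DCs an ACS in a given site is likely to land on. The script below is an added example written for this thread, not ACS or Cisco code: the RFC 2782 priority/weight ordering and the port list (Kerberos 88, LDAP 389, SMB 445, Global Catalog 3268) are generic Active Directory assumptions, not ACS 5.3 internals, and the example.com hostnames and SRV records are constructed sample data. Piping real `dig SRV _ldap._tcp.<domain>` output into it switches from the constructed records to live records and live TCP connects.

```python
"""Replicate the DC discovery steps from the thread: parse the _ldap._tcp.<domain>
SRV answer, order candidates as an RFC 2782 client would, and check the AD ports.

Added example, not ACS code. Port list and ordering are generic AD assumptions.
Usage with real data:  dig SRV _ldap._tcp.example.com | python3 dc_discovery.py
"""
import random
import socket
import sys
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional, Sequence, Tuple

# Ports a DC must answer on for Kerberos, LDAP, SMB and Global Catalog
# (assumed generic AD set; the ACS user guide has the authoritative list).
AD_PORTS: Tuple[int, ...] = (88, 389, 445, 3268)
ConnectFn = Callable[[str, int], bool]


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


def parse_srv_line(line: str) -> Optional[SrvRecord]:
    """Parse one dig answer line, e.g.
    '_ldap._tcp.example.com. 600 IN SRV 0 100 389 dc1.example.com.'
    Comment lines (';...'), blank lines and non-SRV lines yield None."""
    fields = line.split()
    if len(fields) < 8 or fields[0].startswith(";") or fields[3] != "SRV":
        return None
    priority, weight, port = (int(f) for f in fields[4:7])
    return SrvRecord(priority, weight, port, fields[7].rstrip("."))


def parse_srv_answer(text: str) -> List[SrvRecord]:
    return [r for r in map(parse_srv_line, text.splitlines()) if r]


def order_candidates(records: Iterable[SrvRecord],
                     rng: Optional[random.Random] = None) -> List[SrvRecord]:
    """RFC 2782 client ordering: lowest priority first; within a priority,
    draw repeatedly with probability proportional to weight, so equal-weight
    DCs in the same site are load-balanced and weight-0 DCs are tried last."""
    rng = rng or random.Random()
    by_priority: Dict[int, List[SrvRecord]] = {}
    for r in records:
        by_priority.setdefault(r.priority, []).append(r)
    ordered: List[SrvRecord] = []
    for prio in sorted(by_priority):
        pool = list(by_priority[prio])
        while pool:
            total = sum(r.weight for r in pool)
            pick = pool[0]
            if total > 0:
                threshold, running = rng.randint(0, total - 1), 0
                for r in pool:
                    running += r.weight
                    if threshold < running:
                        pick = r
                        break
            ordered.append(pick)
            pool.remove(pick)
    return ordered


def tcp_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """Plain TCP connect test, the kind of port check the thread describes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_candidates(records: Iterable[SrvRecord], connect: ConnectFn = tcp_reachable,
                     ports: Sequence[int] = AD_PORTS,
                     rng: Optional[random.Random] = None) -> List[Tuple[str, List[int]]]:
    """Return (target, closed_ports) pairs in the order a client would try them."""
    return [(r.target, [p for p in ports if not connect(r.target, p)])
            for r in order_candidates(records, rng)]


def first_usable_dc(records: Iterable[SrvRecord], connect: ConnectFn = tcp_reachable,
                    ports: Sequence[int] = AD_PORTS,
                    rng: Optional[random.Random] = None) -> Optional[str]:
    """First candidate with every required port open, or None if none qualifies."""
    for target, closed in probe_candidates(records, connect, ports, rng):
        if not closed:
            return target
    return None


# Constructed sample: two same-site DCs at priority 0, one remote DC at priority 10.
SAMPLE_SRV = """\
_ldap._tcp.example.com. 600 IN SRV 0 100 389 dc1.example.com.
_ldap._tcp.example.com. 600 IN SRV 0 100 389 dc2.example.com.
_ldap._tcp.example.com. 600 IN SRV 10 100 389 dc-remote.example.com.
"""


def fake_connect(host: str, port: int) -> bool:
    """Constructed network: dc1 has SMB (445) filtered, the other DCs are fully open."""
    return not (host == "dc1.example.com" and port == 445)


if __name__ == "__main__":
    if sys.stdin.isatty():
        records, connect = parse_srv_answer(SAMPLE_SRV), fake_connect
    else:
        records, connect = parse_srv_answer(sys.stdin.read()), tcp_reachable
    for target, closed in probe_candidates(records, connect):
        print(f"{target:28} {'OK' if not closed else 'closed: ' + str(closed)}")
    print("would pick:", first_usable_dc(records, connect))
```

In the constructed sample, dc1 and dc2 are both priority 0, so either may be drawn first, but dc1 fails the SMB check and dc2 is always the first fully reachable DC; dc-remote is only ever reached after both same-site DCs fail. That is exactly the behaviour an admin loses when the `ad-agent-configuration ... distribute` command pins the ACS to one host, which is why the answer above warns that a failed pinned DC needs a manual repoint.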