01-06-2016 10:00 PM - edited 03-10-2019 11:22 PM
Dear,
Our company has 4 ACS servers, version 5.3; one is primary and the other three are secondary.
They are in different DCs, and I don't know which Domain Controller they communicate with. How can I check this, and how can I configure ACS 5.3 to communicate with a dedicated Domain Controller?
Thanks,
Michael
01-07-2016 08:16 AM
Michael,
Can you try this and see how it goes:
You can run the following command in the CLI of the ACS in the ACS configuration mode -
acs/admin# acs-config
Escape character is CNTL/D.
Username: <GUI username>
Password: <GUI Password>
ACS/acsadmin(config-acs)# ad-agent-configuration dns.dc.<domain-name>.com <hostname1> distribute
You may see an issue with the command format. I haven't personally tested this lately on ACS 5.3.
Note# using this will force the ACS to authenticate only using that specific DC. If the DC becomes unreachable, you would have to run this command to point the ACS to another DC. Also, this would require a restart to the services.
http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-3/command/reference/cli/cli_app_a.html#pgfId-2105448
Open TAC case if you're not comfortable running the above command.
- Jatin
01-07-2016 04:05 AM
Michael,
ACS will do a DNS query to find the domain controllers for the domain to which it's bound, and pick one from the list using sites and services.
The GUI does not let you hard-code ACS to a single DC (or a set of DCs); it's possible to do that, but it requires access to the filesystem. It's not recommended, but you can open a case with us if you insist on going this route.
01-07-2016 06:09 PM
Hi Javier,
Thanks for your answer and recommendation.
The same question to you that I asked Jatin.
- Michael
01-07-2016 06:05 PM
Hi Jatin,
Thanks a lot for your detailed explanation. So far I haven't run that command, and I still have the following questions.
1. If I force the ACS to authenticate only using that specific DC, does that mean all ACS instances will only be able to use it, and couldn't use another, nearer Domain Controller?
2. How does ACS pick a Domain Controller from its list, and based on which mechanism? Is there any document I can have a look at?
- Michael
01-07-2016 10:08 PM
No worries!
1. The settings will only be applicable for the ACS you will make changes on. It won't impact other ACS instances.
2. This should answer your questions:
https://supportforums.cisco.com/discussion/11598191/force-acs-v5-join-domain-certain-domain-controller
The mechanism it uses is to see if it can reach DNS using both UDP and TCP. Next it does a _ldap._tcp. DNS query for the domain to find the DC. It then checks to see if it can reach the DC on the ports needed to communicate with AD. Documented in ACS user guide.
-Jatin
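To make the discovery sequence Jatin describes (SRV lookup for _ldap._tcp, then a reachability check against the AD ports) concrete, here is a small diagnostic that walks the same steps so you can see which DC a client in a given DC would end up on. This is an added example written for this thread, not Cisco or ACS code: the RFC 2782 priority/weight ordering, the port list (88, 389, 445) and the dc1/dc2/dc3 sample records are assumptions, and the SRV answer is constructed inline rather than queried from DNS.

```python
import socket
from dataclasses import dataclass

# Assumed set of TCP ports an AD client needs on a DC (ACS's exact list is in its user guide).
AD_PORTS = {"kerberos": 88, "ldap": 389, "smb": 445}

@dataclass
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str

def order_dcs(records):
    """Order SRV answers like an RFC 2782 client: lowest priority first, then
    higher weight first (deterministic variant of the weighted pick)."""
    return sorted(records, key=lambda r: (r.priority, -r.weight, r.target))

def check_dc_ports(host, ports=AD_PORTS, connect=socket.create_connection, timeout=2.0):
    """Return {service: reachable} by attempting a TCP connect to each port.
    `connect` is injectable so the check can run offline in tests."""
    result = {}
    for name, port in ports.items():
        try:
            connect((host, port), timeout).close()
            result[name] = True
        except OSError:
            result[name] = False
    return result

def pick_reachable_dc(records, connect=socket.create_connection):
    """Walk the ordered candidates and return the first DC answering on every
    required port, plus per-DC findings for troubleshooting."""
    findings = {}
    for rec in order_dcs(records):
        status = check_dc_ports(rec.target, connect=connect)
        findings[rec.target] = status
        if all(status.values()):
            return rec.target, findings
    return None, findings

# Constructed sample of what a `_ldap._tcp.example.com` SRV lookup might return.
SAMPLE_SRV = [
    SrvRecord(0, 100, 389, "dc2.example.com"),
    SrvRecord(0, 50, 389, "dc1.example.com"),
    SrvRecord(10, 100, 389, "dc3.example.com"),
]

if __name__ == "__main__":
    # Live use: fill SAMPLE_SRV from a real SRV query (e.g. dnspython) before calling.
    print(pick_reachable_dc(SAMPLE_SRV))
```

Comparing the findings dict across your four ACS nodes shows where a preferred DC is filtered out by a blocked port, which is the usual reason a node lands on a far-away DC.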