Moving ACS from one domain to another

nikhil_nemade
Level 1

Hello there,

I am a router/switch/load-balancing person who is new to Cisco ACS management and am now tasked with moving the ACS from one domain (ads.company.com) to another (corp.company.com).

We are currently running ACS v5.2 and are importing external databases via AD (ads.company.com) and LDAP (corp.company.com). We use ACS for TACACS+ auth for network gear and 802.1x auth for wireless. All users have already been migrated over to the corp.company.com domain.

I have read through a few books and have familiarized myself with the interfaces, terminology etc.

Could someone please point out what items I need to keep in mind when doing such a migration?

Appreciate the help.

- Nick

Accepted Solution

Richard Atkin
Level 4

Hi Nikhil,

The short story is that there's no such thing as a migration as far as ACS and your requirement are concerned... You will have to delete all references to the AD from your ACS config, leave your current domain, join the new domain, and then re-enter your AD-based config.

If you're lucky, what I've suggested will work, but older versions of ACS are notoriously bad when you change domains and occasionally need to be rebuilt from scratch.

Richard


5 Replies


Thanks for the quick reply, Richard.

When you clear the configuration after deleting all the references from ACS, it will delete all the parameters/objects of the previous domain. When you join the new domain, just make sure you are able to add/delete a computer object on the new domain, and check DNS and NTP status, etc.

As pointed out by Richard, there are a hell of a lot of issues with ACS-AD on older versions of ACS.

The most stable version you can upgrade to is 5.3 patch 4 or above.

Jatin Katyal
- Do rate helpful posts -

~Jatin
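Before the AD identity store is deleted and the node leaves ads.company.com, the DNS, NTP and computer-object points Jatin lists above (and the leave/re-join sequence Richard describes) can be checked from a Windows admin workstation with RSAT installed. The following PowerShell is an added example, not from this thread or from Cisco's documentation; the ACS hostname ACS01, the target OU, the join account CORP\svc-acs-join and the port list are assumptions to adjust for your environment.

```powershell
# Pre-flight checks before re-joining an ACS node to corp.company.com.
# Added example for this thread; not Cisco code. Requires the RSAT
# ActiveDirectory module and dsacls.exe on the workstation running it.
Import-Module ActiveDirectory

$OldDomain = 'ads.company.com'
$NewDomain = 'corp.company.com'
$AcsHost   = 'ACS01'                                              # assumed ACS hostname
$TargetOU  = 'OU=Network Appliances,DC=corp,DC=company,DC=com'    # assumed OU for the computer object
$JoinAcct  = 'CORP\svc-acs-join'                                  # assumed least-privilege join account

# 1. DNS: the join depends on the domain's SRV records. If the ACS cannot resolve
#    these through its configured DNS servers, fix DNS before touching the ACS.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$NewDomain" -Type SRV -ErrorAction Stop
$dcs = $srv | Where-Object { $_.Type -eq 'SRV' } | Select-Object -ExpandProperty NameTarget
"Domain controllers for ${NewDomain}: $($dcs -join ', ')"

# 2. Reachability of the ports commonly needed for an AD join and lookups
#    (Kerberos 88, LDAP 389, SMB 445, global catalog 3268). Assumed list;
#    confirm against the ACS install guide for your version.
foreach ($dc in $dcs) {
    foreach ($port in 88, 389, 445, 3268) {
        $ok = (Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
        $state = if ($ok) { 'open' } else { 'BLOCKED' }
        "{0,-30} tcp/{1,-5} {2}" -f $dc, $port, $state
    }
}

# 3. Time: Kerberos rejects authentication when clock skew exceeds 5 minutes
#    (default), so the ACS, the DCs and this host need a common NTP source.
#    The offset column should be well under 300 seconds.
w32tm /stripchart /computer:$($dcs[0]) /samples:3 /dataonly

# 4. Least privilege: instead of joining with a Domain Admin, delegate only
#    create/delete of computer objects in the target OU to the join account.
#    CC = create child, DC = delete child, scoped to the computer object class.
dsacls $TargetOU /I:T /G "${JoinAcct}:CCDC;computer"

# 5. Stale accounts: a leftover computer object with the same name in either
#    domain is a common cause of join failures and a dangling Kerberos principal.
$stale = Get-ADComputer -Filter "Name -eq '$AcsHost'" -Server $OldDomain
if ($stale) {
    "Stale object in ${OldDomain}: $($stale.DistinguishedName)"
    # Remove it only after the ACS has left the old domain; -WhatIf previews the deletion.
    Remove-ADComputer -Identity $stale -Server $OldDomain -Confirm:$false -WhatIf
}
$existing = Get-ADComputer -Filter "Name -eq '$AcsHost'" -Server $NewDomain
if ($existing) { "Existing object in ${NewDomain}: $($existing.DistinguishedName)" }
```

Run it from a host on the same network segment as the ACS where possible, since Test-NetConnection reports the workstation's path to the DCs, not the appliance's; on ACS 5.4 the appliance-side view is the acs troubleshoot adcheck command mentioned later in this thread.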

Thanks Jatin.

I double checked the version of the ACS and it is actually 5.3.0.40.6 so hopefully we'll be fine post-change.

Good that you're running the stable version. However, I'd also like to add that with ACS 5.4, you can join the ACS nodes from the same deployment to different AD domains. However, each node can be joined to a single AD domain.

This is a new feature added in 5.4.

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.4/release/notes/acs_54_rn.html#wp71092

acs troubleshoot adcheck and acs troubleshoot adinfo

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.4/command/reference/cli_app_a.html#wp2047632

Jatin Katyal
- Do rate helpful posts -

~Jatin