08-16-2013 08:58 AM - edited 03-10-2019 08:47 PM
I have read the release notes and user guide for ACS 5.4, which mention the capability to join ACS nodes from the same deployment to different AD domains. But each node can be joined to only a single AD domain. My question is this ... in a failover situation, what does this buy me?
Hypothetical:
I have two sites, each with an ACS and each one has its own AD domain. The ACSs are deployed in a primary/secondary relationship, devices at site A use Site A's ACS as primary for authentication, devices at site B use Site B's ACS as the primary for authentication.
Scenarios:
I'm missing what benefit I get from deploying the two ACSs if they cannot both use or access users on both domains. Maybe I'm not understanding something here. Can anybody shed some light on this or point me to a document that might help?
Thanks ...
09-19-2013 10:13 PM
I second you on that fact; it's not very well documented. In almost every deployment, the role of the secondary server (located at a different site) is to provide full redundancy in the event that the primary ACS server fails.
In your case, if both ACSs are joined to two different domains, like
Site A (ACS1 - Primary) --- Domain A
Site B (ACS2 - Secondary) --- Domain B
we have to make sure that Domain A trusts Domain B and vice versa, because if the secondary server is configured to receive replication from the primary, that means the authorization rules will be the same on both ACSs. Having a full two-way trust between both domains would allow you to fetch groups of Domain B from ACS1 and groups of Domain A from ACS2.
The ONLY advantage of this feature will come into play during authentication. If users of Domain B are pointed to ACS2 for authentication, group retrieval time will be shorter for a direct domain than for a cross-domain lookup.
The purpose of redundancy will fail where the possibility of a two-way trust doesn't exist. It JUST won't fit right in such deployments.
Hope it adds a little more clarification.
~BR
Jatin Katyal
**Do rate helpful posts**
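The failover logic in the accepted answer, as an added example that is not part of the original post or of any Cisco ACS code: a small model of which ACS node can authenticate users of which domain under each possible AD trust configuration between the two sites. It assumes the standard AD semantics of a one-way trust (a node joined to domain X can authenticate a user of domain Y when X is Y or when X trusts Y) and that group retrieval is "direct" for the node's own domain and "cross-domain" otherwise; the node and domain names (ACS1, ACS2, a.example, b.example) are made up for the scenario.

```python
"""Added example (not from the original post or Cisco documentation): a model of
the failover question in this thread, i.e. which ACS node can authenticate
users of which domain under a given AD trust configuration.

Assumed semantics (standard AD one-way trust, stated here as an assumption):
an ACS node joined to domain X can authenticate a user of domain Y when
X == Y, or when X trusts Y (X = trusting domain, Y = trusted domain).
Group retrieval against the node's own domain is "direct"; against a trusted
domain it is "cross-domain". Domain and node names below are made up.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple

Trust = Tuple[str, str]  # (trusting_domain, trusted_domain)


@dataclass(frozen=True)
class AcsNode:
    name: str
    domain: str  # the single AD domain this node is joined to


@dataclass(frozen=True)
class Deployment:
    primary: AcsNode
    secondary: AcsNode
    trusts: FrozenSet[Trust] = frozenset()

    def can_authenticate(self, node: AcsNode, user_domain: str) -> bool:
        """Node's own domain, or a domain its domain trusts (one direction is enough)."""
        return node.domain == user_domain or (node.domain, user_domain) in self.trusts

    def lookup_path(self, node: AcsNode, user_domain: str) -> str:
        """How this node would fetch groups for a user of user_domain."""
        if node.domain == user_domain:
            return "direct"
        if self.can_authenticate(node, user_domain):
            return "cross-domain"
        return "unreachable"

    def failover_covered(self, user_domain: str) -> bool:
        """Redundancy exists for a domain's users only if BOTH nodes can serve them."""
        return all(self.can_authenticate(n, user_domain) for n in (self.primary, self.secondary))

    def coverage(self) -> Dict[str, Dict[str, str]]:
        """Per domain, the lookup path each node would take for that domain's users."""
        domains = sorted({self.primary.domain, self.secondary.domain})
        return {d: {n.name: self.lookup_path(n, d) for n in (self.primary, self.secondary)}
                for d in domains}


def one_way_trust(trusting: str, trusted: str) -> FrozenSet[Trust]:
    return frozenset({(trusting, trusted)})


def two_way_trust(a: str, b: str) -> FrozenSet[Trust]:
    return one_way_trust(a, b) | one_way_trust(b, a)


# Constructed scenario matching the thread: ACS1 at site A joined to domain A,
# ACS2 at site B joined to domain B, ACS2 receiving replication from ACS1.
ACS1 = AcsNode("ACS1", "a.example")
ACS2 = AcsNode("ACS2", "b.example")

SCENARIOS: Dict[str, FrozenSet[Trust]] = {
    "no trust": frozenset(),
    "A trusts B only": one_way_trust("a.example", "b.example"),
    "B trusts A only": one_way_trust("b.example", "a.example"),
    "two-way trust": two_way_trust("a.example", "b.example"),
}


def evaluate(trusts: FrozenSet[Trust]) -> Dict[str, bool]:
    """For each domain: do its users still authenticate when either node is down?"""
    dep = Deployment(ACS1, ACS2, trusts)
    return {d: dep.failover_covered(d) for d in ("a.example", "b.example")}


if __name__ == "__main__":
    for label, trusts in SCENARIOS.items():
        dep = Deployment(ACS1, ACS2, trusts)
        print(f"{label}: redundancy={evaluate(trusts)} paths={dep.coverage()}")
```

Running it shows why the answer insists on a two-way trust: with a one-way trust only the users of the trusted domain keep working when their home node is down, and with no trust neither site's users survive a node failure. Before relying on this in a real deployment, confirm the trust direction on a domain controller with `Get-ADTrust -Filter * | Select-Object Name, Direction` (expect `BiDirectional`) or `nltest /domain_trusts`, since a trust that exists in only one direction looks fine from the trusting side and only fails during the failover you are trying to cover.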
08-27-2013 07:36 PM
To authenticate the user in your given scenarios, there must be a two-way trust relationship between the ADs; then, in case of failure, a user from site A can be authenticated by site B's ACS.
09-19-2013 09:17 PM
To authenticate the user in your given scenarios, there must be a two-way trust relationship between the ADs; then, in case of failure, a user from site A can be authenticated by site B's ACS.