
ACS 5.8 "configured nameserver is down" Alarm

mike-brooks
Level 1

Hi

Our ACS has begun getting Alarms for "Configured nameserver is down Server=<Primary / Secondary ACS hostname>." The Alarm Details say, "Please check DNS configuration, check corresponding DNS server and domain controller are available."  DNS configuration is correct and DNS servers are available all the time.  This Alarm occurs intermittently (a total of several times / week) at random times of the day on both Primary and Secondary ACS.

This particular alarm started after I upgraded ACS from 5.6 to 5.8 patch 6 back on 1/31/2017.  ACS never got this Alarm on 5.6 or any other previous versions.  ACSs are virtual.

Anybody have suggestions to remedy?

Thanks,

Mike

Accepted Solutions

mike-brooks
Level 1

This problem was caused by ACS trying to use every Active Directory domain ours has a trust with (there are dozens scattered about the globe in our corporation) for authentication. From ACS 5.8 Help below: "By default, ACS permits authentication against all trusted domains."

I need ACS to only use our one AD domain here in the US for all authentications. By following steps 1, 2 & 3 below and only enabling that one US-based AD domain for authentications, I was able to fix the original "configured nameserver is down" problem, as well as restrict ACS to only use the one domain for authentications.

From ACS 5.8 Help:


Configuring Authentication Domains

If you join ACS to an Active Directory domain, ACS has visibility to other domains with which it has a trust relationship. By default, ACS permits authentication against all those trusted domains. You can restrict ACS to a subset of authentication domains while interacting with the Active Directory deployments. Configuring authentication domains enables you to select specific domains so that the authentications are performed against the selected domains only. Authentication domains improve security because they instruct ACS to authenticate users only from selected domains and not from all domains trusted from join point. Authentication domains also improve performance and latency of authentication request processing because authentication domains limit the search area (that is, where accounts matching to incoming username or identity will be searched). It is especially important when incoming username or identity does not contain domain markup (prefix or suffix). Due to these reasons, configuring authentication domains is a best practice, and we highly recommend it.

To configure Authentication Domains:

Before you Begin

Ensure that the ACS instance is joined to an Active Directory domain.

 1. Choose Users and Identity Stores > External Identity Stores > Active Directory, then click the Authentication Domains tab.

A table appears with a list of your trusted domains. By default, ACS permits authentication against all trusted domains.

 2. To allow only specified domains, check the check box next to the domains for which you want to allow authentication, and click Enable Selected.

 3. Click Save Changes.

In the Authenticate column, the status of the selected domains is changed to Yes.
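
A diagnostic for the situation this answer describes, as an added example that is not part of the original post or of ACS: for each trusted domain it asks each nameserver for the domain's Active Directory DC-locator SRV record (`_ldap._tcp.dc._msdcs.<domain>`) and reports which pairs do not answer cleanly. The domain names and nameserver address are constructed placeholders, and that ACS performs these same lookups is an assumption.

```python
import socket
import struct

TXID = 0x4143  # fixed transaction id; adequate for a one-shot diagnostic

def build_srv_query(domain):
    """DNS query for the AD DC-locator SRV record of `domain`."""
    name = "_ldap._tcp.dc._msdcs." + domain.rstrip(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    header = struct.pack("!6H", TXID, 0x0100, 1, 0, 0, 0)  # RD set, one question
    return header + qname + b"\x00" + struct.pack("!2H", 33, 1)  # QTYPE SRV, class IN

def parse_reply(reply):
    """Return (rcode, answer_count) from the 12-byte DNS header."""
    if len(reply) < 12:
        raise ValueError("short reply")
    txid, flags, _qd, answers, _ns, _ar = struct.unpack("!6H", reply[:12])
    if txid != TXID or not flags & 0x8000:  # must be a response carrying our id
        raise ValueError("unexpected reply")
    return flags & 0x000F, answers

def udp_send(packet, nameserver, timeout):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (nameserver, 53))
        return s.recvfrom(4096)[0]

def probe(domain, nameserver, timeout=2.0, send=udp_send):
    """Classify how one nameserver answers for one domain's DC-locator record."""
    try:
        rcode, answers = parse_reply(send(build_srv_query(domain), nameserver, timeout))
    except OSError:  # socket timeouts and unreachable-network errors
        return "no-response"
    except ValueError:
        return "bad-reply"
    if rcode == 0:
        return "ok" if answers else "no-records"
    return {2: "servfail", 3: "nxdomain", 5: "refused"}.get(rcode, f"rcode-{rcode}")

def audit(domains, nameservers, send=udp_send):
    """Probe every pair; the result is keyed by (domain, nameserver)."""
    return {(d, ns): probe(d, ns, send=send) for d in domains for ns in nameservers}

if __name__ == "__main__":
    # Constructed placeholders: substitute the domains listed on the Authentication
    # Domains tab and the nameservers configured on the ACS node.
    for pair, status in audit(["us.corp.example", "apac.corp.example"], ["192.0.2.53"]).items():
        print(*pair, status)
```

Domains that come back as anything other than `ok`, and that hold no accounts ACS needs, are candidates to leave disabled in step 2.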

4 Replies

nicko_64062
Level 1

I have this same issue. We are running 5.8 update 7 and this only started once we updated from 5.8.0.32 to the patch 7. In our logs the Errors state:

"Configured nameserver is down Server=<csacs server name>"

Nowhere in the ACS configurations do we use the name or IP of the csacs server as a nameserver.

Thank you,

Nick

Hi Nick,

Thanks for the update.

So based on your experience, it sounds like if I applied patch 7 to our 5.8 patch 6 ACSs, it wouldn't be of any help in fixing this particular issue.

Aside from the "nameserver is down" Alarms, it seems like our ACS is fully functional, so I really don't want to mess with it unless it's a sure fix for this issue, and doesn't then introduce others.

Mike

Mike,

It doesn't look like upgrading to patch 7 will fix your issue. From what I can tell there are no negative effects on ACS operations. If someone has a fix action I would be interested in trying to implement.

Nick
