ACS Express Appliance 5.0 (Anyone using with AD)

Nov 2nd, 2008


Anyone using this new appliance for Active Directory integration?

This appliance runs on Linux (a good thing) but does not seem to like to talk with our AD, yet we have no problems in our environment in regards to DNS or AD. We have a case opened and hope it's a quick fix.

Just looking to see any success or failure stories out there on this unit in general.


patrick.tuttle@... Wed, 11/05/2008 - 06:57


I guess given the no response, I can guess this is not a popular box.

Cisco ended up coming up with a fix for this problem. The default is to hunt through the entire AD forest. Once this file was edited, it attached immediately.


juliendymon Mon, 02/16/2009 - 07:14


Can you explain a little more please?

I have an ACS 5.0 and I am not able to join the AD ...

Thank you

patrick.tuttle@... Mon, 02/16/2009 - 10:58


If there are any issues with contacting any of the AD controllers, such as if just one of them is offline for any reason or you have a large environment, then it will not connect.

Also if time is not correct, it will also not connect. Our problem was with both: some ADs were offline and our environment was too large.

So, Cisco has a patch file they can send you so that you can get into ROOT of the box and edit the "centrifydc.conf" file.

The file name you need to get into root is:


You also need console access to the device.

They are supposed to make these settings available in the GUI in upcoming releases.

Hope this helps


Daniel Laden Mon, 02/16/2009 - 11:02

ACS Express will need to contact every domain controller to join. If a domain controller is offline or a listed domain controller is no longer a domain controller it will fail.

patrick.tuttle@... Mon, 02/16/2009 - 11:07

This is how it works but really shouldn't work this way. There are many times in large enterprises that controllers are down for patching, etc.



Attempting an AD join may fail if there are some domain controllers or global catalog servers it cannot contact.


One or more domain controllers or global catalog servers that the ACS cannot query or contact. AD Domain with inter-domain trusts containing trees that the ACS does not need access to descend into. The AD join process will eventually time out since it fails to return successful lookups for all domain controllers within the forest.


None via the GUI. Please contact TAC and provide the diagnostic logs.

Further Problem Description:


However the fix I was given was to edit that file I was speaking about.

Once I did this I was able to attach all 12 appliances we purchased to our AD environment.
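As an added illustration of the failure mode Daniel and Patrick describe (example code written for this thread, not anything from the posts or from the ACS appliance itself): a pre-join check that probes every DC on the LDAP and Kerberos ports and compares each reachable DC's clock against the local one, so an offline controller or a clock outside the Kerberos tolerance is found before the join is attempted. The DC list being supplied by the caller, DCs answering SNTP on UDP 123, and the default 300-second Kerberos skew are assumptions.

```python
"""Pre-join check for the AD join failure mode discussed above (added example).
Assumes the caller supplies the DC list, e.g. from the _ldap._tcp.dc._msdcs.<domain>
SRV records, and that DCs answer SNTP on UDP 123 as Windows Time normally does."""
import socket
import struct
import time
LDAP_PORT, KERBEROS_PORT, NTP_PORT = 389, 88, 123
KERBEROS_MAX_SKEW = 300        # Kerberos default clock-skew tolerance, seconds
NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 to the Unix epoch

def tcp_probe(host, port, timeout=3.0):
    """True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def sntp_time(host, timeout=3.0):
    """Unix time reported by host, via a minimal SNTP client request (RFC 4330)."""
    request = b"\x1b" + 47 * b"\0"  # LI=0, VN=3, Mode=3 (client)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, NTP_PORT))
        data, _ = sock.recvfrom(48)
    transmit_secs = struct.unpack("!I", data[40:44])[0]  # transmit timestamp, seconds
    return transmit_secs - NTP_EPOCH_OFFSET

def find_blocking_dcs(dcs, probe=tcp_probe):
    """Map each DC unreachable on LDAP or Kerberos to its failed ports (one is enough to block the join)."""
    blocking = {}
    for dc in dcs:
        failed = [p for p in (LDAP_PORT, KERBEROS_PORT) if not probe(dc, p)]
        if failed:
            blocking[dc] = failed
    return blocking

def join_preflight(dcs, probe=tcp_probe, time_source=sntp_time, local_time=None):
    """Report unreachable DCs and DCs whose clock is beyond the Kerberos tolerance."""
    now = time.time() if local_time is None else local_time
    blocking = find_blocking_dcs(dcs, probe)
    skew = {}
    for dc in (d for d in dcs if d not in blocking):
        try:
            skew[dc] = abs(time_source(dc) - now)
        except (OSError, struct.error):
            skew[dc] = None  # no usable SNTP answer: skew cannot be judged
    bad_clock = [dc for dc, s in skew.items() if s is not None and s > KERBEROS_MAX_SKEW]
    return {"blocking": blocking, "skew_s": skew, "bad_clock": bad_clock,
            "likely_ok": not blocking and not bad_clock}
```

Run `join_preflight([...])` with the forest's DC names from a host on the same network segment as the appliance; any entry in `blocking` or `bad_clock` is a DC to fix or exclude before retrying the join.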

juliendymon Tue, 02/17/2009 - 02:41

Ok thank you for your support.

In fact I think there is a mistake executing the script to join the domain, the argument is "" and I think it should be "".

I try to login on the ACS but I can't access the Linux shell to modify the script, I only have access to the IOS shell.

I have full physical access to the appliance and can make all the modification I want, it is only for testing and not in production environment.
