ACS 5.1 Join AD Permissions Level requirement.

Unanswered Question
Apr 28th, 2010

I've been testing the new ACS 5.1 (appliances) and have an issue with joining it to my AD. Only the top-level administrator account will join the domain successfully (not any standard account used for adding a computer to AD). If anyone knows the 'correct' permissions level to set in AD, I would appreciate it.

The account tests good (test button), but when saving to join the domain permanently, I get an error pop-up of:

-- Error while configuring Acgtive Directory: Using writable domain controller: HDQNCDC4.corp.maxxim.com Unexpected configuration or network error. Please try the --verbose option or run 'adinfo --diag' to diagnose the problem.  Join to domain 'corp.maxxxim.com', zone 'null' failed. --


The app-account created for the ACS 5.1 has permissions to create/delete Computers on all domains.


Our AD support summary:

It looks like the device is actually trying to write to Active Directory. This would be a concern and not the norm; usually it is just a read function, especially if the device is just passing through the credentials. When you open the case, can you please ask Cisco what is being written to Active Directory and why. Also ask them the exact permissions required of the account needed for your device.

Javier Henderson Wed, 04/28/2010 - 11:46

The account used to join ACS 5.1 to the domain should have Authenticate User or Computer Objects and Delete Computer Objects permission, or any permission to add machines to the AD domain.
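To confirm what Javier describes, here is an added example (not from this thread or from Cisco) that reads the ACL of a container and reports whether a given account holds the "Create Computer objects" and "Delete Computer objects" rights there. It assumes the RSAT ActiveDirectory module (which provides the AD: drive), and the account and container names in the sample call are placeholders.

```powershell
# Added example, not from the thread: check a service account for the
# "Create Computer objects" / "Delete Computer objects" rights on a container.
# Assumes the RSAT ActiveDirectory module and read access to the container's ACL.
Import-Module ActiveDirectory

function Test-ComputerObjectRights {
    param(
        [Parameter(Mandatory)] [string] $Account,     # e.g. 'CORP\svc-acs' (placeholder)
        [Parameter(Mandatory)] [string] $ContainerDN  # e.g. 'CN=Computers,DC=corp,DC=example,DC=com'
    )

    # Resolve the schema GUID of the 'computer' class at runtime instead of hardcoding it.
    $schemaNC     = (Get-ADRootDSE).schemaNamingContext
    $class        = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=computer)' -Properties schemaIDGUID
    $computerGuid = [guid]$class.schemaIDGUID

    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
               [System.Security.Principal.SecurityIdentifier])

    $acl = Get-Acl -Path ("AD:\" + $ContainerDN)
    $canCreate = $false
    $canDelete = $false

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Compare trustees by SID so renamed or unresolvable names do not cause misses.
        try   { $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) }
        catch { continue }
        if ($aceSid -ne $sid) { continue }

        # An empty ObjectType means the right covers every child object class, not just computers.
        if (($ace.ObjectType -ne $computerGuid) -and ($ace.ObjectType -ne [guid]::Empty)) { continue }

        $rights = $ace.ActiveDirectoryRights
        if ($rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::CreateChild)) { $canCreate = $true }
        if ($rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::DeleteChild)) { $canDelete = $true }
    }

    [pscustomobject]@{
        Account            = $Account
        Container          = $ContainerDN
        CanCreateComputers = $canCreate
        CanDeleteComputers = $canDelete
    }
}

# Sample call with placeholder names. Rights granted only through group membership are
# not reported, because the loop matches ACE trustees against the account's own SID.
Test-ComputerObjectRights -Account 'CORP\svc-acs' -ContainerDN 'CN=Computers,DC=corp,DC=example,DC=com'
```

If both values come back false for the container the ACS joins into (or for the domain root when the join target is left at the default), the delegation is on the wrong container or was granted to a group the account is not a member of.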

jkaliente Thu, 04/29/2010 - 11:34

The account does have these permissions. Still get the same error. See attached screenshot. Does Authenticated Users need special permissions?
