Join ACS 5.1 to AD domain

Unanswered Question
May 26th, 2010

Hello,

I've got a problem trying to join ACS servers to an AD domain.

First of all, I've double-checked ALL the requirements needed to join an ACS 5.1 server to an AD domain and all is OK (NTP/timezone, DNS, ip domain-name, AD administrator account).

The problem is that when I try the test button, the page loads indefinitely.

We have 90+ DCs and the command "nslookup my.domain.com" finds all of them. The problem is that, according to our network topology, only 4 DCs are reachable by the ACS servers.

Using the CLI command "show tech-support", I found the following lines:

May 26 14:34:31 acs01 adinfo[2541]: INFO  base.bind.ad ConnectToServer: fetch("") from dc1.mydomain.com:389 failed (Reason: fetch  : Can't contact LDAP server)
May 26 14:34:41 acs01 adinfo[2541]: INFO  base.bind.ad ConnectToServer: fetch("") from dc2.mydomain.com:389 failed (Reason: fetch  : Can't contact LDAP server)
May 26 14:34:51 acs01 adinfo[2541]: INFO  base.bind.ad ConnectToServer: fetch("") from dc3.mydomain.com:389 failed (Reason: fetch  : Can't contact LDAP server)
May 26 14:35:01 acs01 adinfo[2541]: INFO  base.bind.ad ConnectToServer: fetch("") from dc4.mydomain.com:389 failed (Reason: fetch  : Can't contact LDAP server)
May 26 14:35:11 acs01 adinfo[2541]: INFO  base.bind.ad ConnectToServer: fetch("") from dc5.mydomain.com:389 failed (Reason: fetch  : Can't contact LDAP server)
May 26 14:35:21 acs01 adinfo[2541]: INFO  base.bind.ad ConnectToServer: fetch("") from dc6.mydomain.com:389 failed (Reason: fetch  : Can't contact LDAP server)
May 26 14:35:26 acs01 adinfo[2541]: INFO  base.bind.ad Reached adclient.server.try.max before finding a valid server

The ACS tries to contact DCs that it can't reach, and it stops after 6 failures.

Is there a way to force the ACS to contact a specific DC to join the domain?

Regards.

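Triaging the "show tech-support" excerpt by hand gets tedious on a domain with 90+ DCs. The following is an added example (not part of the original post or of Cisco ACS) that parses the adinfo ConnectToServer lines quoted above, lists which DC:port pairs adinfo tried and why they failed, and flags whether it gave up on reaching adclient.server.try.max. The sample log is the poster's own excerpt plus one constructed unrelated line to show that non-adinfo lines are ignored; the line format the regex expects is the one shown in the post and is assumed to be stable.

```python
import re

# Sample input: the adinfo lines quoted in the post, plus one constructed
# non-adinfo line (the sshd line) to show that unrelated entries are skipped.
SAMPLE_LOG = """\
May 26 14:34:30 acs01 sshd[1000]: Accepted password for admin from 10.0.0.5 port 50000 ssh2
May 26 14:34:31 acs01 adinfo[2541]: INFO  base.bind.ad ConnectToServer: fetch("") from dc1.mydomain.com:389 failed (Reason: fetch  : Can't contact LDAP server)
May 26 14:34:41 acs01 adinfo[2541]: INFO  base.bind.ad ConnectToServer: fetch("") from dc2.mydomain.com:389 failed (Reason: fetch  : Can't contact LDAP server)
May 26 14:34:51 acs01 adinfo[2541]: INFO  base.bind.ad ConnectToServer: fetch("") from dc3.mydomain.com:389 failed (Reason: fetch  : Can't contact LDAP server)
May 26 14:35:01 acs01 adinfo[2541]: INFO  base.bind.ad ConnectToServer: fetch("") from dc4.mydomain.com:389 failed (Reason: fetch  : Can't contact LDAP server)
May 26 14:35:11 acs01 adinfo[2541]: INFO  base.bind.ad ConnectToServer: fetch("") from dc5.mydomain.com:389 failed (Reason: fetch  : Can't contact LDAP server)
May 26 14:35:21 acs01 adinfo[2541]: INFO  base.bind.ad ConnectToServer: fetch("") from dc6.mydomain.com:389 failed (Reason: fetch  : Can't contact LDAP server)
May 26 14:35:26 acs01 adinfo[2541]: INFO  base.bind.ad Reached adclient.server.try.max before finding a valid server
""".splitlines()

# Matches one failed ConnectToServer attempt; the exact wording is assumed
# from the lines quoted in the post.
CONNECT_RE = re.compile(
    r'adinfo\[\d+\]: INFO\s+base\.bind\.ad ConnectToServer: '
    r'fetch\("[^"]*"\) from (?P<host>[\w.-]+):(?P<port>\d+) failed '
    r'\(Reason: (?P<reason>.*)\)$'
)
TRY_MAX_RE = re.compile(r'Reached adclient\.server\.try\.max')


def parse_adinfo(lines):
    """Summarise which DCs adinfo tried, why each failed, and whether it gave up."""
    attempts = []
    reached_max = False
    for line in lines:
        line = line.rstrip()
        m = CONNECT_RE.search(line)
        if m:
            attempts.append({
                "host": m.group("host"),
                "port": int(m.group("port")),
                # collapse the doubled spaces in "fetch  : ..." for readability
                "reason": " ".join(m.group("reason").split()),
            })
            continue
        if TRY_MAX_RE.search(line):
            reached_max = True
    # preserve first-seen order but drop duplicates, so the list is the set of
    # hosts whose reachability from the ACS should be verified
    seen = []
    for a in attempts:
        if a["host"] not in seen:
            seen.append(a["host"])
    return {
        "attempts": attempts,
        "failed_hosts": seen,
        "failure_count": len(attempts),
        "reached_try_max": reached_max,
    }


if __name__ == "__main__":
    summary = parse_adinfo(SAMPLE_LOG)
    for a in summary["attempts"]:
        print(f'{a["host"]}:{a["port"]}  {a["reason"]}')
    print(f'{summary["failure_count"]} failed attempts; '
          f'gave up: {summary["reached_try_max"]}')
```

Feed it the adinfo lines copied out of "show tech-support" and compare the failed_hosts list against the DCs your topology actually allows the ACS to reach; every host in that list that is not supposed to be reachable is one the join will stumble over.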
Jatin Katyal Wed, 05/26/2010 - 06:44

Good question. This is not possible yet. There is an enhancement filed on this.


CSCte92062    ACS should be able to query only desired DCs


Symptom:
Currently on 5.0 and 5.1, the ACS queries DNS with the domain in order to get a list of all the DCs in the domain, and then tries to communicate with all of them.

If the connection to even one DC fails, then the ACS connection to the domain is declared as failed.

A lot of customers are asking for a change in this behavior.
It should be possible to define which DCs to contact and/or make ACS interpret the DNS Resource Records registered by the Active Directory domain controller to facilitate the location of domain controllers. Active Directory uses service locator, or SRV, records. An SRV record is a new type of DNS record described in RFC 2782, and is used to identify services located on a Transmission Control Protocol/Internet Protocol (TCP/IP) network.

Conditions:
Domain with multiple DCs where some are not accessible from the ACS due to security/geographic constraints.

Workaround:
Make sure ALL DCs are UP and reachable from the ACS.


HTH


JK


Do rate helpful posts-
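The enhancement quoted above asks for ACS to select DCs the way RFC 2782 intends instead of walking every A record for the domain. As an added illustration (example code, not ACS's own logic and not from the bug report), the block below implements the RFC 2782 selection order over a set of SRV records of the kind AD registers under _ldap._tcp.dc._msdcs.<domain>: lowest priority first, then weighted random choice within a priority group, with weight-0 entries placed first so they are rarely but not never chosen. A reachability predicate is then applied so that only DCs the ACS can actually reach remain as candidates, which is the behaviour the enhancement requests. The SRV records and host names are constructed for the example.

```python
import random
from collections import namedtuple

# One SRV resource record as described in RFC 2782.
SRV = namedtuple("SRV", "priority weight port target")

# Constructed sample: what a lookup of _ldap._tcp.dc._msdcs.mydomain.com might
# return. Hosts, priorities and weights are hypothetical.
SAMPLE_SRV = [
    SRV(0, 100, 389, "dc1.mydomain.com"),
    SRV(0, 100, 389, "dc2.mydomain.com"),
    SRV(10, 50, 389, "dc3.mydomain.com"),
    SRV(10, 0, 389, "dc4.mydomain.com"),
    SRV(20, 100, 389, "dc5.mydomain.com"),
]


def rfc2782_order(records, seed=None):
    """Return the records in RFC 2782 contact order.

    Priority groups are visited lowest-first. Inside a group a record is drawn
    at random with probability proportional to its weight, removed, and the
    draw repeated until the group is exhausted. `seed` makes the order
    reproducible for tests.
    """
    rng = random.Random(seed)
    by_priority = {}
    for r in records:
        by_priority.setdefault(r.priority, []).append(r)

    ordered = []
    for prio in sorted(by_priority):
        # RFC 2782: weight-0 records go to the front of the list so that a
        # draw of 0 lands on them occasionally.
        group = sorted(by_priority[prio], key=lambda r: r.weight != 0)
        while group:
            total = sum(r.weight for r in group)
            pick = rng.randint(0, total)      # inclusive range 0..total
            running = 0
            for r in group:
                running += r.weight
                if running >= pick:
                    ordered.append(r)
                    group.remove(r)
                    break
    return ordered


def candidate_dcs(records, reachable, seed=None):
    """RFC 2782 order, restricted to DCs the `reachable(host, port)` predicate accepts.

    The predicate is injected so the selection can be exercised offline; in a
    deployment it would be a TCP connect test to the LDAP port.
    """
    return [r for r in rfc2782_order(records, seed) if reachable(r.target, r.port)]


if __name__ == "__main__":
    allowed = {"dc2.mydomain.com", "dc4.mydomain.com"}   # constructed topology
    for r in candidate_dcs(SAMPLE_SRV, lambda host, port: host in allowed):
        print(f"{r.priority:>3} {r.weight:>4}  {r.target}:{r.port}")
```

Compared with the current ACS behaviour described in the bug (try every address and declare failure on the first unreachable one), this ordering contacts the preferred DC first and never touches the ones the predicate rules out.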

msurget.orange Wed, 05/26/2010 - 06:55

Thanks for your fast answer.

Is there any way to manually edit the "/etc/hosts" file on ACS 5.1?

So that I could force the server to go to one specific DC.

Regards.

Jatin Katyal Wed, 05/26/2010 - 07:11

On ACS under AD settings you can define the FQDN of that specific domain like child.parent.com and see if that works.


HTH

JK


Do rate helpful posts-

msurget.orange Thu, 05/27/2010 - 05:40

I also tried that, it didn't help.

But what about the hosts file? Do you know if there is any way to edit it manually?

Regards

paul.omahony Wed, 08/25/2010 - 18:10

I had the same problem last week and I changed the AD settings.

I gave the acs user account on the AD

"domain controller admin rights"

and the ACSs connected straight away.

I had a similar problem with logging in/joining to AD.

I need to know how to set up a unique IP for domain.name in /etc/hosts

Or how to set up a default domain controller for the domain.

We have more domain controllers with different architectures in our infrastructure.

A few with 32-bit, a few with 64-bit, a few as Unix controllers, a few as Windows controllers .....

Q: How to set up a default controller IP for the domain.

The ideal solution is an /etc/hosts update, setting the server IP for domain controllers.

====================================================
From ACS CLI:
====================================================

acs-new/acsadmin# nslookup xx.domain.com
Trying "xx.domain.com"
;; Truncated, retrying in TCP mode.
Trying "xx.domain.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35020
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 75, AUTHORITY: 0, ADDITIONAL: 25

;; QUESTION SECTION:
;xx.domain.com.                 IN      ANY

;; ANSWER SECTION:
xx.domain.com.          600     IN      A       192.168.21.19
xx.domain.com.          600     IN      A       10.249.4.41
xx.domain.com.          600     IN      A       10.245.1.19
xx.domain.com.          600     IN      A       10.250.20.1
xx.domain.com.          600     IN      A       10.241.2.29
xx.domain.com.          600     IN      A       172.16.90.83
xx.domain.com.          600     IN      A       10.247.10.5
xx.domain.com.          600     IN      A       10.244.48.100
xx.domain.com.          600     IN      A       10.242.53.218
xx.domain.com.          600     IN      A       10.242.52.202
xx.domain.com.          600     IN      A       172.21.8.32
xx.domain.com.          600     IN      A       10.16.1.29
xx.domain.com.          600     IN      A       10.254.99.182
xx.domain.com.          600     IN      A       10.245.48.229
xx.domain.com.          600     IN      A       10.100.8.19       !# me default controller
xx.domain.com.          600     IN      A       10.224.201.10
xx.domain.com.          600     IN      A       10.254.100.2
xx.domain.com.          600     IN      A       10.243.18.13
xx.domain.com.          600     IN      A       10.249.4.1
xx.domain.com.          600     IN      A       10.249.4.2
xx.domain.com.          600     IN      A       172.31.4.26
xx.domain.com.          600     IN      A       10.241.2.28
xx.domain.com.          600     IN      A       10.245.48.235
xx.domain.com.          600     IN      A       172.31.4.21
xx.domain.com.          600     IN      A       10.242.52.201
xx.domain.com.          600     IN      A       10.243.18.14
xx.domain.com.          600     IN      A       10.240.1.16
xx.domain.com.          600     IN      A       172.21.8.33
xx.domain.com.          600     IN      A       10.224.201.1
xx.domain.com.          600     IN      A       10.254.152.214
xx.domain.com.          600     IN      A       10.100.17.81
xx.domain.com.          600     IN      A       10.253.116.158
xx.domain.com.          600     IN      A       10.100.17.80
xx.domain.com.          600     IN      A       10.250.20.2
xx.domain.com.          600     IN      A       10.241.20.231
xx.domain.com.          600     IN      A       10.253.116.161
xx.domain.com.          600     IN      A       10.244.48.120
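The workaround in the bug quoted earlier in the thread is to make sure every DC the domain's A records point at is reachable from the ACS, which is exactly what the nslookup output above enumerates. As an added example (not from the poster and not an ACS feature), the block below parses nslookup/dig-style output like that, pulls out the A-record addresses, and checks each one for a TCP handshake on the LDAP port 389 that adinfo was using. The probe is a parameter so the logic can be exercised offline with a fake; the embedded sample is a constructed three-record excerpt in the same format, keeping the poster's "!# me default controller" annotation to show it is tolerated.

```python
import re
import socket

# Constructed excerpt in the shape of the nslookup output posted above.
SAMPLE_NSLOOKUP = """\
Trying "xx.domain.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35020
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;xx.domain.com.                 IN      ANY

;; ANSWER SECTION:
xx.domain.com.          600     IN      A       10.100.8.19       !# me default controller
xx.domain.com.          600     IN      A       10.249.4.41
xx.domain.com.          600     IN      A       172.16.90.83
"""

# "<name> <ttl> IN A <ipv4>" at the start of a line; anything after the address
# (such as a hand-written annotation) is ignored.
A_RECORD_RE = re.compile(
    r'^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+A\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})'
)


def parse_a_records(text):
    """Return the A-record addresses from nslookup/dig output, in answer order."""
    ips = []
    for line in text.splitlines():
        m = A_RECORD_RE.match(line)
        if m:
            ips.append(m.group("ip"))
    return ips


def tcp_reachable(ip, port=389, timeout=3.0):
    """True if a TCP handshake to ip:port completes within `timeout` seconds."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_domain_controllers(text, probe=tcp_reachable, port=389):
    """Classify every DC address in the lookup output as reachable or not.

    `probe(ip, port)` defaults to a real TCP connect; tests inject a fake.
    Per CSCte92062 as quoted in the thread, one unreachable DC is enough for
    ACS 5.0/5.1 to declare the domain join failed, so that is reported too.
    """
    ips = parse_a_records(text)
    reachable = [ip for ip in ips if probe(ip, port)]
    unreachable = [ip for ip in ips if ip not in reachable]
    return {
        "total": len(ips),
        "reachable": reachable,
        "unreachable": unreachable,
        "join_expected_to_fail": bool(unreachable),
    }


if __name__ == "__main__":
    # Paste real nslookup output in place of SAMPLE_NSLOOKUP when running this
    # from a host on the same network segment as the ACS.
    report = check_domain_controllers(SAMPLE_NSLOOKUP)
    for ip in report["reachable"]:
        print(f"reachable    {ip}:389")
    for ip in report["unreachable"]:
        print(f"UNREACHABLE  {ip}:389")
    print(f'{report["total"]} DCs; ACS join expected to fail: '
          f'{report["join_expected_to_fail"]}')
```

Run it from a machine with the same network position as the ACS (the probe is only meaningful from there): any address it lists as UNREACHABLE is one that, on ACS 5.0/5.1, will cause the join test to hang or fail, regardless of how many other DCs are fine.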
