Secondary ACS Unable to Join Domain

Dec 14th, 2011

Hello,


I have two ACS 5.3 servers set up as primary and secondary. The primary is joined to the domain and works without issue. The secondary server shows connectivity status: disconnected under the AD configuration. If I test the connection using the username and password credentials, it is successful.


On the command line, when I run the show app status acs command, the adclient process results in execution failed.


Any thoughts?


Thanks,


-John

Overall Rating: 5 (2 ratings)
camejia Thu, 12/22/2011 - 14:55

Hello John,


You might want to de-register the secondary ACS from the primary unit. With the secondary as standalone, you should delete any references to the AD configuration in the ACS Access Services (for example: AD Group Conditions, AD Attributes), Authorization Profiles, etc.


After removing the AD references in the ACS GUI configuration, please go to the Active Directory configuration and click on "Clear Configuration". NOTE: You might want to confirm that you have the AD account credentials to join the ACS back to the domain.


After clearing the AD configuration, we should configure it again from scratch, click on "Test Connection" and, if it succeeded, click on "Save Changes".


The ACS should show as Connected and Joined. At this point you can register the unit back to the primary for it to take the secondary role again.


If deeper investigation is needed or the issue persists the best approach would be to open a TAC case.


Hope this helps.


Regards.

jlizzio Tue, 01/10/2012 - 10:58

TAC reviewed our logs and determined that something was corrupt due to the upgrade process from 5.2 to 5.3. I rebuilt the VM as 5.3 and it joined the domain without issue.


-John

camejia Tue, 01/10/2012 - 11:21

Hello,


Cisco Community has become a very helpful forum; however, AD - ACS 5.x issues can become very complex sometimes. TAC involvement might be required on those types of queries. Thanks for the update.


NOTE: Also, I prefer to suggest that my customers go with a server re-image when upgrading to 5.3 instead of using the "Patch" file. The Patch file can come in handy sometimes when a re-image is not a viable option; however, the re-image will assure a clean installation. A restore of the previous ACS 5.2 database can be performed as well.


Regards

CSCO11627721 Tue, 03/27/2012 - 02:15

Hello,

Is it possible to rebuild only the adclient, as I'm facing the same problem?


Regards


MKD

petr.hon Tue, 04/17/2012 - 03:18

Hi,


I had the same problem on ACS 5.2 on the secondary server. The reason was simple: I did not configure an NTP server, so the time was unsynchronised with the AD domain server.

CSCO11627721 Tue, 04/17/2012 - 03:20

Hi petr,

NTP is working fine, and when I click the "Test" it says "Success".

But the adclient is not running!!


Regards,


MKD

Ivan Bermejo Ch... Tue, 05/29/2012 - 12:43

I had the same problem when trying to apply a patch with version 5.3.40.5. I had to de-apply the patch, de-register the backup from the main ACS, apply the patch, and re-register the backup with the main ACS.


Only after that, adclient executed correctly.


I hope it helps

rameshwar.hiwal... Tue, 02/19/2013 - 11:39

Hello All,


We faced the same issue, which was resolved by using a domain credential to join AD.


We deregistered the secondary ACS from the primary and re-registered it, which helped, and we found everything working fine.


Note: Please always check ACSADAgent.log for such issues.

habnercosta Fri, 03/14/2014 - 22:23

Thanks petr.hon, I just configured the NTP server and everything works again.
