ACS 5.4 - not able to join AD domain

Unanswered Question

Hi.

I'm having trouble joining the ACS 5.4 to an Windows Server 2012 AD domain.

When I use the Test connection, everything is green.

But when I try to join, I get this error:


Failed During Join [Error while configuring Active Directory: Cannot open file /var/centrifydc/previous/kset.domain: No such file or directory due to unexpected configuration or network error.Please try the --verbose option or run 'adinfo --diag' to diagnose the problem.Join to domain 'gaasdal.net', zone 'null' failed.]


I have tried to use the adinfo and adcheck cli commands, but I'm not able to use them properly. I always get an error when trying to put in options.


A simple adcheck gives me this, though:


ACS-Malaga/admin# acs troubleshoot adcheck gaasdal.net
This command is only for advanced troubleshooting and may incur a lot of network traffic

Do you want to continue?  (yes/no) yes
OSCHK    : Verify that this is a supported OS                          : Pass
PATCH    : Linux patch check                                           : Pass
PERL     : Verify perl is present and is a good version                : Pass
SAMBA    : Inspecting Samba installation                               : Pass
SPACECHK : Check if there is enough disk space in /var /usr /tmp       : Pass
HOSTNAME : Verify hostname setting                                     : Pass
NSHOSTS  : Check hosts line in /etc/nsswitch.conf                      : Pass
DNSPROBE : Probe DNS server 192.168.100.80                             : Pass
DNSCHECK : Analyze basic health of DNS servers                         : Warning
         : Only one DNS server was found in /etc/resolv.conf.
         : At least one backup DNS server is recommended for
         : enterprise installations.
         : Only one good DNS server was found
         : You might be able to continue but it is likely that you
         : will have problems.
         : Add more good DNS servers into /etc/resolv.conf.

WHATSSH  : Is this an SSH that DirectControl works well with           : Pass
SSH      : SSHD version and configuration                              : Note
         : You are running OpenSSH_5.3p1, CiscoSSL 0.9.8r.1.3.
         :

DOMNAME  : Check that the domain name is reasonable                    : Pass
ADDC     : Find domain controllers in DNS                              : Pass
ADDNS    : DNS lookup of DC kari2012.gaasdal.net                       : Pass
ADPORT   : Port scan of DC kari2012.gaasdal.net                        : Pass
ADDNS    : DNS lookup of DC kari2013.gaasdal.net                       : Pass
ADPORT   : Port scan of DC kari2013.gaasdal.net                        : Pass
ADDNS    : DNS lookup of DC kari2012.gaasdal.net                       : Pass
GCPORT   : Port scan of GC kari2012.gaasdal.net                        : Pass
ADDNS    : DNS lookup of DC kari2013.gaasdal.net                       : Pass
GCPORT   : Port scan of GC kari2013.gaasdal.net                        : Pass
ADGC     : Check Global Catalog servers                                : Pass
DCUP     : Check for operational DCs in gaasdal.net                    : Pass
SITEUP   : Check DCs for gaasdal.net in our site                       : Pass
DNSSYM   : Check DNS server symmetry                                   : Pass
ADSITE   : Check that this machine's subnet is in a site known by AD   : Pass
GSITE    : See if we think this is the correct site                    : Pass
TIME     : Check clock synchronization                                 : Pass
ADSYNC   : Check domains all synchronized                              : Pass
1 warning was encountered during check. We recommend checking this before proceeding



I have also tried adding the ACS manually in AD, but no use.


What could be wrong?

Any ideas?


Thank you.

Tarik Admani Tue, 08/13/2013 - 19:40

Hi,


Do you have patch 2 installed? Here is the compatibility matrix for ACS 5.4 and AD versions -


http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.4/device_support/sdt54.html#wp71115


Here are the release notes as well -


http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.4/release/notes/acs_54_rn.html#wp257803


To find the patch version it is best to ssh into the appliance and issue a show version.


Thanks

Tarik Admani
*Please rate helpful posts*

Hi, and thanks for answering.

I'm on version:

Patches : 5-4-0-46-4

Jatin Katyal Wed, 08/14/2013 - 03:50

This is a known issue.


CSCuh14898    ACS 5.4 Patch 2 fails to join AD Domain


Description: Customer installed ACS 5.4 with Patch 2 and imported the backup from ACS 5.3. It failed to join the domain.


Got:

Failed During Join [Error while configuring Active Directory: Cannot open file /var/centrifydc/previous/kset.domain: No such file or directory due to unexpected configuration or network error.Please try the --verbose option or run 'adinfo --diag' to diagnose the problem.Join to domain 'unitopr.unitint.test .statefarm.org' ;, zone 'null' failed.



Symptom:

ACS Can not join the domain

Conditions:

ACS 5.4 Patch 2

Workaround:

The workaround suggested is to manually remove the /var/centrifydc/previous folder completely (rm -rf /var/centrifydc/previous) before trying to adjoin. Didn't have the chance to try it because the customer reimaged the box, and it works.

More Info:



~BR
Jatin Katyal

**Do rate helpful posts**

Tarik Admani Wed, 08/14/2013 - 12:55

TAC will need to do this for you.



Tarik Admani
*Please rate helpful posts*

jwarmoth78 Tue, 09/17/2013 - 11:28

Same issue on a fresh VM install of ACS 5.4.0.46.4. Attempting to join with domain admin and enterprise admin accounts. DNS resolution is fine throughout the lab/AD environment. DC is 2008 R2 SP1.



"Failed During Join [Error while configuring Active Directory: Cannot open file /var/centrifydc/previous/kset.domain: No such file or directory due to unexpected configuration or network error.Please try the --verbose option or run 'adinfo --diag' to diagnose the problem.Join to domain 'nerdlab.local', zone 'null' failed.]"




Cisco ACS VERSION INFORMATION
-----------------------------
Version : 5.4.0.46.4
Internal Build ID : B.221
Patches :
5-4-0-46-4

acs01/admin# acs troubleshoot adcheck testlab.local
This command is only for advanced troubleshooting and may incur a lot of network traffic

Do you want to continue?  (yes/no) y
OSCHK    : Verify that this is a supported OS                          : Pass
PATCH    : Linux patch check                                           : Pass
PERL     : Verify perl is present and is a good version                : Pass
SAMBA    : Inspecting Samba installation                               : Pass
SPACECHK : Check if there is enough disk space in /var /usr /tmp       : Pass
HOSTNAME : Verify hostname setting                                     : Pass
NSHOSTS  : Check hosts line in /etc/nsswitch.conf                      : Pass
DNSPROBE : Probe DNS server 192.168.1.131                              : Pass
DNSCHECK : Analyze basic health of DNS servers                         : Warning
         : Only one DNS server was found in /etc/resolv.conf.
         : At least one backup DNS server is recommended for
         : enterprise installations.
         : Only one good DNS server was found
         : You might be able to continue but it is likely that you
         : will have problems.
         : Add more good DNS servers into /etc/resolv.conf.

WHATSSH  : Is this an SSH that DirectControl works well with           : Pass
SSH      : SSHD version and configuration                              : Note
         : You are running OpenSSH_5.3p1, CiscoSSL 0.9.8r.1.3.
         :

DOMNAME  : Check that the domain name is reasonable                    : Warning
         : The Active Directory domain name testlab.local may cause
         : resolution problems with the operating system domain
         : name server. We strongly suggest you do not use .local
         : as the last component in your Active Directory domain name.
         : If you must, please see the release notes for your operating
         : system and ensure you have disabled multicast DNS.

ADDC     : Find domain controllers in DNS                              : Pass
ADDNS    : DNS lookup of DC labdc.nerdlab.local                        : Pass
ADPORT   : Port scan of DC labdc.nerdlab.local                         : Pass
ADDNS    : DNS lookup of DC labdc.nerdlab.local                        : Pass
GCPORT   : Port scan of GC labdc.nerdlab.local                         : Pass
ADGC     : Check Global Catalog servers                                : Pass
DCUP     : Check for operational DCs in nerdlab.local                  : Pass
SITEUP   : Check DCs for nerdlab.local in our site                     : Pass
DNSSYM   : Check DNS server symmetry                                   : Pass
ADSITE   : Check that this machine's subnet is in a site known by AD   : Pass
GSITE    : See if we think this is the correct site                    : Pass
TIME     : Check clock synchronization                                 : Pass
ADSYNC   : Check domains all synchronized                              : Pass
2 warnings were encountered during check. We recommend checking these before proceeding
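Both the original post and the reply above paste long `acs troubleshoot adcheck` runs and then have to eyeball them for the one or two lines that matter. The following is an added example, not code from the thread or from Cisco/Centrify: a small parser for that output format (check line `CODE : description : Status`, continuation lines starting with whitespace and `:`, and the trailing "N warnings were encountered" summary) that pulls out the non-passing checks with their explanation text. The sample output is constructed to resemble the posts, with a documentation-range DNS server address.

```python
import re
# Constructed sample, modelled on the "acs troubleshoot adcheck" output
# quoted in the thread; not any poster's verbatim output.
SAMPLE_ADCHECK = """\
OSCHK    : Verify that this is a supported OS                          : Pass
DNSCHECK : Analyze basic health of DNS servers                         : Warning
         : Only one DNS server was found in /etc/resolv.conf.
         : Add more good DNS servers into /etc/resolv.conf.
SSH      : SSHD version and configuration                              : Note
         : You are running OpenSSH_5.3p1, CiscoSSL 0.9.8r.1.3.
         :
DOMNAME  : Check that the domain name is reasonable                    : Warning
         : The Active Directory domain name testlab.local may cause
         : resolution problems with the operating system domain
TIME     : Check clock synchronization                                 : Pass
2 warnings were encountered during check. We recommend checking these before proceeding
"""
# Check line: CODE : description : Status; continuation lines start with whitespace then ':'
CHECK_RE = re.compile(r"^(\w+)\s*:\s*(.*?)\s*:\s*(\w+)\s*$")
DETAIL_RE = re.compile(r"^\s+:\s?(.*)$")
SUMMARY_RE = re.compile(r"^(\d+) warnings? (?:was|were) encountered", re.M)

def parse_adcheck(text):
    """Return one dict per check: code, description, status, details."""
    checks = []
    for line in text.splitlines():
        m = CHECK_RE.match(line)
        if m:
            code, desc, status = m.groups()
            checks.append({"code": code, "description": desc,
                           "status": status, "details": []})
            continue
        d = DETAIL_RE.match(line)
        if d and checks and d.group(1).strip():
            checks[-1]["details"].append(d.group(1).strip())  # attach to the preceding check
    return checks

def findings(text):
    """Checks that did not Pass and are not merely informational Notes."""
    return [c for c in parse_adcheck(text) if c["status"] not in ("Pass", "Note")]

def summary_count(text):
    """Warning count from the trailing summary line, or None if it is absent."""
    m = SUMMARY_RE.search(text)
    return int(m.group(1)) if m else None

def ok_to_join(text):
    """True only when every check passed and the summary line agrees."""
    return not findings(text) and summary_count(text) in (0, None)
```

Run against a pasted transcript, `findings()` gives the warning codes and their explanation text, which is what a reply in a thread like this actually needs, and a DNSCHECK or DOMNAME warning with a clean adcheck run does not by itself explain the kset.domain join error discussed here.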

Marc Rousseau Tue, 10/15/2013 - 04:23

We've got the same problem:


Error while configuring Active Directory: Cannot open file /var/centrifydc/previous/kset.domain: No such file or directory due to unexpected configuration or network error.Please try the --verbose option or run 'adinfo --diag' to diagnose the problem.Join to domain 'our.domain', zone 'null' failed.


Cisco ACS VERSION INFORMATION
-----------------------------
Version : 5.4.0.46.3
Internal Build ID : B.221
Patches :
5-4-0-46-3


When running "acs troubleshoot adcheck our.domain", everything is OK.

Jatin Katyal Tue, 10/15/2013 - 12:48

Since patch 5 is available and, as per the bug, the issue has been addressed in patch 5, please apply it.


~BR
Jatin Katyal

**Do rate helpful posts**
