Cisco Support Community
Community Member

ACS 3.3.3 with win2003 domains

Hi all,

The customer has a Win 2003 domain (A) and a trust established with another Win 2003 domain (B). Domain A is the one with the CiscoSecure software (ACS v3.3.3). These two domains are both pure win2003 mode.

But when trying to "add mappings" for this new 2003 Domain (B), I continually am getting "failed to enumerate Windows groups. If you are using Active Directory consult the installation guide for information." I am not able to see domain B's users and groups from within the Cisco Secure software.

However, if I use Active Directory Users and Computers from Domain A, and "connect to domain" and choose Domain B, I am able to view all users and groups just fine.

Do you know if there is a problem with configuring two 2003 domains in this software? Do you have any other areas that I should investigate? Some local policy on Domain B?

Thanks & Regards,



Re: ACS 3.3.3 with win2003 domains

Hello Terry,

this is a link to an excerpt from the ACS Troubleshooting Guide, you might want to check the things mentioned here. Scroll down to page 630 (or page 16 in Acrobat Reader);



Community Member

Re: ACS 3.3.3 with win2003 domains

hi terry,

i had this issue a couple of weeks back & this is certainly achievable, but most of the heavy lifting to be done is actually on the w2k3 side.

using two Windows 2003 Enterprise servers in two different forests & domains, you can map groupA from domainA in forestA to ACS Group1 & groupB from domainB in forestB to ACS Group2. the key is to have a full 2-way transitive trust [I tested using forest-wide trust] between the two domains for the ACS to be able to enumerate windows groups from both domains.

you also need to ensure that the CS__ services run as a domain user's a/c, rather than Local Service. i created a dummy usr in AD & granted it the appropriate privileges in both domains. a reboot or two later [to force the group policies to update], and the 2 way trust validated, i stopped getting the 'failed to enumerate windows groups'.

i don't have my notes on me, but this is just to let you know this's possible. caveats: i tested using acs4, but i'm pretty on the sure side that this can also be done using acs3.3 since the AD db query driver still functions similarly across domains [again, because this is a windows thing, not acs as much].

good luck.
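
A quick way to check the two preconditions named in the reply above (service logon account and a working trust), as an added example that is not part of the original thread. It assumes the ACS service names all begin with "CS", that `nltest` is available on the server (on Windows Server 2003 it ships with the Support Tools), and uses a placeholder name for domain B.

```powershell
# Added diagnostic sketch, not from the thread. Run on the ACS server in domain A.
# Assumptions: ACS service names start with "CS"; the domain name is a placeholder.
param(
    [string]$TrustedDomain = 'DOMAINB.example'   # placeholder for domain B's DNS name
)

# The reply advises a domain user account rather than Local Service.
# The other built-in accounts are flagged too so they get reviewed (assumption).
$builtin = 'LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService'

# 1. Show which account each CS* service logs on as.
#    The LIKE filter may also match unrelated services whose names start with "CS".
$services = Get-WmiObject -Class Win32_Service -Filter "Name LIKE 'CS%'"
if (-not $services) {
    Write-Warning 'No services matching CS* were found on this machine.'
}
foreach ($svc in $services) {
    $note = if ($builtin -contains $svc.StartName) {
        'built-in account: review'
    } else {
        'domain or local user account'
    }
    '{0,-12} {1,-35} {2}' -f $svc.Name, $svc.StartName, $note
}

# 2. List the trusts known to this machine's domain; domain B should appear
#    with both inbound and outbound direction for a two-way trust.
nltest /domain_trusts

# 3. Confirm that a domain controller for the trusted domain can be located
#    from this server (name resolution and reachability).
nltest "/dsgetdc:$TrustedDomain"
```

If a service is flagged, the logon account is changed on the service's Log On tab, and the services need a restart before group enumeration is retried.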

Community Member

Re: ACS 3.3.3 with win2003 domains

Hi globalnettech & AnuragKhare,

Thanks for your kind help. Actually, I have done what you said, but it still does not work. I wonder whether I should install ACS on a domain controller server? (Now, ACS is installed on a member server.)

