ACS 5.4 AD Join strange Issue

pemasirid
Level 1

Hi,

We have two ACS boxes with the same software version (5.4.0.46.0a). We were able to join only one ACS to the domain; the other ACS gives the attached error.

When we ran "main-acs-01/admin# acs troubleshoot adcheck <domain-name>", it gave the same errors on both ACS; however, one ACS joined the domain successfully and the other one still failed.

main-acs-01/admin# acs troubleshoot adcheck <domain-name>

This command is only for advanced troubleshooting and may incur a lot of network traffic
Do you want to continue?  (yes/no) yes

OSCHK    : Verify that this is a supported OS                          : Pass
PATCH    : Linux patch check                                           : Pass
PERL     : Verify perl is present and is a good version                : Pass
SAMBA    : Inspecting Samba installation                               : Pass
SPACECHK : Check if there is enough disk space in /var /usr /tmp       : Pass
HOSTNAME : Verify hostname setting                                     : Pass
NSHOSTS  : Check hosts line in /etc/nsswitch.conf                      : Pass
DNSPROBE : Probe DNS server 172.24.1.1                                 : Pass
DNSPROBE : Probe DNS server 172.24.1.2                                 : Pass
DNSCHECK : Analyze basic health of DNS servers                         : Pass
WHATSSH  : Is this an SSH that DirectControl works well with           : Pass
SSH      : SSHD version and configuration                              : Note
         : You are running OpenSSH_5.3p1, CiscoSSL 0.9.8r.1.3.
DOMNAME  : Check that the domain name is reasonable                    : Pass
ADDC     : Find domain controllers in DNS                              : Pass
ADDNS    : DNS lookup of DC xxxx.<domain-name>                         : Pass
ADPORT   : Port scan of DC xxxx.<domain-name>                          : Pass
ADDNS    : DNS lookup of DC xxxx.<domain-name>                         : Pass
ADPORT   : Port scan of DC xxxx.<domain-name>                          : Pass
ADDNS    : DNS lookup of DC xxxx.<domain-name>                         : Failed
         : Cannot resolve the IP address for xxxx.hmc.org.qa.
ADDNS    : DNS lookup of DC xxxx.<domain-name>                         : Pass
ADPORT   : Port scan of DC xxxx.<domain-name>                          : Pass
ADDNS    : DNS lookup of DC xxxx.<domain-name>                         : Pass
ADPORT   : Port scan of DC xxxx.<domain-name>                          : Pass
ADDNS    : DNS lookup of DC xxxx.<domain-name>                         : Pass
ADPORT   : Port scan of DC xxxx.<domain-name>                          : Warning
         : One or more ports failed to respond correctly. Either:
         :   a) the DC is offline
         :   b) a firewall is preventing access to a port
         : The following is a list of failed ports:
         :    ldap(389)/udp - timeout
         :    smb(445)/tcp - refused
         :    ldap(389)/tcp - refused
ADDNS    : DNS lookup of DC xxxx.<domain-name>                         : Pass
ADPORT   : Port scan of DC xxxx.<domain-name>                          : Pass
ADDNS    : DNS lookup of DC xxxx.<domain-name>                         : Pass
ADPORT   : Port scan of DC xxxx.<domain-name>                          : Pass
ADDNS    : DNS lookup of DC xxxx.<domain-name>                         : Pass
ADPORT   : Port scan of DC xxxx.<domain-name>                          : Pass
ADDNS    : DNS lookup of DC xxxx.<domain-name>                         : Pass
ADPORT   : Port scan of DC xxxx.<domain-name>                          : Pass
ADDNS    : DNS lookup of DC xxxx.<domain-name>                         : Pass
GCPORT   : Port scan of GC xxxx.<domain-name>                          : Pass
ADDNS    : DNS lookup of DC xxxx.<domain-name>                         : Pass
GCPORT   : Port scan of GC xxxx.<domain-name>                          : Pass
ADDNS    : DNS lookup of DC xxxx.<domain-name>                         : Failed
         : Cannot resolve the IP address for airportdc1.<domain-name>.
ADDNS    : DNS lookup of DC xxxx.<domain-name>                         : Pass
GCPORT   : Port scan of GC xxxx.<domain-name>                          : Pass
ADDNS    : DNS lookup of DC xxxx.<domain-name>                         : Pass
GCPORT   : Port scan of GC xxxx.<domain-name>                          : Pass
ADDNS    : DNS lookup of DC xxxx.<domain-name>                         : Pass
GCPORT   : Port scan of GC xxxx.<domain-name>                          : Warning
         : One or more ports failed to respond correctly. Either:
         :   a) the GC is offline
         :   b) a firewall is preventing access to a port
         : The following is a list of failed ports:
         :    gc(3268)/tcp - refused
ADDNS    : DNS lookup of DC xxxx.<domain-name>                         : Pass
GCPORT   : Port scan of GC xxxx.<domain-name>                          : Pass
ADDNS    : DNS lookup of DC xxxx.<domain-name>                         : Pass
GCPORT   : Port scan of GC xxxx.<domain-name>                          : Pass
ADDNS    : DNS lookup of DC xxxx.<domain-name>                         : Pass
GCPORT   : Port scan of GC xxxx.<domain-name>                          : Pass
ADDNS    : DNS lookup of DC xxxx.<domain-name>                         : Pass
GCPORT   : Port scan of GC xxxx.<domain-name>                          : Pass
ADGC     : Check Global Catalog servers                                : Pass
DCUP     : Check for operational DCs in <domain-name>                  : Pass
SITEUP   : Check DCs for <domain-name> in our site                     : Pass
DNSSYM   : Check DNS server symmetry                                   : Pass
ADSITE   : Check that this machine's subnet is in a site known by AD   : Pass
GSITE    : See if we think this is the correct site                    : Pass
TIME     : Check clock synchronization                                 : Pass

2 serious issues were encountered during check. These must be fixed before proceeding
2 warnings were encountered during check. We recommend checking these before proceeding

main-acs-01/admin#

Has anyone faced this issue before? I would appreciate it if someone could advise how to fix this.
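The adcheck output above boils down to two kinds of findings per DC: a DNS failure (counted as a serious issue) and a port failure on a resolvable host (counted as a warning). The following is an added example, not part of the original post and not Cisco's or Centrify's code, that reproduces that per-DC DNS-plus-port probe and its tally so the same view can be taken from any Linux host near the ACS. The hostnames, addresses and the set of closed ports in `demo()` are constructed; DNS resolution and TCP probing are injectable so the report logic runs offline. It also counts how many DCs passed every probe, since a join only needs one reachable DC, which is consistent with the OP's box joining despite two unresolvable DC names.

```python
"""adcheck-style DC/GC reachability report (added example, not Cisco/Centrify code)."""
import socket
from typing import Callable, Dict, List, Optional, Sequence, Tuple

# Ports adcheck probed per DC and per GC in the thread's output.
DC_TCP_PORTS: Dict[str, int] = {"ldap": 389, "smb": 445}
GC_TCP_PORTS: Dict[str, int] = {"gc": 3268}

Resolver = Callable[[str], Optional[str]]
Prober = Callable[[str, int], bool]


def resolve(host: str) -> Optional[str]:
    """First IPv4 address for host, or None when the name does not resolve."""
    try:
        return socket.getaddrinfo(host, None, socket.AF_INET)[0][4][0]
    except socket.gaierror:
        return None


def tcp_open(ip: str, port: int, timeout: float = 3.0) -> bool:
    """True when a TCP connect to ip:port completes; refused and timeout both count as failed."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_dcs(dcs: Sequence[str], gcs: Sequence[str],
              resolver: Resolver = resolve, prober: Prober = tcp_open) -> dict:
    """Probe DCs (LDAP, SMB) and GCs (3268) the way adcheck's ADDNS/ADPORT/GCPORT rows do.

    A name that fails DNS is a serious issue (adcheck: Failed); a resolvable host with
    closed or filtered ports is a warning (adcheck: Warning). The summary also counts
    DCs that passed every probe, since those are the ones a join can actually use.
    """
    findings: List[Tuple[str, str, str, List[str]]] = []
    serious = warnings = 0
    for role, hosts, ports in (("DC", dcs, DC_TCP_PORTS), ("GC", gcs, GC_TCP_PORTS)):
        for host in hosts:
            ip = resolver(host)
            if ip is None:
                serious += 1
                findings.append((role, host, "Failed", ["cannot resolve the IP address"]))
                continue
            failed = [f"{name}({port})/tcp - closed" for name, port in ports.items()
                      if not prober(ip, port)]
            if failed:
                warnings += 1
                findings.append((role, host, "Warning", failed))
            else:
                findings.append((role, host, "Pass", []))
    usable_dcs = sum(1 for role, _, status, _ in findings if role == "DC" and status == "Pass")
    return {"findings": findings, "serious": serious, "warnings": warnings,
            "usable_dcs": usable_dcs}


def format_report(report: dict) -> str:
    """Render the findings in the same column style as adcheck."""
    lines = []
    for role, host, status, details in report["findings"]:
        lines.append(f"{role:<4}: {host:<40} : {status}")
        lines.extend(f"      : {d}" for d in details)
    lines.append(f"{report['serious']} serious issues, {report['warnings']} warnings, "
                 f"{report['usable_dcs']} DC(s) passed every probe")
    return "\n".join(lines)


def demo() -> dict:
    """Constructed inputs mirroring the thread's outcome: two names do not resolve,
    one DC fails LDAP/SMB and its GC port, the rest pass (hostnames/IPs are made up)."""
    addrs = {"dc1.example.test": "10.0.0.1", "dc2.example.test": "10.0.0.2",
             "dc3.example.test": "10.0.0.3"}
    closed = {("10.0.0.3", 389), ("10.0.0.3", 445), ("10.0.0.3", 3268)}
    return check_dcs(
        dcs=["dc1.example.test", "dc2.example.test", "dc3.example.test",
             "airportdc1.example.test"],
        gcs=["dc1.example.test", "dc3.example.test", "branchgc.example.test"],
        resolver=addrs.get,                                  # dict lookup stands in for DNS
        prober=lambda ip, port: (ip, port) not in closed,    # stands in for TCP connect
    )


if __name__ == "__main__":
    print(format_report(demo()))
```

Against a real domain, drop the `resolver`/`prober` arguments and pass the DC names from `dig _ldap._tcp.<domain-name> SRV`; a host that is `Failed` here is the one to chase with the DNS administrators, while a `Warning` host points at a firewall between the ACS and that DC.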


Accepted Solution

Jatin Katyal
Cisco Employee

This was a known issue with ACS 5.3; however, we got this fixed in ACS 5.3 patch 7 and ACS 5.4.

Since you're running ACS 5.4, it should not trigger.

CSCtx53223    After upgrade ACS 5.3 fail to join AD domain - missing Centrify license

Symptom:

After upgrading from 5.2 to 5.3, ACS fails to join the domain. The AD connection worked for a few days, until the services were restarted. After that, ACS fails to join AD with the following error message in ACSADAgent.log:

Jan 20 02:36:32 CBR1BACS01 adjoin[6814]: DEBUG cli.adjoin Join to zone is only permitted with a licensed copy of DirectControl. Get a license or learn more about Centrify Suite at http://www.centrify.com/express

Jan 20 02:36:32 CBR1BACS01 adjoin[6814]: DEBUG cli.adjoin Without a license, you may connect to a domain through Auto Zone by specifying adjoin -w Test.Test

Conditions:

Upgrade from 5.2 to 5.3, then restart the services later on.

Workaround:

Back up the ACS DB and re-image the box to 5.3.

How did you upgrade to ACS 5.4?

1.] Upgraded from 5.3 to 5.4 using the upgrade package.

2.] Re-imaged it with the ACS 5.4 ISO and restored the ACS 5.3 database.

I would suggest you open a TAC case on this. Most likely you need to re-image the server and restore the database if you went with option 1.]

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin


Hello Jatin,

Many thanks for your reply on this.

It was resolved: once I stopped and started the ACS application and then tried to join the domain, it worked.

I'm not sure why it was still giving me some warnings and serious issues when I ran the "acs troubleshoot adcheck" command, and also not sure why the message about a missing Centrify license was shown.

thanks

Well, restarting services is a workaround for many problems in ACS 5.x.

What I was thinking is that if it has already been fixed in ACS 5.3 patch 7 and ACS 5.4, why are we seeing this message in the first place? I'd say if you see this problem again on this code, report back and open a TAC case on it. If you want to dig into the logs and understand it, we can fetch the adclient logs at debug level.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin