Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ACS 5.4 AD Join strange Issue

Hi,

We have two ACS boxes with the same software version (5.4.0.46.0a), we were able to join domain one ACS only and other ACS is given the attached error.

When we checked "main-acs-01/admin# acs troubleshoot adcheck <domain-name>, it gave the same error for both ACS, however one ACS successfully joined to the domain and still other one failed.

main-acs-01/admin# acs troubleshoot adcheck <domain-name

This command is only for advanced troubleshooting and may incur a lot of network traffic

Do you want to continue?  (yes/no) yes

OSCHK    : Verify that this is a supported OS                          : Pass

PATCH    : Linux patch check                                           : Pass

PERL     : Verify perl is present and is a good version                : Pass

SAMBA    : Inspecting Samba installation                               : Pass

SPACECHK : Check if there is enough disk space in /var /usr /tmp       : Pass

HOSTNAME : Verify hostname setting                                     : Pass

NSHOSTS  : Check hosts line in /etc/nsswitch.conf                      : Pass

DNSPROBE : Probe DNS server 172.24.1.1                                 : Pass

DNSPROBE : Probe DNS server 172.24.1.2                                 : Pass

DNSCHECK : Analyze basic health of DNS servers                         : Pass

WHATSSH  : Is this an SSH that DirectControl works well with           : Pass

SSH      : SSHD version and configuration                              : Note

         : You are running OpenSSH_5.3p1, CiscoSSL 0.9.8r.1.3.

DOMNAME  : Check that the domain name is reasonable                    : Pass

ADDC     : Find domain controllers in DNS                              : Pass

ADDNS    : DNS lookup of DC xxxx.<domain-name>                     : Pass

ADPORT   : Port scan of DC xxxx.<domain-name>                      : Pass

ADDNS    : DNS lookup of DC xxxx.<domain-name>                    : Pass

ADPORT   : Port scan of DC xxxx.<domain-name>                     : Pass

ADDNS    : DNS lookup of DC xxxx.<domain-name>                     : Failed

         : Cannot resolve the IP address for xxxx.hmc.org.qa.

ADDNS    : DNS lookup of DC xxxx.<domain-name>                     : Pass

ADPORT   : Port scan of DC xxxx.<domain-name>                      : Pass

ADDNS    : DNS lookup of DC xxxx.<domain-name>                  : Pass

ADPORT   : Port scan of DC xxxx.<domain-name>                   : Pass

ADDNS    : DNS lookup of DC xxxx.<domain-name>                    : Pass

ADPORT   : Port scan of DC xxxx.<domain-name>                     : Warning

         : One or more ports failed to respond correctly. Either:

         :   a) the DC is offline

         :   b) a firewall is preventing access to a port

         : The following is a list of failed ports:

         :    ldap(389)/udp - timeout

         :    smb(445)/tcp - refused

         :    ldap(389)/tcp - refused

ADDNS    : DNS lookup of DC xxxx.<domain-name>                       : Pass

ADPORT   : Port scan of DC xxxx.<domain-name>                        : Pass

ADDNS    : DNS lookup of DC xxxx.<domain-name>                       : Pass

ADPORT   : Port scan of DC xxxx.<domain-name>                        : Pass

ADDNS    : DNS lookup of DC xxxx.<domain-name>                          : Pass

ADPORT   : Port scan of DC xxxx.<domain-name>                           : Pass

ADDNS    : DNS lookup of DC xxxx.<domain-name>                   : Pass

ADPORT   : Port scan of DC xxxx.<domain-name>                    : Pass

ADDNS    : DNS lookup of DC xxxx.<domain-name>                     : Pass

GCPORT   : Port scan of GC xxxx.<domain-name>                      : Pass

ADDNS    : DNS lookup of DC xxxx.<domain-name>                    : Pass

GCPORT   : Port scan of GC xxxx.<domain-name>                     : Pass

ADDNS    : DNS lookup of DC xxxx.<domain-name>                     : Failed

         : Cannot resolve the IP address for airportdc1.<domain-name>.

ADDNS    : DNS lookup of DC xxxx.<domain-name>                     : Pass

GCPORT   : Port scan of GC xxxx.<domain-name>                      : Pass

ADDNS    : DNS lookup of DC xxxx.<domain-name>                  : Pass

GCPORT   : Port scan of GC xxxx.<domain-name>                   : Pass

ADDNS    : DNS lookup of DC xxxx.<domain-name>                    : Pass

GCPORT   : Port scan of GC xxxx.<domain-name>                     : Warning

         : One or more ports failed to respond correctly. Either:

         :   a) the GC is offline

         :   b) a firewall is preventing access to a port

         : The following is a list of failed ports:

         :    gc(3268)/tcp - refused

ADDNS    : DNS lookup of DC xxxx.<domain-name>                       : Pass

GCPORT   : Port scan of GC xxxx.<domain-name>                        : Pass

ADDNS    : DNS lookup of DC xxxx.<domain-name>                       : Pass

GCPORT   : Port scan of GC xxxx.<domain-name>                        : Pass

ADDNS    : DNS lookup of DC xxxx.<domain-name>                          : Pass

GCPORT   : Port scan of GC xxxx<domain-name>                           : Pass

ADDNS    : DNS lookup of DC xxxx.<domain-name>                   : Pass

GCPORT   : Port scan of GC xxxx.<domain-name>                    : Pass

ADGC     : Check Global Catalog servers                                : Pass

DCUP     : Check for operational DCs in <domain-name>                    : Pass

SITEUP   : Check DCs for <domain-name>in our site                        : Pass

DNSSYM   : Check DNS server symmetry                                   : Pass

ADSITE   : Check that this machine's subnet is in a site known by AD   : Pass

GSITE    : See if we think this is the correct site                    : Pass

TIME     : Check clock synchronization                                 : Pass

2 serious issues were encountered during check. These must be fixed before proceeding

2 warnings were encountered during check. We recommend checking these before proceeding

main-acs-01/admin#

Has any one face this issue before and appreciate if someone can advise how to fix this.


1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

ACS 5.4 AD Join strange Issue

This was a known issue with ACS 5.3 however, we got this fixed in ACS 5.3 patch 7 and ACS 5.4

Since you're running ACS 5.4, it should not trigger.

CSCtx53223    After upgrade ACS 5.3 fail to join AD domain - missing Centrify license

Symptom:

After upgrading from 5.2 to 5.3, ACS fails to join the domain. AD connection worked for a few days, until the services were restarted. After that ACS fails to join AD with the following error message in ACSADAgent.log:

Jan 20 02:36:32 CBR1BACS01 adjoin[6814]: DEBUG cli.adjoin Join to zone is only permitted with a licensed copy of DirectControl. Get a license or learn more about Centrify Suite at http://www.centrify.com/express

Jan 20 02:36:32 CBR1BACS01 adjoin[6814]: DEBUG cli.adjoin Without a license, you may connect to a domain through Auto Zone by specifying adjoin -w Test.Test

Conditions:

Upgrade from 5.2 to 5.3. Restart the services later on.

Workaround:

Backup the ACS db and re-image the box to 5.3

How did you upgrade to ACS 5.4

1.] Upgraded from 5.3 to 5.4 using upgrade package.

2.] reianged it with ACS 5.4 ISO and restored the ACS 5.3 database.

I would suggest you to open a TAC case on this. Most likely you need reimage the server and restore the database if you had gone through with option 1.]

~BR
Jatin Katyal

**Do rate helpful posts**

~BR Jatin Katyal **Do rate helpful posts**
3 REPLIES
Cisco Employee

ACS 5.4 AD Join strange Issue

This was a known issue with ACS 5.3 however, we got this fixed in ACS 5.3 patch 7 and ACS 5.4

Since you're running ACS 5.4, it should not trigger.

CSCtx53223    After upgrade ACS 5.3 fail to join AD domain - missing Centrify license

Symptom:

After upgrading from 5.2 to 5.3, ACS fails to join the domain. AD connection worked for a few days, until the services were restarted. After that ACS fails to join AD with the following error message in ACSADAgent.log:

Jan 20 02:36:32 CBR1BACS01 adjoin[6814]: DEBUG cli.adjoin Join to zone is only permitted with a licensed copy of DirectControl. Get a license or learn more about Centrify Suite at http://www.centrify.com/express

Jan 20 02:36:32 CBR1BACS01 adjoin[6814]: DEBUG cli.adjoin Without a license, you may connect to a domain through Auto Zone by specifying adjoin -w Test.Test

Conditions:

Upgrade from 5.2 to 5.3. Restart the services later on.

Workaround:

Backup the ACS db and re-image the box to 5.3

How did you upgrade to ACS 5.4

1.] Upgraded from 5.3 to 5.4 using upgrade package.

2.] reianged it with ACS 5.4 ISO and restored the ACS 5.3 database.

I would suggest you to open a TAC case on this. Most likely you need reimage the server and restore the database if you had gone through with option 1.]

~BR
Jatin Katyal

**Do rate helpful posts**

~BR Jatin Katyal **Do rate helpful posts**
New Member

ACS 5.4 AD Join strange Issue

Hello Jatin,

Many thanks for your reply on this.

It was resolved, once I stop and start the ACS application and then tried to join to Domain it worked.

I'm not sure why it was still giving me some Warning and serious issue when I run the "acs troubleshoot adcheck" command and also not sure why the message shown about missing centrify license ..?

thanks

Cisco Employee

ACS 5.4 AD Join strange Issue

Well, restarting services is a workaround to many problems in ACS 5.x

What I was thinking that if it has been already fixed in ACS 5.3 patch 7 and ACS 5.4, why we're seeing this message at first place. I'd say if you see this problem again on this code, report back and open a TAC case on this. If you want to dig into logs and understand then we can fetch adclient logs at debug level.

~BR
Jatin Katyal

**Do rate helpful posts**

~BR Jatin Katyal **Do rate helpful posts**
597
Views
0
Helpful
3
Replies
CreatePlease to create content