09-25-2013 12:37 AM - edited 03-10-2019 08:55 PM
Hi,
We have two ACS boxes with the same software version (5.4.0.46.0a). We were able to join only one ACS to the domain, and the other ACS gives the attached error.
When we checked "main-acs-01/admin# acs troubleshoot adcheck <domain-name>", it gave the same error for both ACS boxes; however, one ACS successfully joined the domain and the other one still failed.
main-acs-01/admin# acs troubleshoot adcheck <domain-name
This command is only for advanced troubleshooting and may incur a lot of network traffic
Do you want to continue? (yes/no) yes
OSCHK : Verify that this is a supported OS : Pass
PATCH : Linux patch check : Pass
PERL : Verify perl is present and is a good version : Pass
SAMBA : Inspecting Samba installation : Pass
SPACECHK : Check if there is enough disk space in /var /usr /tmp : Pass
HOSTNAME : Verify hostname setting : Pass
NSHOSTS : Check hosts line in /etc/nsswitch.conf : Pass
DNSPROBE : Probe DNS server 172.24.1.1 : Pass
DNSPROBE : Probe DNS server 172.24.1.2 : Pass
DNSCHECK : Analyze basic health of DNS servers : Pass
WHATSSH : Is this an SSH that DirectControl works well with : Pass
SSH : SSHD version and configuration : Note
: You are running OpenSSH_5.3p1, CiscoSSL 0.9.8r.1.3.
DOMNAME : Check that the domain name is reasonable : Pass
ADDC : Find domain controllers in DNS : Pass
ADDNS : DNS lookup of DC xxxx.<domain-name> : Pass
ADPORT : Port scan of DC xxxx.<domain-name> : Pass
ADDNS : DNS lookup of DC xxxx.<domain-name> : Pass
ADPORT : Port scan of DC xxxx.<domain-name> : Pass
ADDNS : DNS lookup of DC xxxx.<domain-name> : Failed
: Cannot resolve the IP address for xxxx.hmc.org.qa.
ADDNS : DNS lookup of DC xxxx.<domain-name> : Pass
ADPORT : Port scan of DC xxxx.<domain-name> : Pass
ADDNS : DNS lookup of DC xxxx.<domain-name> : Pass
ADPORT : Port scan of DC xxxx.<domain-name> : Pass
ADDNS : DNS lookup of DC xxxx.<domain-name> : Pass
ADPORT : Port scan of DC xxxx.<domain-name> : Warning
: One or more ports failed to respond correctly. Either:
: a) the DC is offline
: b) a firewall is preventing access to a port
: The following is a list of failed ports:
: ldap(389)/udp - timeout
: smb(445)/tcp - refused
: ldap(389)/tcp - refused
ADDNS : DNS lookup of DC xxxx.<domain-name> : Pass
ADPORT : Port scan of DC xxxx.<domain-name> : Pass
ADDNS : DNS lookup of DC xxxx.<domain-name> : Pass
ADPORT : Port scan of DC xxxx.<domain-name> : Pass
ADDNS : DNS lookup of DC xxxx.<domain-name> : Pass
ADPORT : Port scan of DC xxxx.<domain-name> : Pass
ADDNS : DNS lookup of DC xxxx.<domain-name> : Pass
ADPORT : Port scan of DC xxxx.<domain-name> : Pass
ADDNS : DNS lookup of DC xxxx.<domain-name> : Pass
GCPORT : Port scan of GC xxxx.<domain-name> : Pass
ADDNS : DNS lookup of DC xxxx.<domain-name> : Pass
GCPORT : Port scan of GC xxxx.<domain-name> : Pass
ADDNS : DNS lookup of DC xxxx.<domain-name> : Failed
: Cannot resolve the IP address for airportdc1.<domain-name>.
ADDNS : DNS lookup of DC xxxx.<domain-name> : Pass
GCPORT : Port scan of GC xxxx.<domain-name> : Pass
ADDNS : DNS lookup of DC xxxx.<domain-name> : Pass
GCPORT : Port scan of GC xxxx.<domain-name> : Pass
ADDNS : DNS lookup of DC xxxx.<domain-name> : Pass
GCPORT : Port scan of GC xxxx.<domain-name> : Warning
: One or more ports failed to respond correctly. Either:
: a) the GC is offline
: b) a firewall is preventing access to a port
: The following is a list of failed ports:
: gc(3268)/tcp - refused
ADDNS : DNS lookup of DC xxxx.<domain-name> : Pass
GCPORT : Port scan of GC xxxx.<domain-name> : Pass
ADDNS : DNS lookup of DC xxxx.<domain-name> : Pass
GCPORT : Port scan of GC xxxx.<domain-name> : Pass
ADDNS : DNS lookup of DC xxxx.<domain-name> : Pass
GCPORT : Port scan of GC xxxx<domain-name> : Pass
ADDNS : DNS lookup of DC xxxx.<domain-name> : Pass
GCPORT : Port scan of GC xxxx.<domain-name> : Pass
ADGC : Check Global Catalog servers : Pass
DCUP : Check for operational DCs in <domain-name> : Pass
SITEUP : Check DCs for <domain-name>in our site : Pass
DNSSYM : Check DNS server symmetry : Pass
ADSITE : Check that this machine's subnet is in a site known by AD : Pass
GSITE : See if we think this is the correct site : Pass
TIME : Check clock synchronization : Pass
2 serious issues were encountered during check. These must be fixed before proceeding
2 warnings were encountered during check. We recommend checking these before proceeding
main-acs-01/admin#
Has anyone faced this issue before? I would appreciate it if someone could advise how to fix this.
09-25-2013 09:14 PM
This was a known issue with ACS 5.3; however, we got this fixed in ACS 5.3 patch 7 and ACS 5.4.
Since you're running ACS 5.4, it should not trigger.
CSCtx53223 After upgrade ACS 5.3 fail to join AD domain - missing Centrify license
Symptom:
After upgrading from 5.2 to 5.3, ACS fails to join the domain. AD connection worked for a few days, until the services were restarted. After that ACS fails to join AD with the following error message in ACSADAgent.log:
Jan 20 02:36:32 CBR1BACS01 adjoin[6814]: DEBUG cli.adjoin Join to zone is only permitted with a licensed copy of DirectControl. Get a license or learn more about Centrify Suite at http://www.centrify.com/express
Jan 20 02:36:32 CBR1BACS01 adjoin[6814]: DEBUG cli.adjoin Without a license, you may connect to a domain through Auto Zone by specifying adjoin -w Test.Test
Conditions:
Upgrade from 5.2 to 5.3. Restart the services later on.
Workaround:
Backup the ACS db and re-image the box to 5.3
How did you upgrade to ACS 5.4?
1.] Upgraded from 5.3 to 5.4 using the upgrade package.
2.] Reimaged it with the ACS 5.4 ISO and restored the ACS 5.3 database.
I would suggest you open a TAC case on this. Most likely you need to reimage the server and restore the database if you had gone through with option 1.]
~BR
Jatin Katyal
**Do rate helpful posts**
09-25-2013 10:31 PM
Hello Jatin,
Many thanks for your reply on this.
It was resolved: once I stopped and started the ACS application and then tried to join the domain, it worked.
I'm not sure why it was still giving me some warnings and serious issues when I ran the "acs troubleshoot adcheck" command, and I'm also not sure why the message about the missing Centrify license was shown?
Thanks
09-26-2013 04:44 AM
Well, restarting services is a workaround to many problems in ACS 5.x.
What I was thinking is that if it has already been fixed in ACS 5.3 patch 7 and ACS 5.4, why are we seeing this message in the first place? I'd say if you see this problem again on this code, report back and open a TAC case on this. If you want to dig into the logs and understand, then we can fetch adclient logs at debug level.
~BR
Jatin Katyal
**Do rate helpful posts**
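An added example, not written by any poster in this thread and not part of Cisco's tooling: a small Python triage script that pulls only the Failed and Warning checks out of an `acs troubleshoot adcheck` transcript, together with their detail lines and failed ports, so the unresolvable DCs and refused ports can be compared between two ACS nodes. The line shapes are assumed to match the output as pasted above, and the host names and addresses in the sample are constructed placeholders.

```python
import re
from dataclasses import dataclass, field

# Line shapes as pasted in this thread (assumption: real output may be column-aligned).
CHECK = re.compile(r"^\s*(\w+)\s*:\s*(.*\S)\s*:\s*(Pass|Failed|Warning|Note)\s*$")
DETAIL = re.compile(r"^\s*:\s*(.*)$")
PORT = re.compile(r"(\w+)\((\d+)\)/(tcp|udp)\s*-\s*(\w+)")

@dataclass
class Finding:
    check: str
    description: str
    status: str
    details: list = field(default_factory=list)
    ports: list = field(default_factory=list)  # (service, port, proto, result)

def triage(text):
    """Return only the Failed/Warning checks, with their detail lines attached."""
    findings, current = [], None
    for line in text.splitlines():
        m = CHECK.match(line)
        if m:
            current = None  # a new check line ends the previous detail block
            if m.group(3) in ("Failed", "Warning"):
                current = Finding(m.group(1), m.group(2), m.group(3))
                findings.append(current)
            continue
        d = DETAIL.match(line)
        if d and current is not None:
            current.details.append(d.group(1))
            for svc, port, proto, result in PORT.findall(d.group(1)):
                current.ports.append((svc, int(port), proto, result))
    return findings

# Constructed sample with placeholder host names, modelled on the output above.
SAMPLE = """\
DNSPROBE : Probe DNS server 192.0.2.1 : Pass
ADDNS : DNS lookup of DC dc1.example.test : Failed
: Cannot resolve the IP address for dc1.example.test.
ADDNS : DNS lookup of DC dc2.example.test : Pass
ADPORT : Port scan of DC dc2.example.test : Warning
: One or more ports failed to respond correctly. Either:
: a) the DC is offline
: b) a firewall is preventing access to a port
: The following is a list of failed ports:
: ldap(389)/udp - timeout
: smb(445)/tcp - refused
TIME : Check clock synchronization : Pass
"""

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f.status, f.check, f.description, f.ports or f.details)
```

Running it over the transcript saved from each node and comparing the two result lists shows whether both nodes report the same failed lookups and refused ports.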