Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
968
Views
0
Helpful
4
Replies

ACS 5.4 AD search very slow

yogesh.suryawanshi
Level 1
Level 1

‎02-16-2014 05:05 PM - edited ‎03-10-2019 09:24 PM

Hi All,

Just started installation of ACS 5.4 & integrated it with AD.

My AD tree is very big & DL search from Acs 5.4 take longer time , sometime 5-8 mins for one DL or sometimes it times out.

Is their any way we can optimise AD search using internal settings in ACS5.4 or using some external AD agents.

Yoges

Labels:
0 Helpful
4 Replies 4

Ravi Singh
Level 7
Level 7

‎02-20-2014 05:44 PM

This was the bug CSCub46074 in ACS 5.3 response is very slow with a large number of identity groups. It may be bug in 5.4 also. I am working on your query and get back to you.

0 Helpful

Naveed N
Level 1
Level 1
In response to Ravi Singh

‎06-24-2014 07:17 AM

We opened a TAC case and found the ACS will register with AD which is responding the fastest, but it may not register with specified server (you can see the hostname in the GUI after AD registration), the AD was responding very slow for DL search. With the root access the server IP address was changed and the DL search was less than a second. There is no issue with the ACS 5.4

0 Helpful

Muhammad Munir
Level 5
Level 5

‎02-26-2014 04:24 AM

Hello Yoges,

FYI,

Just to add Ravi’s post, probably this could be a reason.

While trying to join ACS to the AD domain, ACS and AD must be time-synchronized. Time in ACS is set according to the Network Time Protocol (NTP) server. Both AD and ACS should be synchronized by the same NTP server. If time is not synchronized when you join ACS to the AD domain, ACS displays a clock skew error. Using the command line interface on your appliance, you must configure the NTP client to work with the same NTP server that the AD domain is synchronized with.

0 Helpful

Naveed N
Level 1
Level 1
In response to Muhammad Munir

‎02-26-2014 08:04 AM

Hi Munir,

AD tree is very big. There are no errors while joining the AD. Able to test and join the AD. No issues with NTP sync. After clicking on select button in Directory Group, it takes more than 3 to 4 minutes for the DL results to load or it times out and when we filter for specific DL it takes more than 7 to 8 minutes for results to appear or it times out again. Most of the time it times out. We have tested this with different name server IPs as well.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents