09-11-2015 05:02 AM - edited 03-10-2019 11:02 PM
Hi guys,
We have two ACS servers (ACS01, ACS02) running on VMs (with the latest 5.7 version); both contain different sets of data. We want to keep those two servers in distributed mode (ACS01 as primary and ACS02 as secondary) with full replication. If I set it up like that, the data present in ACS02 will be overwritten by ACS01. So is there a process for moving the data present in ACS02 to ACS01 and then setting those two up in distributed mode?
Both ACS servers use different Active Directories in different domains.
Thanks
09-11-2015 01:36 PM
Hi,
There is not actually an easy way to merge these 2 databases. What you will have to do is try to export/import the data, which can be done using the .csv option (only network devices, NDGs, users, identity groups, and command sets are exportable); the rules and all other settings will have to be configured manually.
And regarding the AD domain, ACS will only be able to join one single domain. If you want to be able to authenticate users from a foreign domain, it will be necessary to create a 2-way trust relationship between the 2 domains (the one ACS will be joining and the foreign domain).
After doing that, users from the foreign domain will have to enter username + domain name to be able to authenticate.
Note: Please mark as answered if applicable.
09-11-2015 07:03 PM
Hi ivangonz,
If I export that data from ACS02 and import it into ACS01, does it impact the data that is already present in ACS01?
Can we migrate data from one Active Directory to another Active Directory?
If you don't mind, can you please share some links or procedures for how to do all this? I am not very familiar with these topics on ACS.
Thanks.
09-14-2015 12:08 PM
Hello,
The best link I can provide for this procedure is the following:
http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-7/user/guide/acsuserguide/my_wkspc.html#pgfId-1131893
When importing and exporting this data you are able to either only add (to the existing data) or overwrite all the data that you already have, so you will be able to add the data from one ACS to the other without losing your current database.
And regarding your concern about whether you can migrate data from one AD to the other, I have read it is possible using a tool called ADMT (Active Directory Migration Tool), but I am not quite sure about the details of how to do it. You might want to get some AD support on it.
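The add-mode import described in the reply above is safest when you know beforehand which rows from the ACS02 export already exist on ACS01 under the same name or the same IP. The script below is an added example for this thread, not a Cisco tool and not code from either poster: it takes two CSV exports, reports the rows that can be appended cleanly, the rows that collide by name with different attributes, and the rows whose IP already belongs to another device on the primary, and renders the safe rows as an import file with the original header order. The column names and both exports are constructed for illustration; the actual header line of an ACS 5.7 network-device export should be taken from the template ACS generates, and the matching behaviour of the import itself should be checked against the user guide the reply links.

```python
import csv
import io

# Constructed sample exports (not real ACS data). The column names are an
# assumption chosen to resemble an ACS 5.x "Network Devices" CSV, not copied
# from it; replace the header with the one from a real ACS export template.
ACS01_CSV = """Name,IP Address,Shared Secret,Network Device Group
core-sw1,10.1.1.1,s3cret-a,All Locations:DC-A
edge-rtr1,10.1.2.1,s3cret-b,All Locations:DC-A
fw-shared,10.9.9.9,s3cret-c,All Locations:DC-A
"""

ACS02_CSV = """Name,IP Address,Shared Secret,Network Device Group
dist-sw1,10.2.1.1,s3cret-d,All Locations:DC-B
fw-shared,10.9.9.9,s3cret-zz,All Locations:DC-B
edge-rtr1,10.2.2.1,s3cret-e,All Locations:DC-B
mgmt-sw,10.1.1.1,s3cret-f,All Locations:DC-B
"""


def load_rows(text):
    """Parse a CSV export into a list of dicts keyed by the header line."""
    return list(csv.DictReader(io.StringIO(text)))


def merge_exports(primary_csv, secondary_csv, key="Name", ip_col="IP Address"):
    """Classify every row of the secondary export against the primary.

    Returns a dict with:
      add           rows safe to append in add mode (no name or IP clash)
      identical     names present on both sides with all columns equal
      conflicts     (name, {column: (primary_value, secondary_value)}) pairs
      ip_collisions (secondary_name, ip, primary_name) where the IP is
                    already used by a differently named primary device
    """
    primary = {r[key]: r for r in load_rows(primary_csv)}
    primary_by_ip = {r[ip_col]: r[key] for r in primary.values()}

    result = {"add": [], "identical": [], "conflicts": [], "ip_collisions": []}
    for row in load_rows(secondary_csv):
        existing = primary.get(row[key])
        if existing is not None:
            if existing == row:
                result["identical"].append(row[key])
            else:
                # Same device name, different attributes: an add-mode import
                # would either skip or silently clobber one side, so hold it
                # back for a manual decision (e.g. which shared secret wins).
                diff = {c: (existing.get(c), row[c]) for c in row
                        if existing.get(c) != row[c]}
                result["conflicts"].append((row[key], diff))
            continue

        owner = primary_by_ip.get(row[ip_col])
        if owner is not None:
            # A TACACS+ client is matched by source address at runtime, so two
            # names on one IP is a conflict even though the names differ.
            result["ip_collisions"].append((row[key], row[ip_col], owner))
            continue

        result["add"].append(row)
    return result


def build_import_csv(rows, template_csv):
    """Render rows as CSV using the header order of template_csv, so the
    output can be fed to an add-mode import (hypothetical workflow)."""
    fieldnames = csv.DictReader(io.StringIO(template_csv)).fieldnames
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    report = merge_exports(ACS01_CSV, ACS02_CSV)
    print("safe to add:", [r["Name"] for r in report["add"]])
    for name, diff in report["conflicts"]:
        print("conflict on", name, "->", diff)
    for name, ip, owner in report["ip_collisions"]:
        print("ip collision:", name, "uses", ip, "already owned by", owner)
    print(build_import_csv(report["add"], ACS02_CSV))
```

With the constructed data, only dist-sw1 is appended; fw-shared and edge-rtr1 exist on ACS01 with different secrets or addresses and are listed as conflicts, and mgmt-sw is withheld because its IP already belongs to core-sw1. Resolving those few rows by hand before the import is far less work than discovering them after replication has pushed a wrong shared secret to both servers.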
09-15-2015 02:42 PM
Instead of doing all this, can we add everything in ACS02 to ACS01 manually and then set up distributed mode?
09-15-2015 03:58 PM
Hello,
Yes, that is something else you can do. Manually add everything you have on ACS02 to ACS01, and once you set up the distributed deployment, you will have a mirror between the 2 ACS servers.
I proposed the import/export option since you might have a hard time manually adding all the devices, users, and groups into ACS01 in case you had too many of these configured, but if it is better for you, you can definitely do this manual procedure.
09-18-2015 02:56 PM
Hi,
After migrating all data from ACS02 to ACS01, do we need to update the TACACS configuration on each and every device (the ones that were pointed at ACS02 earlier)? Or can we keep it like that, because we are doing distributed mode with full replication, so both servers contain the same data, right?
Thanks
09-21-2015 05:21 AM
Hi,
Right, you do not need to add anything manually, since ACS01 will replicate all its data to the secondary, with the exception of the information in the link below:
http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-7/user/guide/acsuserguide/introd.html#pgfId-1075946
Note: Please mark it as answered if applicable.