Distributed mode in ACS server

neteng783
Level 1

Hi guys,

 

We have two ACS servers (ACS01, ACS02) running on VMs (with the latest 5.7 version); both contain different sets of data. We want to keep those two servers in distributed mode (ACS01 as primary and ACS02 as secondary) with full replication. If I set it up like that, the data present in ACS02 will be overwritten by ACS01. So is there a process for moving the data present in ACS02 to ACS01 and setting up those two in distributed mode?

Both ACS have different active directories present in different domains.

 

Thanks

7 Replies

Ivan Gonzalez
Cisco Employee

Hi,

 

There is not actually an easy way to merge these 2 databases. What you will have to do is try to export/import the data, which can be done using the .csv option (only Network devices, NDGs, Users, Identity groups, and command sets are exportable); the rules and all other settings will have to be configured manually.

And related to the AD domain, the ACS will only be able to join one single domain. If you want to be able to authenticate users from a foreign domain, it will be necessary to create a 2-way trust relationship between the 2 domains (the one ACS will be joining and the foreign domain).

After doing that, users from the foreign domain will have to enter username+domain name to be able to authenticate.

 

 

Note: Please mark as answered if applicable.

Hi ivangonz,

 

If I export that data from ACS02 and import it into ACS01, does it impact the data that is already present in ACS01?

 

Can we migrate data from one active directory to another active directory?

 

If you don't mind can you please share some links or procedures of how to do all this process. I am not much aware of these topics on ACS.

 

Thanks.

 

Hello,

 

The best link I might be able to provide for these procedures is the following:

 

http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-7/user/guide/acsuserguide/my_wkspc.html#pgfId-1131893

 

When importing and exporting this data you are able to either only add (to the existing data) or overwrite all the data that you already have, so you will be able to add the data from one ACS to the other without losing your current database.

 

And related to your concern if you are able to migrate data from one AD to the other, I have read it is possible by using a tool called ADMT (Active Directory Migration Tool), but not quite sure about the details on how to do it. You might want to get some AD support on it.

 

 

Instead of doing all this, can we add everything in ACS02 to ACS01 manually and set up distributed mode?

Hello,

 

Yes, that is something else you can do. Manually add all that you have on ACS02 to ACS01, and once you set up the distributed deployment, you will have a mirror between the 2 ACS.

 

I proposed the import/export option since you might have a hard time manually adding all the devices, users, and groups into ACS01 in the case you had too many of these configured, but if it is better for you, you can definitely do this manual procedure.

 

Hi,

After migrating all data from ACS02 to ACS01, do we need to update the TACACS configuration in each and every device (which were present in ACS02 earlier)? Or can we keep it like that, because we are doing distributed mode with full replication, so both servers contain the same data, right?

 

Thanks

Hi,

 

Right, you do not need to add anything manually since ACS01 will replicate all its data to the secondary, with the exception of the information on the link below:

 

http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-7/user/guide/acsuserguide/introd.html#pgfId-1075946

 

Note: Please mark it as answered if applicable.
