ACS 5.2 windows 2003 AD cannot join

Hi All,

  I am trying to lab up an ACS 5.2 with Windows 2003 AD for PEAP authentication. But my ACS does not join the AD and throws an error "cannot resolve network address". But when I do an nslookup on the ACS CLI, the same domain wireless.abc.com is returning with the IP address of my AD. I think I am missing something in the Windows AD/DNS configs here, as I am not a Windows AD expert.

1) My AD domain is wireless.abc.com. In my DNS, I have a zone called wireless.abc.com, and I have added a "New Host" in that DNS zone with the "name" left blank and providing the IP address of my AD (AD and DNS are on the same Windows installation). Is this the right way to do it?

2) I should be entering "wireless.abc.com" in the ACS Active Directory domain name field and do a test connection, right?

regards

Joe

15 REPLIES

ACS 5.2 windows 2003 AD cannot join

Hi,

Do you have both forward and reverse records configured for ACS?

Thanks,

Tarik Admani
*Please rate helpful posts*


ACS 5.2 windows 2003 AD cannot join

Hi Tarik,

  I didn't configure a reverse lookup zone, only a forward lookup zone. What is that for? When I try to create a new zone under reverse lookup, it's asking for a Network ID. What would that be? Thanks for assisting, I do not know much about Windows server side configs.

regards

Joe

ACS 5.2 windows 2003 AD cannot join

Network ID is the subnet that the reverse records will be entered in. For example, if ACS is 192.168.1.1 then you will create a reverse zone for 192.168.1, so when you create the A record and set the option to create the PTR record it will know where to place it.

Thanks and good luck!

Tarik Admani
*Please rate helpful posts*


ACS 5.2 windows 2003 AD cannot join

Ok, I tried that, but still the same: cannot resolve network address. I guess it's something to do with how I have named things in AD and DNS. As I mentioned, it's resolving properly in the ACS CLI, so I am assuming DNS is working fine even without the reverse records?

regards

Joe

ACS 5.2 windows 2003 AD cannot join

Can you post the results of the cli command and a screenshot of how you are joining to AD?

thanks,

Tarik Admani
*Please rate helpful posts*


ACS 5.2 windows 2003 AD cannot join

acs/admin# nslookup wirelesslab.xxxx.com
Trying "wirelesslab.xxxx.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24468
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;wirelesslab.xxxx.com.                IN      ANY

;; ANSWER SECTION:
wirelesslab.xxxx.com. 600     IN      A       10.10.210.6
wirelesslab.xxxx.com. 3600    IN      NS      LAB-WCS.wirelesslab.xxxx.com.
wirelesslab.xxxx.com. 3600    IN      SOA     LAB-WCS.wirelesslab.xxxx.com. hostmaster.wirelesslab.xxxx.com. 29 900 600 86400 3600

;; ADDITIONAL SECTION:
LAB-WCS.wirelesslab.xxxx.com. 3600 IN A       10.10.210.6

Received 141 bytes from 10.10.210.6#53 in 0 ms
acs/admin#


ACS 5.2 windows 2003 AD cannot join

I did a Wireshark capture of this communication and I see this in the request from ACS under DNS queries in the capture:

_ldap._tcp.wirelesslab.xxxx.com: type SRV, class IN

and the response from DNS server has this :

Flags: 0x8583 (Standard query response, No such name)

ACS 5.2 windows 2003 AD cannot join

So the result of the dns query is not the domain controller correct? Is it just a member server?

Thanks,

Tarik Admani
*Please rate helpful posts*


ACS 5.2 windows 2003 AD cannot join

Nope, it's returning the correct IP address of the domain controller (10.10.210.6).

wirelesslab.xxxx.com. 600     IN      A       10.10.210.6

There is only one server; the domain controller and DNS are on the same server.


ACS 5.2 windows 2003 AD cannot join

The computer name of the domain controller is LAB-WCS.wirelesslab.xxx.com. The domain name is wirelesslab.xxx.com. Should it return the computer name in the DNS response? I tried creating LAB-WCS.wirelesslab.xxx.com as well in DNS, but still the same result.

regards

Joe

Re: ACS 5.2 windows 2003 AD cannot join

Hi,

There seems to be an issue with this DC not registering itself as a DC for some reason; this record is needed and should be updated by all DCs:

http://technet.microsoft.com/en-us/library/cc961719.aspx

The following is a list of the owner names of the SRV records that are registered by Net Logon. An owner name is the name of the DNS node to which the resource record pertains.

_ldap._tcp.DnsDomainName.

Allows a client to locate a server that is running the LDAP service in the domain named by DnsDomainName. The server is not necessarily a domain controller — that is, the only assumption that can be made about the server is that it supports the LDAP application programming interface (API). All Windows 2000 Server–based domain controllers register this SRV record (for example, _ldap._tcp.reskit.com.).

Can you check your AD settings under domains and see if this domain controller appears as a DC for the wireless.xxx.com domain?

Can you run dcdiag on this DC (dcdiag /s:LAB-WCS)?

http://technet.microsoft.com/en-us/library/cc776854%28v=ws.10%29.aspx

Thanks,

Tarik Admani
*Please rate helpful posts*
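Added example, not code from the thread, Cisco or Microsoft: a Python check that decodes the 0x8583 flags word seen in the capture and then runs the lookups the AD join depends on (the domain A record plus the SRV owner names Net Logon registers, starting with _ldap._tcp.<domain>) against an injectable resolver so it runs offline. The domain wirelesslab.example.com, the helper names and the constructed zone table are assumptions; plug a real resolver into `lookup` to use it against a live DC.

```python
from typing import Callable, Dict, List

RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def decode_flags(flags: int) -> dict:
    """Decode the 16-bit DNS header flags word (0x8583 in the Wireshark capture)."""
    return {
        "qr": bool(flags & 0x8000),        # set = this is a response
        "opcode": (flags >> 11) & 0xF,     # 0 = standard query
        "aa": bool(flags & 0x0400),        # authoritative answer
        "tc": bool(flags & 0x0200),        # truncated
        "rd": bool(flags & 0x0100),        # recursion desired
        "ra": bool(flags & 0x0080),        # recursion available
        "rcode": RCODE_NAMES.get(flags & 0xF, str(flags & 0xF)),  # 3 = "No such name"
    }

# SRV owner names Net Logon registers for a DC; ACS queries the first of these.
SRV_TEMPLATES = ("_ldap._tcp.{d}", "_kerberos._tcp.{d}", "_ldap._tcp.dc._msdcs.{d}")

# lookup(name, rtype) -> list of rdata strings; [] means the name does not exist (NXDOMAIN).
Lookup = Callable[[str, str], List[str]]

def dc_locator_check(domain: str, lookup: Lookup) -> List[str]:
    """Return the problems that would stop an AD join; an empty list means the zone looks healthy."""
    problems = []
    if not lookup(domain, "A"):
        problems.append(f"no A record for {domain}")
    for tmpl in SRV_TEMPLATES:
        name = tmpl.format(d=domain)
        records = lookup(name, "SRV")
        if not records:
            problems.append(f"{name}: NXDOMAIN (Net Logon has not registered this SRV record)")
            continue
        for rdata in records:              # SRV rdata: "priority weight port target"
            target = rdata.split()[3]
            if not lookup(target, "A"):
                problems.append(f"{name} -> {target} has no A record")
    return problems

def dict_lookup(zone: Dict[str, List[str]]) -> Lookup:
    """Offline stand-in for DNS: a zone table keyed by 'name/TYPE' (hypothetical helper)."""
    return lambda name, rtype: zone.get(f"{name.rstrip('.').lower()}/{rtype}", [])

# Constructed zone mirroring the thread: the domain A record resolves, but the
# SRV records were never registered, so the join fails although nslookup looks fine.
BROKEN_ZONE = {
    "wirelesslab.example.com/A": ["10.10.210.6"],
    "lab-wcs.wirelesslab.example.com/A": ["10.10.210.6"],
}
```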


ACS 5.2 windows 2003 AD cannot join

Hi,

  Here is the output from dcdiag:

C:\Program Files\Support Tools>dcdiag /s:lab-wcs

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\lab-wcs
      Starting test: Connectivity
         The host a4918344-ca43-4962-bb52-5a9a5c3dbe9b._msdcs.wirelesslab.xxx.com could not be resolved to an
         IP address.  Check the DNS server, DHCP, server name, etc
         Although the Guid DNS name
         (a4918344-ca43-4962-bb52-5a9a5c3dbe9b._msdcs.wirelesslab.xxx.com)
         couldn't be resolved, the server name (lab-wcs.wirelesslab.xxx.com
         resolved to the IP address (172.18.50.21) and was pingable.  Check
         that the IP address is registered correctly with the DNS server.
         ......................... lab-wcs failed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\lab-wcs
      Skipping all tests, because server lab-wcs is
      not responding to directory service requests

   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidati
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom

   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidati
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom

   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidatio
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom

   Running partition tests on : wirelesslab
      Starting test: CrossRefValidation
         ......................... wirelesslab passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... wirelesslab passed test CheckSDRefDom

   Running enterprise tests on : wirelesslab.xxx.com
      Starting test: Intersite
         ......................... wirelesslab.xxx.com passed test Intersit
      Starting test: FsmoCheck
         ......................... wirelesslab.xxx.com passed test FsmoChec

ACS 5.2 windows 2003 AD cannot join

Just to check again, this is a standalone DC in its own domain and forest, correct? If so, can you run dcpromo (Start > Run) and see if it shows up as a domain controller, or run through the steps again?

Thanks,

Tarik Admani
*Please rate helpful posts*


ACS 5.2 windows 2003 AD cannot join

Hi Tarik,

  Thanks for your support. It started working after a stop and start of Netlogon.

regards

Joe

ACS 5.2 windows 2003 AD cannot join

Sounds good, and I am glad you got this working. Thanks for following up!

Tarik Admani
*Please rate helpful posts*
