CiscoACS stops after shutting down Domain Controller.

Posted on 2011-03-09
Last Modified: 2012-05-11
I have a server running CiscoACS 4.2 on Windows 2003. I have 5 domain controllers. I have been working to upgrade our domain functional level and I finally got to the point where I wanted to shut down my last Win2k domain controllers. I have 4 domain controllers at the main site: (2) Win2k8R2 and (2) Win2k. I shut down the 2 Win2k servers today and all of a sudden Cisco ACS stopped working. I use ACS to authenticate using TACACS+ on my Cisco ASA and for my VPN clients to authenticate to the Windows domain. I know my domain is fine; I can log in and authenticate with Windows clients after the 2 Win2k servers are shut down. The really weird thing is that I can authenticate 1 time after the CSAuth service is restarted and then all attempts fail afterwards. I go ahead and turn one of the Win2k DCs back on and authentication works again!

I am not using LDAP within the CiscoACS server. I am using a "Windows database". I'm assuming it's just trying to find "Domain.COM", not just this domain controller by name?

Right now my domain is in Windows 2000 functional level. I was told others have installed this within a domain that is at a Win2k8 functional level, so I'm assuming it's not a Win2k8 ADS issue? Any help would be appreciated!!
Question by:jbla9028
Author Comment

ID: 35087095
Sorry, I forgot to mention that I have a 2nd site with 2 domain controllers there. I actually have (6) domain controllers:
Site A (site where CiscoACS is installed) 4 - (2) Win2k + (2) Win2k8R2
Site B 2 - (2) Win2k3


Expert Comment

ID: 35087779
Were your primary and secondary ACS Remote Agents on those domain controllers? It could be that.

Under Network Configuration -> ACS_AGENTS network device group, make sure you have the new domain controllers listed. Even though you can put more than 2 DCs in, it seems that ACS will only connect to a primary and a secondary. You can set this by going to:

External User Databases -> Database Configuration -> Windows Database -> Configure -> Windows Remote Agent Selection.

BIG WARNING -> This WILL reset your Windows Authentication Settings. When I did it, I basically had to set up ACS/Windows database mappings all over again, so make sure you took screenshots, backups, etc.

Author Comment

ID: 35087804
Under Network Configuration I do not have the option for ACS_AGENTS. I think I might have a version that's incompatible with Windows 2008. I am running Cisco ACS 4.2(0). I found there's a patch for Windows 2008 that I might need. Unfortunately I'm just running the trial software right now and it won't allow me to patch the trial.
Accepted Solution

VespaMaru earned 400 total points
ID: 35087918
I think the Remote Agents are for the ACS Solution Engine and not for ACS for Windows. Sorry about that. Yes, 4.2.1 is the version compatible with Windows 2008 Domain Controllers.

Assisted Solution

by:Craig Beck
Craig Beck earned 100 total points
ID: 35092908
ACS is supported on Windows Server 2008...

I'm pretty sure you'd need to reinstall ACS, especially if you've raised your domain functional level.
Also, turn off IPv6 on your domain controllers.

Author Comment

ID: 35098335
I'm running ACS 4.2(0), not ACS 4.2.1. From this Cisco FAQ, it's not supported on 4.2 without a patch, which I can't install without a license key. Anyone know if there's a trial version of a version higher than 4.2(0)?

Q. Is ACS supported on Windows 2008 server platforms?

A. Yes. ACS is supported on Windows Server 2008, and is available from ACS 4.2 Patch 4 and later. Refer to the Windows and Active Directory 2008 Supported Scenarios section in Release Notes for Cisco Secure ACS 4.2 for more information.


Author Comment

ID: 35314480
Sorry I haven't posted. We purchased ACS and got the 4.2.1 to work without the Win 2000 DC. I'd like to award points for the solution.

Expert Comment

ID: 35314693
If you post a comment, pressing OBJECT instead of SUBMIT, the question will be available again for closing yourself.

Author Comment

ID: 35315992


Author Closing Comment

ID: 35316000
Upgrading to 4.2.1, I was able to get the ACS Server running! Thanks!
