CiscoACS stops after shutting down Domain Controller.

I have a server running CiscoACS 4.2 on windows 2003. I have 5 domain controllers. I have been working to upgrade our domain  functional level and I finally got to the point where I wanted to shutdown my last win2k domain controllers. I have 4 domain controllers at the main site (2) win2k8R2 and (2) Win2k. I shut down the 2 win2k servers today and all of a sudden Cisco ACS stopped working. I use ACS to authenticate using TACACS+ on my Cisco ASA and for my VPN clients to authenticate to the windows domain. I know my domain is fine, I can log in and authenticate with windows clients after the 2 win2k servers are shut down. The really weird thing is that I can authenticate 1 time after the CSAuth service is restarted and then all attempts fail afterwards. I go ahead and turn one of the win2k DCs back on and Authentication works again!

I am not using LDAP within the ciscoACS server. I am using a "windows database" I'm assuming it's just trying to find "Domain.COM" not just this domain controller by name?

right now my domain is in windows 2000 functional level. I was told others have installed this within a domain that is a win2k8 functional-level so I'm assuming it's not a win2k8 ADS issue? any help would be appreciated!!
LVL 1
jbla9028Asked:
Who is Participating?
 
VespaMaruConnect With a Mentor Commented:
I think the Remote Agents are for the ACS Solution Engine and not for ACS for Windows.  Sorry about that.  Yes, 4.2.1 Is the version compatible with Windows 2008 Domain Controllers.
0
 
jbla9028Author Commented:
Sorry I forgot to mention that I have a 2nd site with 2 domain controllers there. I actually have (6) domain controllers
Site A (site where CiscoACS is installed) 4 - (2) win2k + 2 (win2k8R2)
Site B 2 - (2) Win2k3

0
 
VespaMaruCommented:
Were your primary and secondary ACS Remote Agents on those domain controllers? It could be that.

Under Network Configuration -> ACS_AGENTS network device group make sure you have the new domain controllers listed.  Even though you can put more than 2 DCc in, it seems that ACS will only connect to a primary and a secondary.  You can set this by going to:

External User Databases -> Database Configuration -> Windows Database -> Configure -> Windows Remote Agent Selection.

BIG WARNING -> This WILL reset your Windows Authentication Settings.  When I did it, I basically had to set up ACS/Windows database mappings all over again, so make sure you took screen shots, backups etc.
0
Will You Be GDPR Compliant by 5/28/2018?

GDPR? That's a regulation for the European Union. But, if you collect data from customers or employees within the EU, then you need to know about GDPR and make sure your organization is compliant by May 2018. Check out our preparation checklist to make sure you're on track today!

 
jbla9028Author Commented:
Under network configuration I do not have the option for ACS_AGENTS. I think I might have a version that's incompatible with windows 2008. I am running Cisco ACS 4.2(0) I found there's a patch for windows 2008 that I migth need. Unfortunately I'm just running the trial software right now and it won't allow me to patch the trial.
0
 
Craig BeckConnect With a Mentor Commented:
ACS is supported on Windows Server 2008...

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2.1/Release_Notes/acs421_rn.html

I'm pretty sure you'd need to reinstall ACS, especially if you've raised your domain functional level.
Also, turn off IPv6 on your domain controllers.
0
 
jbla9028Author Commented:
I'm running ACS 4.2(0) not ACS 4.2.1. From this Cisco FAQ it's not supported on 4.2 without a patch which I can't install without a license key. Anyone know if there's a trial version of a version higher than 4.2(0) ?



http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_qanda_item09186a0080094bac.shtml

Q. Is ACS supported on Windows 2008 server platforms?

A. Yes. ACS is supported on Windows Server 2008, and is available from ACS 4.2 Patch 4 and later. Refer to the Windows and Active Directory 2008 Supported Scenarios section in Release Notes for Cisco Secure ACS 4.2 for more information.


0
 
jbla9028Author Commented:
sorry I haven't posted. We purchased ACS and got the 4.2.1 to work without the win 2000 DC. I'd like to award points for the solution
0
 
QlemoBatchelor and DeveloperCommented:
If you post a comment, pressing OBJECT instead of SUBMIT, the question will be available again for closing yourself.
0
 
jbla9028Author Commented:

Open in new window

0
 
jbla9028Author Commented:
Upgrading to 4.2.1 I was able to get the ACS Server running! thanks!
0
All Courses

From novice to tech pro — start learning today.