Windows Server 2025 Domain Join

Server 2025 Domain Join KB ID 0001883

Problem

To perform a Windows Server 2025 Domain Join (Local Domain). The end process is the same as it’s always been, they’ve just made the job of getting there a little more convoluted (this is the same with Windows 11).

Solution: Windows Server 2025 Domain Join

Before attempting to join the domain, let’s make sure we can ‘resolve’ the domain name, (because most domain join problems are DNS related). Whilst logged in as a (local) administrative user, click the Windows button > Windows PowerShell.

Ensure you can ‘ping’ the domain name (see below). Here I also verify that the IP address that responds is my domain controller (Note: this will only work if your DNS has a correctly set up reverse lookup zone!)

Click the Windows button > System.

System > About.

Advanced System Settings.


Computer Name.

Change.

Select ‘Domain’ and enter the domain name > OK > enter credentials that have the rights to join a machine to the domain* > OK

*Note: All domain users have the right to join 10 machines to the domain.

OK > OK.

OK > Restart Now > The server will reboot.

Ensure you don’t mistakenly log on as the local administrator: choose Other User, and remember that if you are logging on as the domain administrator you use DOMAIN\Administrator, or administrator@domain-name.domain-extension.

Solution: PowerShell Windows Server 2025 Domain Join

Windows button > Open an administrative PowerShell window.

As above, before attempting to join the domain, let’s make sure we can ‘resolve’ the domain name, (because most domain join problems are DNS related).

Use the following syntax.
[box]

Add-Computer -DomainName {your-domain-name}

[/box]

When prompted, provide credentials that have the rights to add a computer object to the domain.

When successfully joined, you will be asked to reboot.

[box]

Restart-Computer

[/box]

Ensure you don’t mistakenly log on as the local administrator: choose Other User, and remember that if you are logging on as the domain administrator you use DOMAIN\Administrator, or administrator@domain-name.domain-extension.
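As an added example (my own PowerShell, not the article’s), the script below does the DNS pre-checks the article recommends and then runs the same Add-Computer join. Function names and the parameters are mine; the cmdlets used (Resolve-DnsName, Get-DnsClientServerAddress, Test-NetConnection, Add-Computer, Restart-Computer) are the standard Windows PowerShell ones and must be run from an administrative window.

```powershell
function Test-DomainJoinPrerequisites {
    # Returns $true only if the domain resolves, the AD SRV records exist and a DC is reachable.
    param([Parameter(Mandatory)][string]$DomainName)
    $ok = $true

    # 1. Which DNS servers is this box using? They must be able to answer for the AD zone.
    $dns = Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses } |
        Select-Object -ExpandProperty ServerAddresses
    Write-Host "DNS servers in use: $($dns -join ', ')"

    # 2. The bare domain name must resolve (this is what 'ping domain.com' proves).
    try {
        $a = Resolve-DnsName -Name $DomainName -Type A -ErrorAction Stop
        Write-Host "$DomainName resolves to: $($a.IPAddress -join ', ')"
    } catch {
        Write-Warning "Cannot resolve $DomainName - the client is not using a DNS server that hosts the AD zone."
        $ok = $false
    }

    # 3. A join needs the LDAP/Kerberos SRV records, not just an A record.
    $ldapSrv = "_ldap._tcp.dc._msdcs.$DomainName"
    $dcHost  = $null
    foreach ($srv in $ldapSrv, "_kerberos._tcp.$DomainName") {
        try {
            $r = @(Resolve-DnsName -Name $srv -Type SRV -ErrorAction Stop | Where-Object { $_.Type -eq 'SRV' })
            Write-Host "$srv -> $($r.NameTarget -join ', ')"
            if ($srv -eq $ldapSrv -and $r.Count -gt 0) { $dcHost = $r[0].NameTarget }
        } catch {
            Write-Warning "SRV record $srv not found - wrong DNS server, or the zone is broken."
            $ok = $false
        }
    }

    # 4. Can we reach that DC on the ports a join uses (Kerberos 88, LDAP 389, SMB 445)?
    if ($dcHost) {
        foreach ($port in 88, 389, 445) {
            $t = Test-NetConnection -ComputerName $dcHost -Port $port -WarningAction SilentlyContinue
            if (-not $t.TcpTestSucceeded) {
                Write-Warning "$dcHost port $port is blocked - the join will fail or hang."
                $ok = $false
            }
        }
    }
    return $ok
}

function Join-DomainChecked {
    param(
        [Parameter(Mandatory)][string]$DomainName,
        [string]$NewName,   # optional: rename the server in the same step
        [string]$OUPath     # optional: target OU, e.g. 'OU=Servers,DC=domaina,DC=com'
    )
    if (-not (Test-DomainJoinPrerequisites -DomainName $DomainName)) {
        throw "Prerequisite checks failed - fix DNS/connectivity before joining."
    }
    # Prompt for an account that has the right to create the computer object.
    $cred   = Get-Credential -Message "Account with rights to join $DomainName"
    $params = @{ DomainName = $DomainName; Credential = $cred; Force = $true }
    if ($NewName) { $params.NewName = $NewName }
    if ($OUPath)  { $params.OUPath  = $OUPath }
    Add-Computer @params
    # As in the article, the join only completes after a reboot.
    Restart-Computer -Force
}

# Usage (replace with your own domain name, e.g. the domaina.com used later on this page):
# Join-DomainChecked -DomainName 'domaina.com'
```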

Leave a Windows Domain Using PowerShell

Firstly I’m making sure I am correctly domain joined by using the following command.

[box]

Get-WmiObject win32_computerSystem | Select-Object -ExpandProperty domain

[/box]

Then to ‘leave’ the domain use the following command.

[box]

Remove-Computer

[/box]

When prompted, reply Y for yes, then to complete the process reboot the server with the following command.

[box]

Restart-Computer

[/box]

Leave a Windows Domain Using GUI

To do the same graphically, it’s just the reverse of a domain join: use the instructions above to get to the following dialog, then select Workgroup and enter the workgroup name.

OK > OK.

Close > Restart Now.

Related Articles, References, Credits, or External Links

How to Join a Windows Domain

Windows: Join Azure AD (AAD)

Windows Server 2022 Domain Join

How to Join Windows 11 to a Domain

Domain Join SID Error

KB ID 0001732

Problem

Thankfully I don’t see a SID error very often these days;

The following error occurred when attempting to join the domain ‘{domain-name}’

The domain join cannot be completed because the SID of the domain you attempted to join was identical to the SID of this machine. This is a symptom of an improperly cloned operating system install. You should run Sysprep on this machine in order to generate a new machine SID.

Resolve SID Errors (Joining Domains)

In my case it was a server I was deploying into EVE-NG and I hadn’t run Sysprep on the image, (typically I only need one Windows server in my EVE-NG labs, but this time I needed another), so when I added a second and tried to add it to a domain, this happened. I should know better really!

If you have ever deployed or imaged Windows you can probably guess what the fix is, ‘Run Sysprep‘.

Note: I will probably get emails saying ‘Why not just run NewSID?’, well because it’s not officially supported any more, and sysprep is.

Navigate to C:\Windows\System32\Sysprep and run sysprep.exe > Tick the ‘Generalize’ option > Set the Shutdown option to ‘Reboot’ > OK.

Go and have a coffee; when the server reboots, run through the OOBE setup, and try to join the domain again.

Related Articles, References, Credits, or External Links

NA

You Have Exceeded the Maximum Number of Computer Accounts

KB ID 0001536

Problem

A few weeks ago, this was asked in a forum, and while I knew what the problem was, I’d never seen it myself. So I recreated the problem on the test network to look at why it happened, and how to fix / get around the problem.

The following error occurred attempting to join the domain {domain-name}

Your computer could not be joined to the domain. You have
exceeded the maximum number of computer accounts you are
allowed to create in this domain. Contact your system
administrator to have this limit reset or increased.

To be honest there’s no way I can think of to reset that limit, (short of deleting and recreating your domain user account!) So what’s going on? Well every authenticated domain user has the RIGHT to join a computer to the domain, and the amount of computers they can join is limited to 10 (ten).

Exceptions / Users Not Affected

Members of the Domain Admins group, and users that have been delegated the right to create computer objects, are exempt from this limit.

Solution Option 1 – Use an Administrative Account

Pretty straightforward: the easiest way to avoid this is to add computers to the domain using an account that’s a member of the Domain Admins group.

Solution Option 2 – Raise The Limit From 10

This limit is set at a Domain level, i.e. it’s not set on a particular user, so you have to raise the limit for ALL Users. To do this log onto a domain controller and launch Adsiedit.msc > Connect To > Default Naming Context > OK.

Select CN={Your Domain} > Properties > Locate ms-DS-MachineAccountQuota > Edit > Change the value from 10 to something greater.

Solution Option 3 – Delegate Create Computer Object Right

Locate the OU (or container) that your new computer objects get added to, (I say container because ‘Computers’ is NOT an OU) > Right Click > Delegate Control > Next > Add your domain user > Next > Create a custom task > Next.

Only the following object in the folder > Tick: Computer Objects > Tick: Create selected object in this folder > Next > Tick: Property specific > Tick: Read All Properties > Next > Finish

Solution Option 4 – Pre-Stage Computer Objects in Active Directory

Not very scalable, but you can pre-create the computer object before the computer is joined to the domain (providing you know its computer name / host name). This can be done in Active Directory Users and Computers.

Then you can simply join the computer to the domain.

How Does This Work

When a computer is joined to a domain a few things happen: the account you are using is checked, and if it’s a normal user (i.e. not delegated, and not a domain admin), then the SID (Security Identifier) of that user is stamped on the COMPUTER object in a value called ms-DS-CreatorSID.

What does NOT happen: there is NO value on the USER object that increments by one for each machine joined to the domain; the ONLY reference is on the COMPUTER object. Yes this seems inefficient, but there we go, that’s how it works.

If the user has delegated rights to create computer objects, or is a member of Domain Admins, then ms-DS-CreatorSID is left empty (if you query it using PowerShell or programmatically it will return ‘null’).

Finding Out Who Joined a Computer to The Domain

Because this is stamped on the computer, and not the user, finding out how many computers a particular user (or users) have added is not straightforward! If it’s something that’s happened recently you can look on your domain controllers in the Security log for Event 4741.

Or if you need to do something complicated, then scripting is your friend!

Getting a List of Computers Joined to a Domain (By User)

Use the following PowerShell, (this is one command if it gets wrapped after you copy/paste it).

[box]

Get-ADComputer -Filter * -Properties ms-DS-CreatorSID | Where-Object -FilterScript { $_."ms-DS-CreatorSID" -ne $Null } | Format-Table -AutoSize -Property Name,@{Label='User';Expression={(New-Object System.Security.Principal.SecurityIdentifier($_."mS-DS-CreatorSID".Value)).Translate([System.Security.Principal.NTAccount]).Value}}

[/box]

Like so;
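As an added example (my own PowerShell, not the article’s command), the script below turns the one-liner above into a quota audit: it reads ms-DS-MachineAccountQuota from the domain head, counts joins per user from ms-DS-CreatorSID, pulls recent Event 4741 entries from a DC, and gives the PowerShell equivalent of the ADSI Edit change in Solution Option 2. It assumes the RSAT ActiveDirectory module and an account that can read AD and the DC’s Security log; the function names are mine.

```powershell
Import-Module ActiveDirectory

function Get-MachineAccountQuota {
    # The quota lives on the domain head object, exactly where ADSI Edit shows it.
    $domain = Get-ADDomain
    (Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
}

function Get-ComputerJoinsByUser {
    # Only computers created by a quota-limited user carry ms-DS-CreatorSID;
    # domain admins and delegated users leave it null, so they never appear here.
    $computers = Get-ADComputer -Filter * -Properties 'ms-DS-CreatorSID' |
        Where-Object { $_.'ms-DS-CreatorSID' -ne $null }

    # The attribute normally comes back as a SecurityIdentifier; handle raw bytes too.
    $sidOf = {
        $raw = $_.'ms-DS-CreatorSID'
        if ($raw -is [byte[]]) { (New-Object System.Security.Principal.SecurityIdentifier($raw, 0)).Value }
        else { $raw.Value }
    }

    $computers | Group-Object $sidOf | ForEach-Object {
        $sid = New-Object System.Security.Principal.SecurityIdentifier $_.Name
        try   { $user = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $user = "$($_.Name) (deleted or foreign account)" }   # SID no longer resolves
        [pscustomobject]@{
            User      = $user
            Joined    = $_.Count
            Computers = ($_.Group.Name | Sort-Object) -join ', '
        }
    } | Sort-Object Joined -Descending
}

function Show-QuotaReport {
    $quota = Get-MachineAccountQuota
    Write-Host "ms-DS-MachineAccountQuota for this domain: $quota"
    Get-ComputerJoinsByUser | ForEach-Object {
        $flag = if ($_.Joined -ge $quota) { ' <-- at/over quota' } else { '' }
        '{0,-30} {1,3}  {2}{3}' -f $_.User, $_.Joined, $_.Computers, $flag
    }
}

function Get-RecentComputerJoins {
    # Event 4741 (computer account created) in a DC's Security log: the article's
    # quick check for recent joins. Run on a DC, or point -DomainController at one.
    param([string]$DomainController = $env:COMPUTERNAME, [int]$Days = 7)
    Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
        LogName = 'Security'; Id = 4741; StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        [pscustomobject]@{
            Time     = $_.TimeCreated
            Computer = $d['TargetUserName']       # the new computer account (ends in $)
            Creator  = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
        }
    }
}

function Set-MachineAccountQuota {
    # PowerShell equivalent of Solution Option 2 (ADSI Edit). Note that a value of 0
    # stops ordinary users creating computer objects at all, which is the safer
    # setting if only admins or delegated accounts should ever join machines.
    param([Parameter(Mandatory)][int]$Quota)
    $domain = Get-ADDomain
    Set-ADObject -Identity $domain.DistinguishedName -Replace @{ 'ms-DS-MachineAccountQuota' = $Quota }
}

Show-QuotaReport
Get-RecentComputerJoins -Days 30 | Format-Table -AutoSize
# Set-MachineAccountQuota -Quota 20
```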

Related Articles, References, Credits, or External Links

NA

vSphere: Setup Domain Authentication via PSC

KB ID 0001442

Problem

If you separate your PSC (Platform Services Controller) and your vCenter, then you can setup domain authentication on your PSC.

Solution

Log into the web console of the PSC > Appliance Settings > Manage > Active Directory > Join > Supply the domain name, a domain username and password > OK.

You will see it has been successful as now you have a ‘Leave’ button.

Configuration > Identity Sources > Add.

Set Identity source type to ‘Active Directory (Integrated Windows Authentication)’ > Enter the domain name > ‘use machine account’ > OK.

Select the newly added domain > Click ‘Set as Default Domain’.

Users and Groups > Groups > Administrators > Add.

Change the domain to your Windows domain > Search for your group (Note: I have created a group called VMware_Admins; you might simply want to use Domain Admins) > OK.

Select the group > Add.

Swap Over To Your vCenter Server

Select the vCenter > Permissions > Select the Administrator Role > Add.

Just as above, change domain and search for your group then add it in.

Related Articles, References, Credits, or External Links

NA

Ubuntu – Joining / Logging into Windows Domains

KB ID 0000384

Problem

You have a Linux client machine, and you want to authenticate to, and log into a Windows domain. I don’t have too much history with Linux, but from what I’ve read this used to be a nightmare. Using Ubuntu (10.10) I did have a couple of hiccups, but I did get there in the end.

Note: The domain controller is a Windows 2008 R2 Server.

Solution

Notes

1. The commands needed to install the “likewise-open5” package and join the domain (assuming the FQDN of the domain is domaina.com and the user name you are using to join the domain is administrator).

[box]

sudo apt-get install likewise-open5
sudo domainjoin-cli join domaina.com administrator
sudo reboot

[/box]

2. Then to allow users to log on from the Ubuntu welcome screen,

[box]sudo nano /etc/samba/lwiauthd.conf[/box]

3. Add the following line (the file will probably be empty); to save press CTRL+X, then Y, then {enter}.

[box]winbind use default domain = yes[/box]

4. Then reboot.

[box]sudo reboot[/box]

5. To allow sudo for the domain user(s),

[box]sudo nano /etc/sudoers[/box]

Locate the line that reads “#Members of the Admin group may gain root privileges and do the following:”. Below that, type the following (assuming the domain name is domaina and the user is a member of the domain admins group; domain^users also works).

[box]%domaina\domain^admins ALL=(ALL) ALL[/box]

Problem 1

Error: Lsass Error [code 0x00080047]

9502 (0x251E) DNS_ERROR_BAD_PACKET – A bad packet was received from a DNS server. Potentially the requested address does not exist.


This plagued me for a while. I tried everything I read online: making sure that my time was correct (it wasn’t, see below), making sure firewalls were off (they were), making sure your DNS has a reverse lookup zone (mine has), and finally making sure there are no existing DNS records for the IP address you are connecting with (mine did, so I deleted them). None of these fixed the problem; the fix is annoyingly simple.

FIX

Firstly make sure that the Ubuntu client is looking at your domain DNS server for its DNS; the following command will tell you,

[box]cat /etc/resolv.conf[/box]

Then get the domain syntax right; in my case only the lower-case FQDN of the domain worked.

[box]

[WORKS] sudo domainjoin-cli join domaina.com administrator

[WONT WORK] sudo domainjoin-cli join DOMAINA.COM administrator
[WONT WORK] sudo domainjoin-cli join domaina administrator
[WONT WORK] sudo domainjoin-cli join DOMAINA administrator

[/box]

And then it connected faultlessly.

Problem 2

Error: Lsass Error [code 0x00080047]

5 (0x5) ERROR_ACCESS_DENIED – Access is denied.

This turned out to be a variation on the problem above. If you put in the domain name in UPPER CASE you will see this error.

[box]

[WORKS] sudo domainjoin-cli join domaina.com administrator

[WONT WORK] sudo domainjoin-cli join DOMAINA.COM administrator

[/box]

If you would like to add your domain user(s) to the welcome screen click here.

Update 04/01/12

Attention:  PeteNetLive – Suggestion 

Message: Hi,

Thanks very much for your YouTube and description of joining Ubuntu to a domain.  There was however one step extra that I needed to do to enable the logon screen to show users other than the local user and the guest account.  To do this I had to add the following line to /etc/lightdm/lightdm.conf

greeter-show-manual-login=true

I was joining Ubuntu 12.10 to the domain so maybe it is specific to 12.10 since you didn’t experience it but it would be good to add it to your article along with the other fixes to issues.

Thanks again.

From: Roland Elferink

Related Articles, References, Credits, or External Links

Thanks to Roland Elferink for the update.

Original Article written 27/01/11

How to Join a Windows Domain

KB ID 000085

Problem

For Windows 11 See: How to Join Windows 11 to a Domain

This process was done with Windows 10, but the procedure is the same going all the way back to Windows 2000.

Solution

Note: The main reason this procedure fails is that the client you are attempting to perform the join from cannot resolve the domain name of your domain! Make sure it has one of your domain’s DNS servers listed in the properties of its network connection (or at least a method of resolving the name).

Problems Joining a Domain

1. Press Windows Key+E > Right Click ‘This PC’ > Properties.


2. Change Settings.


3. Computer Name Tab > Change.

4. Enter the domain name > OK.

5. Enter domain credentials, Note: A domain user has the right to join machines to a domain.

6. You should be welcomed to the new domain > OK.

7. You will need to reboot the machine to complete the process > OK > OK.

8. OK > Restart Now.

Join a Windows Domain with PowerShell

From an administrative PowerShell Window, use the following commands;

[box]

Add-Computer -DomainName Your-Domain-Name
Restart-Computer

[/box]

Related Articles, References, Credits, or External Links

Windows: Join Azure AD (AAD)

WDS – Unattended file – Joining a Domain Automatically

KB ID 0000494 

Problem

During a large rollout the more things you can automate the better. Before you continue though, be aware of one thing…

You can only automatically join a client to a domain if it has an auto generated random machine name!*

*Note: This is not 100% true. If you pre-stage the computer objects into Active Directory with the GUID of the machine (you can see this on screen at PXE boot time, or get it from the BIOS) then you can auto join the machines and they will come in with the correct name. However, if you have a large number of machines to build, this is more time consuming than simply renaming them after they have been imaged.

Solution

Before you begin make sure you are clued up on working with WDS unattended files, run through my instructions here.

The following procedure needs to be added to the image’s unattended file, NOT the WDS unattended file (again, run through KB0000180 if you are unsure).

1. While editing your unattended answer file you need to locate “Microsoft-Windows-Shell-Setup_neutral”, add it to pass 4 (Specialize) and set the ComputerName entry to * (an asterisk).

Note: In this section you can also enter the Windows product key and owner details, as well as your time zone.

2. Then locate “Microsoft-Windows-UnattendedJoin” and add it to pass 4 (Specialize). Set the JoinDomain entry to the name of your domain. Set UnsecureJoin to “true”.

3. This procedure will add the following to your unattended file.


Related Articles, References, Credits, or External Links

Windows Deployment Services (On Server 2008 R2) Deploying Windows 7

Windows Deployment Services (Server 2003) Deploying Windows XP


WDS Deploying Windows Part 3: Carry Out an Unattended Deployment

KB ID 0000738

Problem

In part two we built our reference machine and took an image of it using WDS. Now, to automate the deployments, we need to create some unattended answer files; these will answer all the questions that the Windows 8 machines ask while they are building. We will take those files and import them into the WDS server we configured in part one. Finally, to make sure everything is working, we will deploy Windows 8.

Solution

Download and Install the Windows Assessment and Deployment Kit for Windows 8

1. We used to have the WAIK for Windows 7, now this has been replaced with the ADK. (download link).

2. It’s a MASSIVE download, it will take a long time.

Create a WDS Distribution Share

1. On a drive that has some room (approx. 5GB should be fine) create a folder.

2. Launch the System Image Manager.

3. In the top left section > Right click ‘Select a Distribution Share’ > Select ‘Create Distribution Share..’

4. Navigate to the folder you created earlier.

5. Now you don’t need to do this next part, but I copy the full contents of the Windows 8 DVD into this folder as well.

6. Like so.

7. Then in the bottom left section > Right click > ‘Select Windows Image..’.

8. Navigate to the Windows 8 Media > Sources Directory > Select ‘install.wim’.

Note: The install.wim MUST match the version you are going to deploy, it’s no good pointing to a Windows 8 Pro image if you are going to deploy Windows 8 Enterprise.

9. Select the version you are going to deploy > OK.

10. This is normal, select yes to create a catalog file. It will take a while, it has to mount the image, interrogate it and create all the components. Now would be a good time to put the kettle on.

Create the Unattended file for WDS (WDSUnattended.xml)

This unattended file will be just for the WDS settings; it will not be applied to the image you are going to deploy. It sets the keyboard and language settings for WDS to use, then it gives the credentials to connect to WDS, and wipes all the partitions from the target machine’s hard drive. It then repartitions it ready for deployment.

WARNING: As reiterated below, the disk configuration settings below will wipe the target machine’s drive of ALL partitions, even manufacturers’ rescue partitions. If you are imaging machines anyway this should not be a problem, but don’t email me to complain if you lose the recovery files for a laptop/PC while you were practicing!

1. Create a new answer file.

2. The components may not start with amd64 (if you are deploying x86 images) and some of the numbers might be different on yours, but the main titles of the components will be the same. Locate Microsoft-Windows-International-Core-WinPE.

3. Add it to Pass 1. If you are unfamiliar with SIM, you add a component (or a sub component) to one of the ‘Passes’ in the center, then you can select that component (or sub component) and set the values for its settings in the top right hand section. The SIM builds an XML file in the background which will become the unattended answer file.

4. You will now see this component under pass 1, select it and set the following settings. (These are for my local English Great Britain settings, you may need to change your settings according to your locale).

InputLocale = en-GB
SystemLocale = en-GB
UILanguage = en-GB
UILanguageFallback = en-GB
UserLocale = en-GB

5. Select the SetupUILanguage sub component.

UILanguage = en-GB

Wiping the Target’s Hard Drive and Partitions with WDS

6. Locate the Microsoft-Windows-Setup component > Disk Configuration sub component.

7. Add to Pass 1.

8. Right click > Insert New Disk.

9. Expand > Disk > Create Partitions > Right click > ‘Insert New CreatePartition’.

10. Select the DISK.

DiskID = 0
WillWipeDisk = true

11. Select the Partition.

Extend = true
Order = 1
Type = Primary

12. Right click ModifyPartition > Insert New ModifyPartition.

13. With the new ModifyPartition selected.

Action = AddListItem
Active = true
Extend = false
Format = NTFS
Label = SYSTEM
Letter = C
Order = 1
PartitionID = 1

Select Partition to install Image to

1. Locate the WindowsDeploymentService sub component, (also in Microsoft-Windows-Setup).

2. Add to Pass 1.

3. Expand Image Selection > Install To.

DiskID = 0
PartitionID = 1

4. Expand Login > Credentials.

Domain = {Your domain name, i.e. petenetlive.com would be PETENETLIVE}
Password = {Of a user with administrative rights – IT WILL GET OBFUSCATED*}
Username = {Of a user with administrative rights}

*I used to say ‘encrypted’, but that’s NOT the case; they are simply Base64 encoded.

Attach the Answerfile to the WDS Server

1. Save the file you have just created.

2. Place it in your Remoteinstall folder in the WdsClientUnattend sub folder.

3. Launch the Windows Deployment Services management console > Expand Servers > Right click your server > Properties.

4. Client tab > Tick to enable unattended installation > I’m deploying x64 images, so next to that option > Browse.

5. Navigate to and select the file you have just created > Open > Apply > OK.

Create the Unattended file for Your Image (OOBEUnattend.xml)

1. Create a new answer file.

2. Locate the Microsoft-Windows-Shell-Setup component.

3. Add to Pass 4.

4. With the component selected.

ComputerName = *
CopyProfile = true (unless you don’t want to copy the profiles from your source image)
ProductKey = Your 25 character Windows 8 unlock code (Note: only put in a code if you are deploying with MAK keys or Retail keys; if you are planning on using KMS leave this option blank)
RegisteredOrganization = Your business name
RegisteredOwner = Your owner’s name
ShowWindowsLive = false {now deprecated for Windows 8}
TimeZone = GMT Standard Time (Note: for other time zones see here)

Automatically Join the Domain

1. Locate the Microsoft-Windows-UnattendedJoin component

2. Add to Pass 4.

3. With Identification selected.

JoinDomain = {Your domain name, i.e. petenetlive.com would be PETENETLIVE}
UnsecureJoin = true

Set the Image Language and Keyboard Settings

4. Locate the Microsoft-Windows-International-Core component.

5. Add to Pass 7.

6. With the component selected.

InputLocale = en-GB
SystemLocale = en-GB
UILanguage = en-GB
UILanguageFallback = en-GB
UserLocale = en-GB

7. Locate the Microsoft-Windows-Shell-Setup component > OOBE sub component

8. Add to Pass 7.

9. With the OOBE sub component selected.

HideEULAPage = true
HideLocalAccountScreen = true
HideOnlineAccountScreen = true
HideWirelessSetupInOOBE = true
NetworkLocation = Work {sets the firewall settings}
ProtectYourPC = 1

Set the Local Administrator Password and Add a Local Administrator

Note: The local admin account is disabled by default, so here I’m setting the local admin’s password, and then creating a new local admin user called Sysadmin.

1. Locate the Microsoft-Windows-Shell-Setup component > UserAccounts sub component

2. Add to Pass 7.

3. With AdministratorPassword selected, set the password value.

4. Right click LocalAccounts > Insert New LocalAccount.

5. With LocalAccount selected.

Action = AddListItem
Description = Sysadmin
DisplayName = Sysadmin
Group = Administrators
Name = Sysadmin

6. Then set the password value.

7. Save the answer file.

8. Save the file as OOBEUnattend.xml
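As an added example (my own PowerShell, not the article’s), the script below sanity-checks an answer file before you attach it in WDS: it verifies the settings the unattended-join articles on this page set by hand (ComputerName = *, Microsoft-Windows-UnattendedJoin in the specialize pass, UnsecureJoin = true) and flags any Password element, since those values are only Base64 encoded. The function name and the sample XML are mine; the sample is shaped like what SIM writes for those steps, not copied from the page.

```powershell
function Test-UnattendJoinSettings {
    # Returns a list of findings; an empty list means the file matches the article's settings.
    param([Parameter(Mandatory)][xml]$Unattend)

    $ns = New-Object System.Xml.XmlNamespaceManager($Unattend.NameTable)
    $ns.AddNamespace('u', 'urn:schemas-microsoft-com:unattend')
    $findings = @()
    $spec = "/u:unattend/u:settings[@pass='specialize']"

    # 1. Auto-join only works with an auto-generated name (ComputerName = *).
    $name = $Unattend.SelectSingleNode("$spec/u:component[@name='Microsoft-Windows-Shell-Setup']/u:ComputerName", $ns)
    if (-not $name) {
        $findings += 'ComputerName missing from Microsoft-Windows-Shell-Setup (specialize pass).'
    } elseif ($name.InnerText -ne '*') {
        $findings += "ComputerName is '$($name.InnerText)'; the join will fail unless that object is pre-staged."
    }

    # 2. The join component must be in pass 4 (specialize), not oobeSystem.
    $join = $Unattend.SelectSingleNode("$spec/u:component[@name='Microsoft-Windows-UnattendedJoin']/u:Identification", $ns)
    if (-not $join) {
        $findings += 'Microsoft-Windows-UnattendedJoin/Identification not found in the specialize pass.'
    } else {
        if (-not $join.JoinDomain) { $findings += 'JoinDomain is empty.' }
        if ($join.UnsecureJoin -ne 'true') {
            $findings += "UnsecureJoin is '$($join.UnsecureJoin)'; without it the join needs Credentials stored in the file."
        }
    }

    # 3. Any <Password> in the file is readable by anyone who can read the RemoteInstall share.
    $pw = $Unattend.SelectNodes('//u:Password', $ns)
    if ($pw.Count -gt 0) {
        $findings += "$($pw.Count) Password element(s) present: values are Base64 encoded, not encrypted. Restrict share/NTFS permissions on RemoteInstall."
    }
    return $findings
}

# Constructed sample answer file (mine, not the page's) covering the two specialize components.
$sampleXml = @'
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="specialize">
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64"
               publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
      <ComputerName>*</ComputerName>
      <TimeZone>GMT Standard Time</TimeZone>
    </component>
    <component name="Microsoft-Windows-UnattendedJoin" processorArchitecture="amd64"
               publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
      <Identification>
        <JoinDomain>PETENETLIVE</JoinDomain>
        <UnsecureJoin>true</UnsecureJoin>
      </Identification>
    </component>
  </settings>
</unattend>
'@

$result = Test-UnattendJoinSettings -Unattend ([xml]$sampleXml)
if (@($result).Count -eq 0) { 'Answer file looks good for an automatic domain join.' } else { $result }

# To check a real file: Test-UnattendJoinSettings -Unattend ([xml](Get-Content .\OOBEUnattend.xml -Raw))
```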

Attach the Answer file to the Windows 8 Image

1. Launch the Windows Deployment Services Management console.

2. Locate the Windows 8 Image you are attaching the answer file to > Right click > Properties.

3. Tick the option ‘Allow image to install in unattended mode’ > Select File > Browse.

4. Select the OOBEUnattend.xml file you created earlier.

5. Note: It makes a copy of the file and stores it elsewhere calling it ImageUnattend.xml (watch out for this if you need to edit the answer file and nothing changes!)

Deploy Your Windows 8 Image.

1. Boot your target machine to the network via PXE > Press F12 to boot from the WDS server.

2. Install an Image.

3. Select the image you want to deploy.

4. After the install, the machine should reboot and present you with a domain logon.

5. And your programs and settings will be pre-configured.

Related Articles, References, Credits, or External Links

2012 – WDS Deploying Windows 8 Part 2: Prepare Windows 8, and Capture to WDS

How to Join Windows to a Domain

KB ID 0000661 

Problem

If you are struggling with the new Windows UI, then routine tasks like joining a domain can be hard to locate.

Solution

Before you start, I’m assuming there are no problems with your domain and the Windows 8 client can resolve the domain name with DNS.

1. Press Windows Key+X to bring up the advanced context menu > Control Panel > System and Security.

Technical Ninja Tip: You can launch the run command (Windows Key+R) and run the sysdm.cpl shortcut, then jump straight to step 3.

2. System.

3. In the ‘Computer name and workgroup settings’ section > Change Settings > Computer name tab > Change > Select domain and type in the domain name > OK.

4. Provide domain credentials that have the rights to join the domain > OK. (You can also change the computer name on this tab).

Note: A domain user has the right to join ten machines to a domain, but most people use an administrative account.

5. Providing Windows 8 can resolve the domain name, and the credentials you supplied are correct it should join the domain successfully > OK > OK > Reboot the machine.

Related Articles, References, Credits, or External Links

NA

Securing Network Device Access With Cisco ACS (and Active Directory)

KB ID 0000942

Problem

For network identification I have tended to use RADIUS (in a Windows NPS or IAS flavour), in the past. I turned my back on Cisco TACACS+ back in my ‘Studying for CCNA’ days, because back then it was clunky and awful. I have a client that will be installing ACS in the near future, so I thought I would take a look at it again, and was surprised at how much more polished it is. As Cisco plans to roll ACS into Cisco ISE in the future, I’m not sure if it will remain as a separate product. So we may find people using version 5 for a long time yet.

Solution

I’m deploying ACS version 5.5 as a virtual appliance, remember to give it at least 60GB of hard drive or the install will fail. If you are installing on VMware workstation, choose the ‘I will install the operating system later’ option and manually present the CD image or it will also fail.

When you have run through the initial setup on the appliance it will set;

  • Hostname.
  • IP Address.
  • Subnet Mask.
  • Default Gateway.
  • DNS Domain Name.
  • DNS IP Address.
  • Secondary DNS (if required).
  • NTP Server IP address. (Ensure UDP port 123 is open or this will fail).
  • Secondary NTP (if required).
  • Timezone.
  • Username.
  • Password.

Then connect via a web browser (https);

  • Username: ACSAdmin
  • Password: default

1. Join the ACS appliance to your domain. Users and Identity Stores > External Identity Stores > Active Directory > Join/Test Connection > Enter Domain Credentials > Join.

2. Be patient it can take a couple of minutes, wait till it says ‘Joined and Connected’.

3. Make sure you already have some groups in active directory that you want to grant access to, here I’ve got a full-access group and a read-only access group.

Note: I’m going to grant privilege level 15 to full-access, and privilege level 1 to read-only, (yes I know they can still escalate to configure terminal mode, but you can always restrict level 1 so it can only use the show command if you like).

4. Back in ACS > Directory Groups > Add > Add in your Groups > OK.

5. Create a Shell Policy: Policy Elements > Authorization and Permissions > Shell Profiles > Create > First create one for level 15 (full-access).

6. Common Tasks tab > Default Privilege > Static > 15 > Submit.

7. Then repeat to create a profile for read-only (level 1) access.

8. Common Tasks tab > Default Privilege > Static > 1 > Submit.

9. Access Policies > Access Services > Default Device Admin > Identity > Select > AD1 (this got created when you joined the domain earlier) > OK.

10. Access Policies > Access Services > Default Device Admin > Authorisation > Customise > Add ‘Compound Condition’ > OK.

11. Create > Tick ‘Compound Condition’ > Select > ExternalGroups > Select your full-access group.

12. Add > Shell Profile > Select > Select the full-access profile > OK.

13. Repeat for the read-only group.

14. Set the shell profile to read-only access > OK.

15. Access Policies > Service Selection Rules > Create > Set to Match Protocol TACACS > Set the service to Default Device Admin > OK.

16. Network Resources > Network Devices and AAA Clients > Enter the details of your Cisco device and set a shared key, (here I’m using 666999) > Submit.

17. Make the necessary changes on your Cisco devices, like so;

Cisco IOS TACACS+ Config

[box]

Petes-Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Petes-Router(config)#aaa new-model
Petes-Router(config)#aaa authentication login default group tacacs+ local
Petes-Router(config)#aaa authorization exec default group tacacs+ local
Petes-Router(config)#aaa authorization console
Petes-Router(config)#tacacs-server host 10.254.254.22
Petes-Router(config)#tacacs-server key 666999
Petes-Router(config)#end
Petes-Router#
*Mar 1 00:10:24.691: %SYS-5-CONFIG_I: Configured from console by console
Petes-Router#write mem
Building configuration...
[OK]
Petes-Router# 

[/box]

Cisco ASA 5500 (and Next Generation) TACACS+ Config

[box]

Petes-ASA# configure terminal
Petes-ASA(config)# aaa-server PNL-AAA-TACACS protocol tacacs+
Petes-ASA(config-aaa-server-group)# aaa-server PNL-AAA-TACACS (inside) host 10.254.254.22
Petes-ASA(config-aaa-server-host)# key 666999
Petes-ASA(config-aaa-server-host)# exit
Petes-ASA(config)#

-=-=-=-=-Authentication-=-=-=-=-
ASDM Authentication

Petes-ASA(config)# aaa authentication http console PNL-AAA-TACACS LOCAL 
Console Authentication

Petes-ASA(config)# aaa authentication serial console PNL-AAA-TACACS LOCAL
SSH Authentication

Petes-ASA(config)# aaa authentication ssh console PNL-AAA-TACACS LOCAL
Telnet Authentication

Petes-ASA(config)# aaa authentication telnet console PNL-AAA-TACACS LOCAL

Enable Mode Command Protection Authentication

Petes-ASA(config)# aaa authentication enable console PNL-AAA-TACACS LOCAL
-=-=-=-=-Authorisation-=-=-=-=-

Petes-ASA(config)# aaa authorization command PNL-AAA-TACACS LOCAL
Petes-ASA(config)# privilege show level 5 mode configure command aaa

<repeat as necessary - Note: Turn it on with the ASDM with command preview enabled and you can copy/paste all the commands out and edit them accordingly>
-=-=-=-=-Accounting-=-=-=-=-

Petes-ASA(config)# aaa accounting command PNL-AAA-TACACS

[/box]

18. Now you can test, here I connect as a user with read-only access (Note: I have a greater than prompt, I’m in user EXEC mode). Then when I connect as a full-access user (Note: I have a hash prompt. I’m in privileged EXEC mode).

19. The results are the same if I connect via SSH.

Enabling TACACS+ Through a Firewall

Sometimes you have a switch in a DMZ, or a router outside your firewall, that you want to secure with TACACS+. To enable this you simply need to open TCP port 49 from the device you are securing to the ACS server.

Related Articles, References, Credits, or External Links

JunOS – Using TACACS+ With Cisco ACS