https://community.cisco.com/t5/network-access-control/ise-ad-integration-issues/m-p/2212544#M100166 <HTML><HEAD></HEAD><BODY><P>thanks for the replies. I'll work through the information and post back the outcome.<BR /><BR />Sent from Cisco Technical Support iPhone App</P></BODY></HTML> Wed, 26 Jun 2013 03:14:56 GMT James Smith 2013-06-26T03:14:56Z https://community.cisco.com/t5/network-access-control/ise-ad-integration-issues/m-p/2212541#M100163 <P>G'day All, </P><P></P><P>I am attempting to ad my primary admin node to AD, but I am receving the following error message in the ISE gui. </P><P></P><P>using Writable Domain Controller: addc01.abc.com</P><P>Update Computer DnsName Failed.</P><P>User Does Not Have Update Privileges On The DNSHostName Attribute.</P><P></P><P>Error: Either User <A href="mailto:ise_ad@abc.com" target="_blank">ise_ad@abc.com</A> Does Not Have Sufficient Permissions To Join</P><P>Domain Abc.com, Zone Null</P><P>Or This Computer Already Has An Account In The Domain.</P><P>In Order To Rejoin, You Must Have Domain Administrator Privileges.</P><P></P><P>Join To Domain&nbsp; Abc.com , Zone&nbsp; Null&nbsp; Failed</P><P></P><P>The detailed test passes fine. I don't see any NTP errors and DNS is completely resolvable at both ends. </P><P></P><P></P><P>Any assistance is greatly appreciated guys. </P><P></P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P></P><P>James</P> Mon, 11 Mar 2019 03:34:56 GMT https://community.cisco.com/t5/network-access-control/ise-ad-integration-issues/m-p/2212541#M100163 James Smith 2019-03-11T03:34:56Z https://community.cisco.com/t5/network-access-control/ise-ad-integration-issues/m-p/2212542#M100164 <HTML><HEAD></HEAD><BODY><P> hi,</P><P>I think I had similar problem in the past so check:</P><P>- whether u got PTR record (so reverse lookup zone must be configured as well).</P><P>- your CLI dns points the right server with this records</P><P>- your CLI domain name is the same as AD</P><P></P><P>regards</P><P>Przemek</P></BODY></HTML> Tue, 25 Jun 2013 06:19:09 GMT https://community.cisco.com/t5/network-access-control/ise-ad-integration-issues/m-p/2212542#M100164 Przemyslaw Konitz 2013-06-25T06:19:09Z https://community.cisco.com/t5/network-access-control/ise-ad-integration-issues/m-p/2212543#M100165 <HTML><HEAD></HEAD><BODY><P style="line-height: normal;">This happen due to incorrect DNS entry on DNS server also make sure that your user which you are using to join the domain have administrator right on AD. Cross check that you are able to resolve the name of your domain and vice versa.</P><P style="line-height: normal;">For more detail you can check the below link</P><P></P><P><A href="http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_troubleshooting.html#wp1049448">http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_troubleshooting.html#wp1049448</A></P></BODY></HTML> Tue, 25 Jun 2013 08:25:58 GMT https://community.cisco.com/t5/network-access-control/ise-ad-integration-issues/m-p/2212543#M100165 Ravi Singh 2013-06-25T08:25:58Z https://community.cisco.com/t5/network-access-control/ise-ad-integration-issues/m-p/2212544#M100166 <HTML><HEAD></HEAD><BODY><P>thanks for the replies. I'll work through the information and post back the outcome.<BR /><BR />Sent from Cisco Technical Support iPhone App</P></BODY></HTML> Wed, 26 Jun 2013 03:14:56 GMT https://community.cisco.com/t5/network-access-control/ise-ad-integration-issues/m-p/2212544#M100166 James Smith 2013-06-26T03:14:56Z https://community.cisco.com/t5/network-access-control/ise-ad-integration-issues/m-p/2212545#M100167 <P>I had a similar problem.</P><P>&nbsp;</P><P>I received the following error:</P><P>Using domain controller: paprowdc.domain.corp writable=true<BR />Update Computer dnsName failed.<BR />User does not have update privileges on the dNSHostName attribute.</P><P>Error: Either user user_ad@domain.corp &nbsp;does not have sufficient permissions to join<BR />&nbsp;domain domain.corp, zone null<BR />&nbsp;or this computer already has an account in the domain.<BR />In order to rejoin, you must have Domain Administrator privileges.</P><P>Join to domain `domain.corp`, zone `null` failed.</P><P>&nbsp;</P><P>The problem was solved, adding the privilege for add machine object on the AD to the user user_ad.</P><P>&nbsp;</P><P>Regards,</P> Tue, 18 Mar 2014 20:51:59 GMT https://community.cisco.com/t5/network-access-control/ise-ad-integration-issues/m-p/2212545#M100167 khernandezruiz 2014-03-18T20:51:59Z https://community.cisco.com/t5/network-access-control/ise-ad-integration-issues/m-p/2212546#M100168 <P><SPAN style="font-size:12px;"><SPAN style="font-family:verdana,geneva,sans-serif;">James, I agree with the above reply by&nbsp;<A about="/users/khernandezruiz" class="username" datatype="" href="https://community.cisco.com/users/khernandezruiz" property="foaf:name" style="background-color: rgb(247, 247, 247);" title="View user profile." typeof="sioc:UserAccount" lang="">khernandezruiz</A></SPAN></SPAN></P><P><SPAN style="font-size:12px;"><SPAN style="font-family:verdana,geneva,sans-serif;">AD account required for domain access in ACS should have either of the&nbsp;following:<BR />- Add workstations to domain user right in corresponding domain.<BR />- Create Computer Objects or Delete Computer Objects permission on&nbsp;corresponding computers container where ACS machine's account is&nbsp;precreated (created before joining ACS to the domain).</SPAN></SPAN></P><P>&nbsp;</P><P><SPAN style="font-size:12px;"><SPAN style="font-family:verdana,geneva,sans-serif;">Regards,</SPAN></SPAN></P><P><SPAN style="font-size:12px;"><SPAN style="font-family:verdana,geneva,sans-serif;">Jatin Katyal</SPAN></SPAN></P><P><SPAN style="font-size:12px;"><SPAN style="font-family:verdana,geneva,sans-serif;">*Do rate helpful posts*</SPAN></SPAN></P> Wed, 19 Mar 2014 03:34:57 GMT https://community.cisco.com/t5/network-access-control/ise-ad-integration-issues/m-p/2212546#M100168 Jatin Katyal 2014-03-19T03:34:57Z