topic Re: Cisco ISE with AD Problem: "Could not read groups data: Glob in Network Access Control

Cisco ISE with AD Problem: "Could not read groups data: Global catalog not found"

Pongsatorn Maneesud — Mon, 11 Mar 2019 02:51:39 GMT

Hi all,

When I make the ActiveDirectory integration with Cisco ISE, I have complete with this integration. but when I try to read the Groups from Active Directory, ISE shows the message "Could not read groups data: Global catalog not found".

My Domain has multiple sites and subnets, each contains GC for local logon. I have set ISE to the correct site and subnet. Forward and Reverse DNS are working with no error.

Does anyone get this problem, please help.

I have check into the ISE CLI Reference Guide 1.1.x

You are about to configure Active Directory settings.

Are you sure you want to proceed? y/n [n]: y

Parameter Name: dns.servers

Parameter Value: 10.77.122.135

Active Directory internal setting modification should only be performed if approved by ISE 
support. Please confirm this change has been approved y/n [n]: y

What shoud I set in the Parameter Name ? dns.servers or my dns hostname ?

Please suggest for this too.

Thanks and Regards,

Pongsatorn M.

Re: Cisco ISE with AD Problem: "Could not read groups data: Glob

jw.sl9 — Wed, 05 Dec 2012 17:14:41 GMT

Just checking...

Did you join by GUI?
How many Nodes in your deployment?
Did you join all the nodes running the Policy Service persona?
Why are/did you modify the CLI settings?

And

Have you run a Detail Test? If not, do so. If so, zip it up and attach it to a reply post.

I hope you find this answer useful, if it was satisfactory for you, please mark the question as Answered.

Please rate post you consider useful.
-James

Re: Cisco ISE with AD Problem: "Could not read groups data: Glob

Pongsatorn Maneesud — Thu, 06 Dec 2012 02:15:48 GMT

Hi jw

1. I'm join by GUI.

2. 4 Nodes in my deployment

2 for Admin with Monitoring

2 for Policy Service

3. Now I split ISE to Standalone node and try to join AD

4. I just see this CMD in the CLI document and do nothing with this command.

5. I run a Details Test then Its fail but it able to join Domain

in my domain infrastructure, I have 4 Sites contain many subnets inside. Each site contains 2 Server for GC service

DNS record found: _ldap._tcp.xxxx

Found SRV records : more than 10 SRV records

Thanks,

Pongsatorn M.

Cisco ISE with AD Problem: "Could not read groups data: Global c

jw.sl9 — Thu, 06 Dec 2012 03:03:59 GMT

send the detail results

I hope you find this information useful, if it was satisfactory for you, please mark the question as Answered.

Please rate post you consider useful.
-James

Cisco ISE with AD Problem: "Could not read groups data: Global c

Tarik Admani — Thu, 06 Dec 2012 06:15:24 GMT

Hi,

Do not use google chrome, try using mozilla instead (ise does not play nice with chrome). Also check your sites and services information and see if there domain controllers listed for the subnet that ISE is connected to.

Thanks,

Tarik Admani
*Please rate helpful posts*

Re:Cisco ISE with AD Problem: "Could not read groups data: Globa

Pongsatorn Maneesud — Thu, 06 Dec 2012 14:45:18 GMT

Hi,
Site and subnet is set. it still not working.

But I fixes it already using CLI reference guide.
"application configure ise"

ISE should describe more integration requirements about this. 😞

Sent from Cisco Technical Support Android App

Cisco ISE with AD Problem: "Could not read groups data: Global c

gschmitt.ngit — Wed, 02 Jan 2013 19:48:14 GMT

Hi Pongsatorn,

What was your CLI fix for this problem?

I am seeing the same thing in a resent deployment.

Cheers,

Greg

Re:Cisco ISE with AD Problem: "Could not read groups data: Globa

Pongsatorn Maneesud — Thu, 03 Jan 2013 17:00:10 GMT

Hi Greg,

Can you explain more about your deployment ?

Can you expalin more about the Active Directory Infrastructure in your site ?

What happen when you open your command-line and type "netdom query fsmo" ?

However, this is my working solution for me

I using this command below to fix my issue.

"application configuration ise"

Then I select option 3 to make a static Active Directory setting

Parameter Name: dns.servers --> not change to anything you think before just type "dns.servers"

Parameter Value: 1.2.3.4 --> Point to your AD IP address

Then select option 5 after that option 4

Hope this help

Regards,

Pongsatorn

Re:Cisco ISE with AD Problem: "Could not read groups data: Globa

gschmitt.ngit — Thu, 03 Jan 2013 17:58:25 GMT

Hi Pongsatorn,

Thanks for the reply!

I've attached the results of the ISE detailed AD test. As you can see, there is a fair number of domain controllers in the AD forest.

It seems everything works correctly until it gets to testing the AD connectivity on port 3268. Then I get this:

Testing Active Directory connectivity:

Global Catalog: pdascdc02.xyz.com

gc: 3268/tcp - refused

Testing Active Directory connectivity:

Global Catalog: pdascdc02.xyz.com

gc: 3268/tcp - refused

For some reason, the request to the controllers on port 3268 is being refused.

Any thoughts you might have are greatly appreciated.

Cheers,

Greg