topic Re: ISE AD failover in Network Access Control

ISE AD failover

steveklem — Mon, 11 Mar 2019 03:17:25 GMT

Hi,

I have a ISE 1.1.3.124 VM operating in standalone mode that is authenticating devices against AD. The AD environment consists of multiple member servers, and while this is working fine, when the Domain controller that the ISE Displays it is connected to fails,

In normal operating mode under External Identity Sources -> Active Directory the management web page displays the following status:

"Connected to: mydc01.mydomain.com"

However when I shutdown the this domain controller, it displays the following status even there are more Domain Controllers in the network.

"Joined to Domain but Disconnected"

In the CLI config, I have added all of the Domain Controllers IP addresses using the "ip name-server" command

Now any authentications fail with the following message "24444 Active Directory operation has failed because of an unspecified error in the ISE"

Can the ISE be configured to look at more than 1 AD server?

Appreciate any help on this.

ISE AD failover

huangedmc — Wed, 10 Apr 2013 13:45:47 GMT

Could someone shed some light into this?

I'm curious as well.

Both of our ISE nodes are joined to the same DC, even though I've tried leaving domain, and re-joining.

If a DC failure would disable the entire external ID store, we'd like to know if there's a wordaround.

thx

ISE AD failover

Venkatesh Attuluri — Thu, 11 Apr 2013 06:38:43 GMT

This link might be helpfull

http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_45_multiple_active_directories.pdf

ISE AD failover

huangedmc — Thu, 11 Apr 2013 13:55:50 GMT

Thank you for providing the link.

I've read that TrustSec2.1 guide.

While it provides instruction on how to allow ISE to communicate to multiple AD domain's, it does not address the specific issue that the OP and I have.

When an ISE node joins to an AD domain, and says "Connected to: mydc01.mydomain.com", why does ISE lose connection to the domain altogether, when "mydc01" fails, and there are other domain controllers available?

ISE AD failover

david.tran — Fri, 12 Apr 2013 19:55:21 GMT

I have ISE in VMWare standalone mode with IP address of 192.168.1.3 and AD1 server of 192.168.1.1 and AD2 server of 192.168.1.2 in Active Directory of CCIESEC. I've successfully added ISE into the Active Directory and it is shown as "connected"

When i shutdown AD1, I still can run the "detail test connection" on ISE to AD with AD1 offline without any issues. The same thing when AD2 is offline and AD1 is online. In other words, ISE function fine.

It works with both ISE 1.1.2 patch-5 and 1.1.3 patch-1 in my test environment.

Re: ISE AD failover

steveklem — Fri, 12 Apr 2013 20:38:48 GMT

Thanks David, yes the detailed test does seem to work in this scenario (it did for me) but have you tried to actually authenticate a device against AD while it is down. This is when it fails.

Sent from Cisco Technical Support iPhone App

Re: ISE AD failover

david.tran — Fri, 12 Apr 2013 21:00:59 GMT

I've NOT tried that yet. I do notice the followings: AD1 is ad1.cciesec.com AD2 is ad2.cciesec.com

On the ISE, it shows me that it is connected to ad1.cciesec.com. When I shutdown ad1.cciesec.com, if I refresh the page, it shows me that it is connected to ad2.cciesec.com

Re: ISE AD failover

david.tran — Fri, 12 Apr 2013 21:11:16 GMT

Steve,

Have you opened a TAC case with Cisco on this? This has definitely made me very nervous about this.

Re: ISE AD failover

steveklem — Fri, 12 Apr 2013 21:40:31 GMT

No I haven't yet David, thought I'd put it to the forum first, but like you said maybe I should.

Sent from Cisco Technical Support iPhone App

Re: ISE AD failover

david.tran — Fri, 12 Apr 2013 21:43:00 GMT

Steve,

What version of ISE are you running? appliance or VM? Can you share the "show version output"?

Thanks,

David

ISE AD failover

steveklem — Mon, 15 Apr 2013 00:39:34 GMT

Hi David,

I am running VM.

"show version" output below.

Thanks,

Steve.

Cisco Application Deployment Engine OS Release: 2.0

ADE-OS Build Version: 2.0.4.018

ADE-OS System Architecture: i386

Hostname: alxise01

Version information of installed applications

---------------------------------------------

Cisco Identity Services Engine

---------------------------------------------

Version : 1.1.3.124

Build Date : Thu Feb 7 17:55:38 2013

Install Date : Thu Mar 14 10:27:53 2013

ISE AD failover

askhuran — Wed, 24 Apr 2013 00:47:52 GMT

An Active Directory Forest also has “Domain Resource Records” in DNS, which are required to locate a domain controller. It seems the additional domain controllers are having some issues with “Domain Resource Records” which you need to fix. When “Domain Resource Records” in Active Directory integrated DNS zone become corrupt, even the domain controller machine itself will be unable to find the Domain Controller for the AD Domain. Please check for any warning or error notifications in the event logs on Additional Domain Controllers, especially the netlogon service events.

To fix those issues you may use the following utilities of Windows Support Tools:

Dcdiag

netdiag

portqry

nltest

ISE AD failover

ryan.lambert — Fri, 04 Oct 2013 20:07:27 GMT

Hi all,

What's the verdict on this one?

I had an issue similar this morning on 1.2 with a failed DC and clients failing authentication to the ISE node bound to it, but not my other one that was bound to a different controller.

Bumping this thread...can

CSCO10662744_2 — Thu, 28 Jul 2016 19:51:05 GMT

Bumping this thread...can someone please clarify how ISE handles the availability of the domain controllers in a windows domain?

Server admins need to perform patches/maintenance/decommission of their AD servers, so it would be very beneficial to know exactly how ISE would behave in these cases.