https://community.cisco.com/t5/network-access-control/passiveid-add-domain-controller-missing-dc/m-p/3711281#M507471 <P>checked with our AD admin, our DNS only resolve some of DC based on domain</P> <P>but ISE seems not to use API or similar cmd like" nltest /dclist:xxx.com" to resolve the DCs.</P> <P>&nbsp;</P> <P>if this is the case, PassiveID wont work for lots cases especially when large amount DCs in the enterprise.</P> <P>No one will display 100 DCs based on domain name ....</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Fri, 21 Sep 2018 17:44:19 GMT csco11552159 2018-09-21T17:44:19Z https://community.cisco.com/t5/network-access-control/passiveid-add-domain-controller-missing-dc/m-p/3710704#M507466 <P>Recently we are trying to add new DCs into PassiveID list to use WMI monitoring.</P> <P>The problems how ISE find the DCs, in our Dev environment, we found some DCs are missing from the list. and we have no way to add them.</P> <P>&nbsp;</P> <P>when use :</P> <P>nltest /dclist:dev&nbsp;&nbsp;</P> <P>We will see 4 DCs.</P> <P>But from PassiveID "Add Domain Controllers" list, cannot find all of them.</P> <P>Then we test our production DCs, we have same issues, some "site" DCs are totally missing.</P> <P>Is some kind reasons about DC"Site" ?&nbsp;</P> <P>How does ISE find all DCs&nbsp;available&nbsp; to add?&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Thu, 20 Sep 2018 19:28:07 GMT https://community.cisco.com/t5/network-access-control/passiveid-add-domain-controller-missing-dc/m-p/3710704#M507466 csco11552159 2018-09-20T19:28:07Z https://community.cisco.com/t5/network-access-control/passiveid-add-domain-controller-missing-dc/m-p/3710749#M507467 <P>Hi,</P> <P>&nbsp;</P> <P>It sounds like a configuration issue with AD. ISE gets the list of domain controllers when it joins the domain. There is no way to manually add DCs in ISE today.&nbsp;</P> <P>&nbsp;</P> <P>Regards,</P> <P>Tim</P> Thu, 20 Sep 2018 20:30:11 GMT https://community.cisco.com/t5/network-access-control/passiveid-add-domain-controller-missing-dc/m-p/3710749#M507467 Timothy Abbott 2018-09-20T20:30:11Z https://community.cisco.com/t5/network-access-control/passiveid-add-domain-controller-missing-dc/m-p/3710785#M507468 <P>we saw the same result for other domains. it seems site impacted PassiveID DCs....</P> <P>&nbsp;</P> <P>&nbsp;</P> Thu, 20 Sep 2018 21:36:07 GMT https://community.cisco.com/t5/network-access-control/passiveid-add-domain-controller-missing-dc/m-p/3710785#M507468 csco11552159 2018-09-20T21:36:07Z https://community.cisco.com/t5/network-access-control/passiveid-add-domain-controller-missing-dc/m-p/3710851#M507469 I would suspect some issue with AD sites and services and misconfiguration of AD infrastructure since ISE cannot see them. I would open a TAC case to start and work with Microsoft as well to see where the problem lies<BR /> Fri, 21 Sep 2018 02:01:45 GMT https://community.cisco.com/t5/network-access-control/passiveid-add-domain-controller-missing-dc/m-p/3710851#M507469 Jason Kunst 2018-09-21T02:01:45Z https://community.cisco.com/t5/network-access-control/passiveid-add-domain-controller-missing-dc/m-p/3710900#M507470 <P>Opened a ticket with TAC wait for some updates.&nbsp;</P> <P>&nbsp;</P> <P>Psn with passive ID enabled only see the "site" DC which are auto associated with.</P> <P>&nbsp;</P> <P>Passive wmi should see everything ..&nbsp;</P> Fri, 21 Sep 2018 04:20:29 GMT https://community.cisco.com/t5/network-access-control/passiveid-add-domain-controller-missing-dc/m-p/3710900#M507470 csco11552159 2018-09-21T04:20:29Z https://community.cisco.com/t5/network-access-control/passiveid-add-domain-controller-missing-dc/m-p/3711281#M507471 <P>checked with our AD admin, our DNS only resolve some of DC based on domain</P> <P>but ISE seems not to use API or similar cmd like" nltest /dclist:xxx.com" to resolve the DCs.</P> <P>&nbsp;</P> <P>if this is the case, PassiveID wont work for lots cases especially when large amount DCs in the enterprise.</P> <P>No one will display 100 DCs based on domain name ....</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Fri, 21 Sep 2018 17:44:19 GMT https://community.cisco.com/t5/network-access-control/passiveid-add-domain-controller-missing-dc/m-p/3711281#M507471 csco11552159 2018-09-21T17:44:19Z https://community.cisco.com/t5/network-access-control/passiveid-add-domain-controller-missing-dc/m-p/3711309#M507472 <P>I would think that ISE needs all domains in DNS to be able to resolve and work with them.&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/26660">@Timothy Abbott</a>&nbsp;is our SME will await for him to confirm. Right now it sounds like as before will need to tune AD to work with ISE.&nbsp;</P> Fri, 21 Sep 2018 18:42:44 GMT https://community.cisco.com/t5/network-access-control/passiveid-add-domain-controller-missing-dc/m-p/3711309#M507472 Jason Kunst 2018-09-21T18:42:44Z https://community.cisco.com/t5/network-access-control/passiveid-add-domain-controller-missing-dc/m-p/3712398#M507473 <P>what if we deploy PSN to each "Site", witll ISE use site based DNS resolution to find all DC?&nbsp;</P> <P>we do have all site based DNS resolution. If ISE is using this way, it should be able to see all DC at the "site".</P> Mon, 24 Sep 2018 19:27:50 GMT https://community.cisco.com/t5/network-access-control/passiveid-add-domain-controller-missing-dc/m-p/3712398#M507473 csco11552159 2018-09-24T19:27:50Z