https://community.cisco.com/t5/network-access-control/ad-operational-not-operational/m-p/3700960#M507811 <P>Hi experts,</P> <P>&nbsp;</P> <P>Does ISE automatically leave from Active Directory domain and re-join during reboot if it is already joined?</P> <P>Does ISE periodically communicate with Active Directory DC after it joined to a domain?</P> <P>&nbsp;</P> <P>I read "Active Directory Integration with Cisco ISE 2.x" below but it only describe behavior on application reset or configuration restore.</P> <P>&nbsp;</P> <P>'When you reset the Cisco ISE application configuration from the command-line interface or restore configuration after a backup or upgrade, it performs a leave operation, disconnecting the Cisco ISE node from the Active Directory domain, if it is already joined.'</P> <P>&nbsp;</P> <P><A href="https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/ise_active_directory_integration/b_ISE_AD_integration_2x.html#ID612" target="_blank">https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/ise_active_directory_integration/b_ISE_AD_integration_2x.html#ID612</A></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>[Background]</P> <P>My customer says they sometimes see "Not Operational" when checking AD integration status in [Administrator]-&gt;[External Identity Source]-&gt;AD domain after ISE reboot.</P> <P>They say there seems no impact to user authentication during "Not Operational", but asking why ISE changes its status.</P> Wed, 05 Sep 2018 06:41:40 GMT mick5kull 2018-09-05T06:41:40Z https://community.cisco.com/t5/network-access-control/ad-operational-not-operational/m-p/3700960#M507811 <P>Hi experts,</P> <P>&nbsp;</P> <P>Does ISE automatically leave from Active Directory domain and re-join during reboot if it is already joined?</P> <P>Does ISE periodically communicate with Active Directory DC after it joined to a domain?</P> <P>&nbsp;</P> <P>I read "Active Directory Integration with Cisco ISE 2.x" below but it only describe behavior on application reset or configuration restore.</P> <P>&nbsp;</P> <P>'When you reset the Cisco ISE application configuration from the command-line interface or restore configuration after a backup or upgrade, it performs a leave operation, disconnecting the Cisco ISE node from the Active Directory domain, if it is already joined.'</P> <P>&nbsp;</P> <P><A href="https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/ise_active_directory_integration/b_ISE_AD_integration_2x.html#ID612" target="_blank">https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/ise_active_directory_integration/b_ISE_AD_integration_2x.html#ID612</A></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>[Background]</P> <P>My customer says they sometimes see "Not Operational" when checking AD integration status in [Administrator]-&gt;[External Identity Source]-&gt;AD domain after ISE reboot.</P> <P>They say there seems no impact to user authentication during "Not Operational", but asking why ISE changes its status.</P> Wed, 05 Sep 2018 06:41:40 GMT https://community.cisco.com/t5/network-access-control/ad-operational-not-operational/m-p/3700960#M507811 mick5kull 2018-09-05T06:41:40Z https://community.cisco.com/t5/network-access-control/ad-operational-not-operational/m-p/3701331#M507812 <P>If this is the behavior seen by your customer in production network, it is best handled by TAC. Please request your customer to open a TAC service request.</P> <P>&nbsp;</P> <P>- Krish</P> <P>&nbsp;</P> Wed, 05 Sep 2018 16:03:20 GMT https://community.cisco.com/t5/network-access-control/ad-operational-not-operational/m-p/3701331#M507812 kvenkata1 2018-09-05T16:03:20Z https://community.cisco.com/t5/network-access-control/ad-operational-not-operational/m-p/3701342#M507814 <P>Also part of the reason your authentications may not be affected is because by default is the authentication process fails on a PSN, the PSN will drop the request and allow the NAD to fail over to the another PSN.</P> <P>&nbsp;</P> <P>As Krish said you definitely want to get a TAC case going.</P> Wed, 05 Sep 2018 16:11:29 GMT https://community.cisco.com/t5/network-access-control/ad-operational-not-operational/m-p/3701342#M507814 paul 2018-09-05T16:11:29Z https://community.cisco.com/t5/network-access-control/ad-operational-not-operational/m-p/3701678#M507816 <P>Thanks for your comment.</P> <P>&nbsp;</P> <P>I understand "Not Operational" status after ISE reboot is not expected behavior and need TAC assistance.</P> <P>&nbsp;</P> <P>Do you have any comments on below queries?</P> <P>&nbsp;</P> <P>&gt; Does ISE automatically leave from Active Directory domain and re-join during reboot if it is already joined?<BR />&gt; Does ISE periodically communicate with Active Directory DC after it joined to a domain?</P> <P>&nbsp;</P> <P>If yes, I think customer and I should check network accessibility between ISE and AD controller more before open a SR on ISE.</P> Thu, 06 Sep 2018 01:23:09 GMT https://community.cisco.com/t5/network-access-control/ad-operational-not-operational/m-p/3701678#M507816 mick5kull 2018-09-06T01:23:09Z