https://community.cisco.com/t5/network-access-control/ip-name-servers/m-p/3586392#M537316 <HTML><HEAD></HEAD><BODY><P>There is a difference between the DNS server was misconfigured and the DNS server was down. If the server was up but misconfigured, it is very likely the secondary server would not be used.</P><P></P><P>George</P></BODY></HTML> Tue, 18 Oct 2016 22:40:59 GMT gbekmezi-DD 2016-10-18T22:40:59Z https://community.cisco.com/t5/network-access-control/ip-name-servers/m-p/3586389#M537312 <HTML><HEAD></HEAD><BODY><P>We recently had an issue where our primary ip name server's dns stopped responding. However the ISE node did not fail over to the secondary name servers and broke all users in the child domain that was no long resolving. Is there a way to help ISE fail over to secondary name servers for DNS? </P><P></P><P>We waited for our server team to address the issue and then everything started working. </P><P></P><P>Thanks!</P></BODY></HTML> Tue, 18 Oct 2016 00:13:26 GMT https://community.cisco.com/t5/network-access-control/ip-name-servers/m-p/3586389#M537312 ziggyzwy 2016-10-18T00:13:26Z https://community.cisco.com/t5/network-access-control/ip-name-servers/m-p/3586390#M537314 <HTML><HEAD></HEAD><BODY><P>ISE should have failed over if there were no DNS response. What version of ISE did you see the behavior? Also, was the primary DNS server truly down as in not responding to DNS request, or is it possible the DNS server was still responding, but without proper response?</P></BODY></HTML> Tue, 18 Oct 2016 05:12:00 GMT https://community.cisco.com/t5/network-access-control/ip-name-servers/m-p/3586390#M537314 howon 2016-10-18T05:12:00Z https://community.cisco.com/t5/network-access-control/ip-name-servers/m-p/3586391#M537315 <HTML><HEAD></HEAD><BODY><P>According to our Systems guys the dns zone file was not set up correctly on the primary dns name server for the node.</P><P></P><P>I was able to traceroute from the node to the domain controller and ping the domain controller but the dns was failing for the child.domain.com.</P><P></P><P>This was the message that I received from the primary name server</P><P></P><P>DNS request timed out.</P><P>&nbsp;&nbsp;&nbsp; timeout was 2 seconds.</P><P>DNS request timed out.</P><P>&nbsp;&nbsp;&nbsp; timeout was 2 seconds.</P><P></P><P>The secondary and tertiary dns name servers were set up correctly and provided the correct ip address for the child.domain.com.</P><P></P><P>In the <SPAN style="color: #0088c2; font-family: Tahoma; font-size: 11px; font-weight: bold;">Active Directory Diagnostic Tool</SPAN> it was unable to locate the domain controller for the child domain in question and all tests failed. Once our system team updated the primary dns server for the node everything started working again.</P><P></P><P>Very weird behavior indeed.</P><P></P><P>ISE 2.0.306 patch 3</P></BODY></HTML> Tue, 18 Oct 2016 16:56:14 GMT https://community.cisco.com/t5/network-access-control/ip-name-servers/m-p/3586391#M537315 ziggyzwy 2016-10-18T16:56:14Z https://community.cisco.com/t5/network-access-control/ip-name-servers/m-p/3586392#M537316 <HTML><HEAD></HEAD><BODY><P>There is a difference between the DNS server was misconfigured and the DNS server was down. If the server was up but misconfigured, it is very likely the secondary server would not be used.</P><P></P><P>George</P></BODY></HTML> Tue, 18 Oct 2016 22:40:59 GMT https://community.cisco.com/t5/network-access-control/ip-name-servers/m-p/3586392#M537316 gbekmezi-DD 2016-10-18T22:40:59Z https://community.cisco.com/t5/network-access-control/ip-name-servers/m-p/3586393#M537317 <HTML><HEAD></HEAD><BODY><P>Hi Chris</P><P></P><P>The OS DNS resolver needs to see 'no response' before it will decide to fail over to your secondary.&nbsp; So if you get a response from the primary, but some records are incorrect/missing, it's not smart enough to know it should fail over to the secondary.</P><P></P><P>Chris</P></BODY></HTML> Mon, 24 Oct 2016 16:47:08 GMT https://community.cisco.com/t5/network-access-control/ip-name-servers/m-p/3586393#M537317 ChrisMurray 2016-10-24T16:47:08Z https://community.cisco.com/t5/network-access-control/ip-name-servers/m-p/3586394#M537318 <HTML><HEAD></HEAD><BODY><P>Hi Chris, </P><P></P><P>Thank you, that does make sense of how the fail-over works.</P><P></P><P>Chris</P></BODY></HTML> Mon, 24 Oct 2016 17:51:26 GMT https://community.cisco.com/t5/network-access-control/ip-name-servers/m-p/3586394#M537318 ziggyzwy 2016-10-24T17:51:26Z