topic Re: ISE Can't join Multiple domain in Network Access Control

ISE Can't join Multiple domain

gasliu — Thu, 25 Feb 2016 13:24:47 GMT

Hi Experts,

My customer is using ISE 2.0 to serve multiple domain user for AAA process. However, I can only join one AD into ISE. Every time I try to join the second AD, it will fail.

I check the fail reason, it shows because ISE can't resolve the domain by DNS. For example, if the second domain is demo.local, it will show ISE can't find the domain controller of demo.local.

I check the SVR is correct on DNS, and when I use SSH to log in ISE console and use nslookup, the demo.local can be resolve as the right AD's address.

Do you have any experience it? Is it a bug?

The error code is LW_ERROR_FAILED_FIND_DC

Thank you for your help

Re: ISE Can't join Multiple domain

hslai — Thu, 25 Feb 2016 20:40:22 GMT

Please review the DNS server section in Prerequisites for Integrating Active Directory and Cisco ISE

Then, from ISE admin CLI, the DNS query test is illustrated as below, where the domain is “lab.local”:

ise/admin# nslookup _ldap._tcp.dc._msdcs.LAB.LOCAL querytype srv
Trying "_ldap._tcp.dc._msdcs.LAB.LOCAL"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17149
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;_ldap._tcp.dc._msdcs.LAB.LOCAL.        IN      SRV

;; ANSWER SECTION:
_ldap._tcp.dc._msdcs.LAB.LOCAL. 320 IN  SRV    0 100 389 ws2012r2.lab.local.

;; ADDITIONAL SECTION:
ws2012r2.lab.local.    3320    IN      A      10.1.99.10

Received 102 bytes from 10.1.100.10#53 in 8 ms

If the deployment is meeting the DNS server requirements and the “SRV” query looking ok, then need to debug further.

Alter the debug level of "Active Directory" to TRACE.
Perform the join step.
Download and examine the debug log "ad_agent.log"

Here is an sample error entry:

…,VERBOSE,...,DNS lookup for '_ldap._tcp.dc._msdcs.TEST1.LOCAL' failed with errno 0, h_errno = 1, error=LW_ERROR_DNS_ERROR_DOMAIN_NOT_FOUND,LWNetDnsQueryWithBuffer(),netlogon/utils/lwnet-dns.c:1935

If you need help in looking at the debug log, please share the file directly to me via box.

Re: ISE Can't join Multiple domain

gasliu — Fri, 26 Feb 2016 03:50:30 GMT

The log file has been to share to you via box.

The domain name is “icesnet.local” and AD admin user is “iseuser”

As I can see from the log, “failed to find domain controller in domain ICESNET.LOCAL”, but I can see from the DNS, the domain does exist in DNS

Best Regards,

Gaspard Liu (刘洪曦) .:|:.:|:.

CCIE Wireless

Travel Plan:

Re: ISE Can't join Multiple domain

hslai — Mon, 14 Mar 2016 17:30:55 GMT

Closing this thread, as Gaspard opened a TAC case.