topic Re: Hi, in Network Access Control

ISE integration with AD fails

Muhannad Abu Shamma — Mon, 11 Mar 2019 06:54:24 GMT

Dears,

I am trying to join the ISE with our AD with no success, below the error logged in the ISE:

Error Description: Failed to find domain controller, please check network connectivity

Support Details...

Error Name: LW_ERROR_FAILED_FIND_DC

Error Code: 40049

Detailed Log:

Error Description :

Failed to find domain controller in domain 10.10.10.10 : domain does not exists in DNS

Error Resolution :

Please make sure that your DNS contains records for domain : 10.10.10.10, For further information please refer to the AD DNS diagnostic tools

Join steps :

13:51:40 Joining to domain 10.10.10.10 using user ise

13:51:40 Searching for DC in domain 10.10.10.10

13:51:40 Failed to find domain controller in domain 10.10.10.10 : domain does not exists in DNS

Although we are having valid records for both AD and ISE in the DNS, i am able to resolve the DNS of our AD when making NSlookup in the ISE.

I am not sure what is the issue?

Looking forward to hearing from you.

Regards,

Muhannad

Hi

Francesco Molino — Mon, 04 Jul 2016 03:31:48 GMT

First of all, does your dns can answer srv request by sending AD IP address? Do you set the ntp on AD and ISE?

Which version of ISE are you using? Have you applied the latest patches?

When all these steps have been soon, did you took some traces on ISE?

On ISE to check your dns server you can run the command below :

nslookup _ldap._tcp.dc._msdcs.AD.DOMAIN querytype srv

Replace AD.DOMAIN by your real AD domain name and paste your result.

After getting those informations, if not working yet, you need to do some traces on ISE. If you don't know how, let me know I will try to do some screenshot on my lab to give you a guidance.

Thanks

PS: Please don't forget to rate and mark as correct answer if this solved your issue

Dears,

Muhannad Abu Shamma — Wed, 13 Jul 2016 23:48:53 GMT

Dears,

The issue was in the Domain name when we configure the External identity, once it has been fixed the integration worked fine.

Regards,
Muhannad

Nice to hear that.

Francesco Molino — Wed, 13 Jul 2016 23:53:43 GMT

Nice to hear that.

Thanks

PS: Please don't forget to rate and mark as correct answer if this solved your issue

Hi

bougamramohamed89 — Wed, 22 Mar 2017 14:27:41 GMT

I have the same problem :

"Error Description: Failed to find domain controller, please check network connectivity

Support Details...
Error Name: LW_ERROR_FAILED_FIND_DC
Error Code: 40049

Detailed Log:

Error Description :
Failed to find domain controller in domain PFE.LOCAL : domain does not exists in DNS

Error Resolution :
Please make sure that your DNS contains records for domain : PFE.LOCAL, For further information please refer to the AD DNS diagnostic tools

Join steps :
14:26:46 Joining to domain PFE.LOCAL using user bougamra
14:26:46 Searching for DC in domain PFE.LOCAL
14:26:46 Failed to find domain controller in domain PFE.LOCAL : domain does not exists in DNS "

Can you help me please ?

Hi

bougamramohamed89 — Fri, 07 Apr 2017 12:18:54 GMT

i have the same problem can you help me please

Status: Join Operation Failed: Failed to find domain controller, please check network connectivity

Hi,

Francesco Molino — Fri, 07 Apr 2017 13:52:59 GMT

Hi,

First of all, could you check your ntp configuration. AD and ISE must have the same clock to be able to be joined to your AD infrastructure.

On ISE cli, could you run this nslookup command and paste the output on a txt file:

nslookup _ldap._tcp.dc._msdcs.DOMAIN.SUFFIXE querytype srv

--> Example: nslookup _ldap._tcp.dc._msdcs.MYCOMPANY.COM querytype srv

Please check out on that link (http://www.cisco.com/c/en/us/td/docs/security/ise/2-0/ise_active_directory_integration/b_ISE_AD_integration_20.html#reference_8DC463597A644A5C9CF5D582B77BB24F). All AD and DNS requirements must be setup.

If it's not working, please activate some debugs and attach the log file to this post:

1. Activate traces for Active directory component:

2. Try to join your ISE to your AD.

3. Take the logs of the debug traces:

Thanks

PS: Please don't forget to rate and mark as correct answer if this solved your issue

Hi thanks for the answer

bougamramohamed89 — Mon, 10 Apr 2017 07:49:03 GMT

Hi thanks for the answer

but i did not find how to "Activate traces for Active directory component:" !!

sorry

how can i do that please ?

thanks

Hi

Francesco Molino — Mon, 10 Apr 2017 12:00:36 GMT

Did you go into this menu: Administration > System > Logging > Debug Log Configuration

Thanks

Hi

bougamramohamed89 — Mon, 24 Apr 2017 14:46:29 GMT

the domain name was not correct

well now i wanna know how to assign unknown mac address to a vlan ?

thx

Hi Francesco,

ffenina01 — Wed, 17 May 2017 12:31:37 GMT

Hi Francesco,

Thanks you've already been helpful.

I am facing the same problem, the AD and ISE have the same Clock along with a NTP server.

Please find below :

- the operation detail

- the result of the command

- The ad_agent.log file

PS: I changed the real domain by MY.DOMAIN 😛

### the operation detail ###

Error Description :
Failed To Find Domain Controller In Domain MY.DOMAIN : Domain Does Not Exists In DNS

Error Resolution :
Please Make Sure That Your DNS Contains Records For Domain : MY.DOMAIN, For Further Information Please Refer To The AD DNS Diagnostic Tools

Join Steps :
12:55:20 Joining To Domain MY.DOMAIN Using User Administrator
12:55:20 Searching For DC In Domain MY.DOMAIN
12:55:20 Failed To Find Domain Controller In Domain MY.DOMAIN : Domain Does Not Exists In DNS

### Result of nslookup _ldap._tcp.dc._msdcs.MY.DOMAIN querytype srv ###

Trying "_ldap._tcp.dc._msdcs.MY.DOMAIN"
Received 102 bytes from 172.20.127.1#53 in 0 ms
Trying "_ldap._tcp.dc._msdcs.MY.DOMAIN.MY.DOMAIN"
Host _ldap._tcp.dc._msdcs.MY.DOMAIN not found: 3(NXDOMAIN)
Received 109 bytes from 172.20.127.1#53 in 0 ms

Thank you very much!

Hi

Francesco Molino — Thu, 18 May 2017 03:25:07 GMT

Is there ISE on the same network add your AD server or is there an ACL or firewall in between?

If not on the same network, have you opened dns port? (UDP 53)

Have you configured the right dns server?

Can you do the following command from your windows machine (not from the AD)?

First be sure that your machine has same dns server add your ISE.

From a command line, type nslookup, then type set type=all, and finally type_ldap._tcp.dc._msdcs.YOURDOMAIN

Could you please paste the output of the result?

Thanks

PS: please don't forget to rate and mark as correct answer if this answered your question

Hi again,

ffenina01 — Thu, 18 May 2017 12:04:14 GMT

Hi again,

The ISE and the AD are on the same network, and yes everything is correctly configured I checked more than once every detail.

It turned out to be a problem within the AD, we are working in a new environment with a brand new AD, so the sys admin recreated a new one and then everything went great and it instantly joined the ISE and I retrieved the groups, so "smooth" 😛

I still haven't figured out the origine of the problem, however everything is working.

I really appreciate your help thanks 😉

Ok well done! You're welcome

Francesco Molino — Thu, 18 May 2017 12:06:47 GMT

Ok well done!

You're welcome

Hi Francesco,

Hemalatha Kumarasamy — Tue, 23 May 2017 01:13:00 GMT

Hi Francesco,

I'm facing the same problem.

And here is the output from the windows machine

C:\Users\Administrator>nslookup
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa
primary name server = 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0
0.0.0.0.0.0.0.ip6.arpa
responsible mail addr = (root)
serial = 0
refresh = 28800 (8 hours)
retry = 7200 (2 hours)
expire = 604800 (7 days)
default TTL = 86400 (1 day)
Default Server: UnKnown
Address: ::1

> set type=all
> type_ldap._tcp.dc._msdcs.ualab.com
Server: UnKnown
Address: ::1

*** UnKnown can't find type_ldap._tcp.dc._msdcs.ualab.com: Non-existent domain

Could you please help on this issue.

Hi

Francesco Molino — Tue, 23 May 2017 11:56:21 GMT

You need to recreate all servers records in AD.

Here are 2 sites I used when I faced the same issue. Sorry I'm not an AD expert but this worked for me:

http://www.windowsnetworking.com/kbase/WindowsTips/WindowsServer2008/AdminTips/ActiveDirectory/AQuickTipToFixDCSRVsinActiveDirectoryDomain.html

https://blogs.msdn.microsoft.com/servergeeks/2014/07/12/dns-records-that-are-required-for-proper-functionality-of-active-directory/

Thanks

PS: please don't forget to rate and mark as correct answer if this answered your question

Hi Franceso,

Hemalatha Kumarasamy — Tue, 23 May 2017 16:23:52 GMT

Hi Franceso,

Thank you so much for the prompt reply.

I looked into the below link,

http://www.windowsnetworking.com/kbase/WindowsTips/WindowsServer2008/AdminTips/ActiveDirectory/AQuickTipToFixDCSRVsinActiveDirectoryDomain.html

Could you please help me how to do this first step:

Import SRV records from C:\SystemRoot\Config\NetLogon.dns file.

Highly appreciate the help.

Thanks,

Hema

Hi

Francesco Molino — Thu, 25 May 2017 20:31:32 GMT

This file is used when you're using a third party dns server.

You need to focus on creating all entry by yourself or doing a netdiag fix command if I remember.

I'm sorry to not being able to help you more but in that case I'll follow Microsoft technote.

Thanks

Re: Hi

qhu — Thu, 07 Dec 2017 03:31:31 GMT

Re: ISE integration with AD fails

araviku2 — Wed, 21 Nov 2018 10:00:17 GMT

I know this is an old thread,but still replying so that anyone facing this problem can be helped.

This problem arises when the windows server fails to create SRV records for the domain controller.

I faced this problem too and the issue got resolved after i re-installed AD services on the windows server without installing the DNS server which lead to an automatic creation of the DNS server along with the required records.