<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: ISE 2.7 AD join - remove 2008 DC in Network Access Control</title>
    <link>https://community.cisco.com/t5/network-access-control/ise-2-7-ad-join-remove-2008-dc/m-p/4511244#M571346</link>
    <description>&lt;P&gt;&lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/388087"&gt;@Greg Gibbs&lt;/a&gt;&amp;nbsp;and&amp;nbsp;&lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/291804"&gt;@Mark Elsen&lt;/a&gt;&amp;nbsp;Thanks for your suggestions. We don't have Default-First-Site and all DCs show under their relative site names. However, I looked into SRV records and all our DCs for this site were set to default priority and weight. I lowered the priority of the 2008 server and now I see LDAP and Kerberos going to our preferred DCs. I then blocked all traffic to our DCs and everything still works. yay..&lt;/P&gt;</description>
    <pubDate>Wed, 01 Dec 2021 15:12:39 GMT</pubDate>
    <dc:creator>rajitoor55</dc:creator>
    <dc:date>2021-12-01T15:12:39Z</dc:date>
    <item>
      <title>ISE 2.7 AD join - remove 2008 DC</title>
      <link>https://community.cisco.com/t5/network-access-control/ise-2-7-ad-join-remove-2008-dc/m-p/4510091#M571291</link>
      <description>&lt;P&gt;We have AD joined ISE servers and 3 Domain Controllers. One of them is an old 2008 which we are trying to get rid of.&lt;/P&gt;&lt;P&gt;As soon as I block the traffic on the intermediate firewall, all authentications start failing. All traffic is confirmed allowed to the new 2016 DCs.&amp;nbsp;Why is ISE not moving to the new DCs, and what can I do to make it work with the new DCs?&lt;/P&gt;</description>
      <pubDate>Mon, 29 Nov 2021 16:33:37 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/ise-2-7-ad-join-remove-2008-dc/m-p/4510091#M571291</guid>
      <dc:creator>rajitoor55</dc:creator>
      <dc:date>2021-11-29T16:33:37Z</dc:date>
    </item>
    <item>
      <title>Re: ISE 2.7 AD join - remove 2008 DC</title>
      <link>https://community.cisco.com/t5/network-access-control/ise-2-7-ad-join-remove-2008-dc/m-p/4510096#M571292</link>
      <description>&lt;P&gt;Not sure how traffic blocking is experienced by ISE when trying to connect to the old DC; perhaps turn it off and keep it reachable. Sometimes there is a subtle difference between lost, unreachable or rejected connections. FYI:&amp;nbsp;&lt;A href="https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/ise_active_directory_integration/b_ISE_AD_integration_2x.html#reference_42F562CACEA745348AE47B601A29E151" target="_blank"&gt;https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/ise_active_directory_integration/b_ISE_AD_integration_2x.html#reference_42F562CACEA745348AE47B601A29E151&lt;/A&gt;&amp;nbsp;but it does not immediately clear up the subject.&lt;/P&gt;
&lt;P&gt;M.&lt;/P&gt;</description>
      <pubDate>Mon, 29 Nov 2021 16:44:04 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/ise-2-7-ad-join-remove-2008-dc/m-p/4510096#M571292</guid>
      <dc:creator>Mark Elsen</dc:creator>
      <dc:date>2021-11-29T16:44:04Z</dc:date>
    </item>
    <item>
      <title>Re: ISE 2.7 AD join - remove 2008 DC</title>
      <link>https://community.cisco.com/t5/network-access-control/ise-2-7-ad-join-remove-2008-dc/m-p/4510245#M571296</link>
      <description>&lt;P&gt;The Primary DC that the ISE nodes communicate with is controlled by the configuration in AD Sites and Services. If the Site showing in the ISE AD section says 'Default-First-Site' then you have not configured Sites correctly. You should have a Site that represents the physical/logical location(s) of the ISE nodes. The closest Domain Controller should be associated with that Site, as should the IP address or subnet for the respective ISE nodes. After updating Sites, ISE will automatically begin communication with the relevant (non-2008) DC.&lt;/P&gt;</description>
      <pubDate>Mon, 29 Nov 2021 23:23:22 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/ise-2-7-ad-join-remove-2008-dc/m-p/4510245#M571296</guid>
      <dc:creator>Greg Gibbs</dc:creator>
      <dc:date>2021-11-29T23:23:22Z</dc:date>
    </item>
    <item>
      <title>Re: ISE 2.7 AD join - remove 2008 DC</title>
      <link>https://community.cisco.com/t5/network-access-control/ise-2-7-ad-join-remove-2008-dc/m-p/4511244#M571346</link>
      <description>&lt;P&gt;&lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/388087"&gt;@Greg Gibbs&lt;/a&gt;&amp;nbsp;and&amp;nbsp;&lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/291804"&gt;@Mark Elsen&lt;/a&gt;&amp;nbsp;Thanks for your suggestions. We don't have Default-First-Site and all DCs show under their relative site names. However, I looked into SRV records and all our DCs for this site were set to default priority and weight. I lowered the priority of the 2008 server and now I see LDAP and Kerberos going to our preferred DCs. I then blocked all traffic to our DCs and everything still works. yay..&lt;/P&gt;</description>
      <pubDate>Wed, 01 Dec 2021 15:12:39 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/ise-2-7-ad-join-remove-2008-dc/m-p/4511244#M571346</guid>
      <dc:creator>rajitoor55</dc:creator>
      <dc:date>2021-12-01T15:12:39Z</dc:date>
    </item>
  </channel>
</rss>

