https://community.cisco.com/t5/network-access-control/joining-cisco-ise-node-with-rodc-active-directory-issue/m-p/4513218#M571449 <P><A href="https://www.cisco.com/c/en/us/td/docs/security/ise/2-1/admin_guide/b_ise_admin_guide_21/b_ise_admin_guide_20_chapter_01101.html#reference_F19556CAD5C949B58DF89334E2C6255D" target="_blank" rel="noopener">Active Directory Account Permissions Required to Perform Various Operations</A></P> <H4 id="ariaid-title32" class="title topictitle4">Active Directory Account Permissions Required to Perform Various Operations</H4> <TABLE border="1" width="100%"> <TBODY> <TR> <TD width="50%"><STRONG>Join Operations</STRONG></TD> <TD width="50%"><STRONG>Cisco Machine Accounts</STRONG></TD> </TR> <TR> <TD width="50%"> <P class="p">The join operation requires the following account permissions:</P> <UL id="reference_F19556CAD5C949B58DF89334E2C6255D__ul_qx3_w4c_qx" class="ul"> <LI id="reference_F19556CAD5C949B58DF89334E2C6255D__li_BCA59CE71A574D179E905F51D628E21C" class="li"> <P class="p">Search Active Directory (to see if a Cisco machine account exists)</P> </LI> <LI id="reference_F19556CAD5C949B58DF89334E2C6255D__li_994D03F3E0FE4B1FA75D5E4E361504FF" class="li"> <P class="p">Create Cisco machine account to domain (if the machine account does not already exist)</P> </LI> <LI id="reference_F19556CAD5C949B58DF89334E2C6255D__li_ED1668CBC5BC4F839E56DACE2B0E42F7" class="li"> <P class="p">Set attributes on the new machine account (for example, Cisco machine account password, SPN, dnsHostname)</P> </LI> </UL> </TD> <TD width="50%"> <P class="p">The machine account that communicates to the Active Directory connection requires the following permissions:</P> <UL id="reference_F19556CAD5C949B58DF89334E2C6255D__ul_sx3_w4c_qx" class="ul"> <LI id="reference_F19556CAD5C949B58DF89334E2C6255D__li_6B619A3339B2426AA28C6A7B242B20B4" class="li"> <P class="p">Change password</P> </LI> <LI id="reference_F19556CAD5C949B58DF89334E2C6255D__li_C9B2B4D3ADA040A9BA1ADC117BC3A767" class="li"> <P class="p">Read the user and machine objects corresponding to users and machines that are</P> </LI> <LI id="reference_F19556CAD5C949B58DF89334E2C6255D__li_F05564FE3CE341E8BA1888CB2BDFEA1C" class="li"> <P class="p">Query Active Directory to get information (for example, trusted domains, alternative UPN suffixes, and so on)</P> </LI> <LI id="reference_F19556CAD5C949B58DF89334E2C6255D__li_D797B560586242B0A74B6B8A041D8B9F" class="li"> <P class="p">Read the tokenGroups attribute</P> </LI> </UL> <P class="p">You can precreate the machine account in Active Directory. If the SAM name matches the Cisco appliance hostname, it is located during the join operation and re-used.</P> <P class="p">If there are multiple join operations, multiple machine accounts are maintained inside Cisco , one for each join.</P> </TD> </TR> </TBODY> </TABLE> <SECTION class="body refbody"> <SECTION id="reference_F19556CAD5C949B58DF89334E2C6255D__section_C9AEF96CC3EB4FE29575DEAE0FA74540" class="section"> <DIV class="tableContainer"> <P>&nbsp;&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> </DIV> </SECTION> </SECTION> Sat, 04 Dec 2021 22:54:11 GMT thomas 2021-12-04T22:54:11Z https://community.cisco.com/t5/network-access-control/joining-cisco-ise-node-with-rodc-active-directory-issue/m-p/3067910#M23726 <P>Hello guys,</P> <P></P> <P>I am trying to join my CIsco ISE Nodes to RODC Active Directory and there's an issue when joining.&nbsp;</P> <P></P> <P>Are there any limitations when joining Cisco ISE to RODC Active Directory?</P> <P>Does Cisco ISE needs to join to RWDC Active Directory not RODC?</P> <P></P> <P>*Attached is the log produced when trying to join domain.</P> <P>Ps: Customer didnt permit any communication directly to RWDC.</P> <P></P> <P>Hope to hear your response.</P> Mon, 11 Mar 2019 07:30:19 GMT https://community.cisco.com/t5/network-access-control/joining-cisco-ise-node-with-rodc-active-directory-issue/m-p/3067910#M23726 Andryan Viryadi Tanamir 2019-03-11T07:30:19Z https://community.cisco.com/t5/network-access-control/joining-cisco-ise-node-with-rodc-active-directory-issue/m-p/4499785#M570943 <P>Hello,</P><P>Did you able to solve this issue, i have to implement ISE PSN node with RODC, will it work?</P> Tue, 09 Nov 2021 00:40:25 GMT https://community.cisco.com/t5/network-access-control/joining-cisco-ise-node-with-rodc-active-directory-issue/m-p/4499785#M570943 shah.vinit 2021-11-09T00:40:25Z https://community.cisco.com/t5/network-access-control/joining-cisco-ise-node-with-rodc-active-directory-issue/m-p/4513218#M571449 <P><A href="https://www.cisco.com/c/en/us/td/docs/security/ise/2-1/admin_guide/b_ise_admin_guide_21/b_ise_admin_guide_20_chapter_01101.html#reference_F19556CAD5C949B58DF89334E2C6255D" target="_blank" rel="noopener">Active Directory Account Permissions Required to Perform Various Operations</A></P> <H4 id="ariaid-title32" class="title topictitle4">Active Directory Account Permissions Required to Perform Various Operations</H4> <TABLE border="1" width="100%"> <TBODY> <TR> <TD width="50%"><STRONG>Join Operations</STRONG></TD> <TD width="50%"><STRONG>Cisco Machine Accounts</STRONG></TD> </TR> <TR> <TD width="50%"> <P class="p">The join operation requires the following account permissions:</P> <UL id="reference_F19556CAD5C949B58DF89334E2C6255D__ul_qx3_w4c_qx" class="ul"> <LI id="reference_F19556CAD5C949B58DF89334E2C6255D__li_BCA59CE71A574D179E905F51D628E21C" class="li"> <P class="p">Search Active Directory (to see if a Cisco machine account exists)</P> </LI> <LI id="reference_F19556CAD5C949B58DF89334E2C6255D__li_994D03F3E0FE4B1FA75D5E4E361504FF" class="li"> <P class="p">Create Cisco machine account to domain (if the machine account does not already exist)</P> </LI> <LI id="reference_F19556CAD5C949B58DF89334E2C6255D__li_ED1668CBC5BC4F839E56DACE2B0E42F7" class="li"> <P class="p">Set attributes on the new machine account (for example, Cisco machine account password, SPN, dnsHostname)</P> </LI> </UL> </TD> <TD width="50%"> <P class="p">The machine account that communicates to the Active Directory connection requires the following permissions:</P> <UL id="reference_F19556CAD5C949B58DF89334E2C6255D__ul_sx3_w4c_qx" class="ul"> <LI id="reference_F19556CAD5C949B58DF89334E2C6255D__li_6B619A3339B2426AA28C6A7B242B20B4" class="li"> <P class="p">Change password</P> </LI> <LI id="reference_F19556CAD5C949B58DF89334E2C6255D__li_C9B2B4D3ADA040A9BA1ADC117BC3A767" class="li"> <P class="p">Read the user and machine objects corresponding to users and machines that are</P> </LI> <LI id="reference_F19556CAD5C949B58DF89334E2C6255D__li_F05564FE3CE341E8BA1888CB2BDFEA1C" class="li"> <P class="p">Query Active Directory to get information (for example, trusted domains, alternative UPN suffixes, and so on)</P> </LI> <LI id="reference_F19556CAD5C949B58DF89334E2C6255D__li_D797B560586242B0A74B6B8A041D8B9F" class="li"> <P class="p">Read the tokenGroups attribute</P> </LI> </UL> <P class="p">You can precreate the machine account in Active Directory. If the SAM name matches the Cisco appliance hostname, it is located during the join operation and re-used.</P> <P class="p">If there are multiple join operations, multiple machine accounts are maintained inside Cisco , one for each join.</P> </TD> </TR> </TBODY> </TABLE> <SECTION class="body refbody"> <SECTION id="reference_F19556CAD5C949B58DF89334E2C6255D__section_C9AEF96CC3EB4FE29575DEAE0FA74540" class="section"> <DIV class="tableContainer"> <P>&nbsp;&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> </DIV> </SECTION> </SECTION> Sat, 04 Dec 2021 22:54:11 GMT https://community.cisco.com/t5/network-access-control/joining-cisco-ise-node-with-rodc-active-directory-issue/m-p/4513218#M571449 thomas 2021-12-04T22:54:11Z