https://community.cisco.com/t5/network-access-control/ise-in-aws-active-directory-diagnostic-tool-test/m-p/4516403#M571580 <P>It should be using whichever DNS servers you have configured when you provisioned it.</P> <P>You will need to SSH with your AWS private key to see the DNS server configuration with a `show run`.</P> Fri, 10 Dec 2021 03:56:28 GMT thomas 2021-12-10T03:56:28Z https://community.cisco.com/t5/network-access-control/ise-in-aws-active-directory-diagnostic-tool-test/m-p/4513898#M571478 <P>I have just added a our first AWS instance to you our ISE Deployment and when I join it to the Active Directory domain the following tests are failing/showing a warning:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Failed AD Diagnostic Tests.png" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/138764i58BB956A630546F1/image-size/large?v=v2&amp;px=999" role="button" title="Failed AD Diagnostic Tests.png" alt="Failed AD Diagnostic Tests.png" /></span></P><P>The same tests on the physical appliances work.</P><P>On the AWS node an nslookup for&nbsp;<SPAN>_ldap._tcp.dc._msdcs for the SRV records for domain is working.</SPAN></P><P>&nbsp;</P><P><SPAN>Any ideas?</SPAN></P> Mon, 06 Dec 2021 13:29:21 GMT https://community.cisco.com/t5/network-access-control/ise-in-aws-active-directory-diagnostic-tool-test/m-p/4513898#M571478 pinglis 2021-12-06T13:29:21Z https://community.cisco.com/t5/network-access-control/ise-in-aws-active-directory-diagnostic-tool-test/m-p/4513928#M571479 <P>The physical appliances are not in AWS.</P> <P>Security Groups?</P> <P>Network ACLs?</P> <P>VPN firewall?</P> <P>Other firewall?</P> <P>See <A href="https://www.cisco.com/c/en/us/td/docs/security/ise/3-1/install_guide/b_ise_InstallationGuide31/b_ise_InstallationGuide31_chapter_7.html#ID-1420-00000011" target="_blank">Cisco ISE Administration Node Ports</A></P> Mon, 06 Dec 2021 14:48:48 GMT https://community.cisco.com/t5/network-access-control/ise-in-aws-active-directory-diagnostic-tool-test/m-p/4513928#M571479 thomas 2021-12-06T14:48:48Z https://community.cisco.com/t5/network-access-control/ise-in-aws-active-directory-diagnostic-tool-test/m-p/4513953#M571480 <P>There may be some firewall rules/ACLs but I am unclear which DNS server the ISE node is using for the tests As I said nslookup from node cli itself seems to be working but I know this DNS server is a layer below the application itself. Could the ISE application be picking up a different DNS server?</P> Mon, 06 Dec 2021 15:25:20 GMT https://community.cisco.com/t5/network-access-control/ise-in-aws-active-directory-diagnostic-tool-test/m-p/4513953#M571480 pinglis 2021-12-06T15:25:20Z https://community.cisco.com/t5/network-access-control/ise-in-aws-active-directory-diagnostic-tool-test/m-p/4516403#M571580 <P>It should be using whichever DNS servers you have configured when you provisioned it.</P> <P>You will need to SSH with your AWS private key to see the DNS server configuration with a `show run`.</P> Fri, 10 Dec 2021 03:56:28 GMT https://community.cisco.com/t5/network-access-control/ise-in-aws-active-directory-diagnostic-tool-test/m-p/4516403#M571580 thomas 2021-12-10T03:56:28Z https://community.cisco.com/t5/network-access-control/ise-in-aws-active-directory-diagnostic-tool-test/m-p/4516595#M571595 <P>The problem appears to be with the AWS based DNS server. Switching to on premise DNS servers resolves the issue.&nbsp;</P><P>I m getting our DNS team to check the differences.</P> Fri, 10 Dec 2021 10:05:40 GMT https://community.cisco.com/t5/network-access-control/ise-in-aws-active-directory-diagnostic-tool-test/m-p/4516595#M571595 pinglis 2021-12-10T10:05:40Z