topic Re: Nodes and external AD are in different domain in Network Access Control

Nodes and external AD are in different domain

dgaikwad — Thu, 06 Oct 2022 08:06:25 GMT

Hi Experts,
Issue:
ISE nodes in deployment are in .com domain while AD integration has been done with .net domain.
Now, there is this one node that was re-imaged is no long able to join AD domain again.
The logs are throwing the following errors: 40022, 31 and while joining, error 60113.

Could anyone assist me understand why these are errors...

Re: Nodes and external AD are in different domain

Aref Alsouqi — Thu, 06 Oct 2022 08:26:39 GMT

Assuming all DNS records are still created for this node, including the reverse DNS record, did you try to remove the computer object of that node from AD and try again?

Re: Nodes and external AD are in different domain

dgaikwad — Thu, 06 Oct 2022 08:57:41 GMT

Yes, the AD object has been removed, but still the errors persists.
While I did try to do a nslookup from .net domain, was able to resolve the DNS and AD servers fine.

Re: Nodes and external AD are in different domain

Aref Alsouqi — Thu, 06 Oct 2022 09:16:46 GMT

Can you please share the screenshot of the error for review? Also, when you run these commands, do you see the resolution happening as expected:

nslookup _ldap._tcp.dc._msdcs.<your-domain-name> querytype SRV
nslookup _ldap._tcp.gc._msdcs.<your-domain-name> querytype SRV

Re: Nodes and external AD are in different domain

dgaikwad — Fri, 07 Oct 2022 07:50:11 GMT

@Aref Alsouqi
Was able to capture the following output of the commands:

<Node_with_Issue># nslookup _ldap._tcp.gc._msdcs.<ISE_node_domain> querytype SRV
Trying "_ldap._tcp.gc._msdcs.<ISE_node_domain>"
Received 119 bytes from <DNS_Server>#53 in 1 ms
Trying "_ldap._tcp.gc._msdcs.<ISE_node_domain>.<ISE_node_domain>"
Host _ldap._tcp.gc._msdcs.<ISE_node_domain> not found: 3(NXDOMAIN)
Received 133 bytes from <DNS_Server>#53 in 1 ms

<Node_with_Issue># nslookup _ldap._tcp.dc._msdcs.<ISE_node_domain> querytype SRV
Trying "_ldap._tcp.dc._msdcs.<ISE_node_domain>"
Received 119 bytes from <DNS_Server>#53 in 1 ms
Trying "_ldap._tcp.dc._msdcs.<ISE_node_domain>.<ISE_node_domain>"
Host _ldap._tcp.dc._msdcs.<ISE_node_domain> not found: 3(NXDOMAIN)
Received 133 bytes from <DNS_Server>#53 in 1 ms

<Node_with_Issue># nslookup _ldap._tcp.dc._msdcs.<AD_Domain> querytype SRV
Trying "_ldap._tcp.dc._msdcs.<AD_Domain>"
;; Truncated, retrying in TCP mode.
Trying "_ldap._tcp.dc._msdcs.<AD_Domain>"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20412
;; flags: qr rd ra; QUERY: 1, ANSWER: 49, AUTHORITY: 0, ADDITIONAL: 0

<Node_with_Issue># nslookup _ldap._tcp.gc._msdcs.<AD_Domain> querytype SRV
Trying "_ldap._tcp.gc._msdcs.<AD_Domain>"
;; Truncated, retrying in TCP mode.
Trying "_ldap._tcp.gc._msdcs.<AD_Domain>"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40003
;; flags: qr rd ra; QUERY: 1, ANSWER: 47, AUTHORITY: 0, ADDITIONAL: 0

So there is a response from the domain where the nodes are being joined and failing.
This is error reported while adding back node

Re: Nodes and external AD are in different domain

Aref Alsouqi — Fri, 07 Oct 2022 09:22:01 GMT

It looks like the DNS SRV entries are not created for this ISE node that you are trying to join, and this is why it is failing imo, or, this ISE node is not configured with the right DNS servers.