topic Re: Adding domain controler to AD domain and ISE behaviour in Network Access Control

Adding domain controler to AD domain and ISE behaviour

REJR77 — Thu, 23 Mar 2023 11:09:26 GMT

Hi,

We already have an ISE deployment connected to an AD domain with 2 DC

We are going to add new Domain Controller to the Domain (and remove the old ones later) and would like to know if we need to change things on ISE or if it is transparent since ISE are already joined

REgards

Re: Adding domain controler to AD domain and ISE behaviour

Rodrigo Diaz — Thu, 23 Mar 2023 14:38:27 GMT

Hi @REJR77 , as you are going to remove the 2DC from where ISE has created a join, you will have to remove them from the ISE itself as the ISE will continue attempting to query those although they are not longer there ( ISE will not be aware of the changes done within the 2 DC) , once you remove them you will have to add the new DC that you are going to implement as replacement , to review more about the ISE-AD operations you can refer to https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/ise_active_directory_integration/b_ISE_AD_integration_2x.html

Let me know if that helped you .

Re: Adding domain controler to AD domain and ISE behaviour

REJR77 — Thu, 23 Mar 2023 15:23:38 GMT

Hi @Rodrigo Diaz

From what I understand ISE detects domain controllers with DNS requests. Therefore we can not specify on which DC it will connect to join. Am I wrong?

The use case I am referring to is not clearly detailed in the documentation.HHow can we ask ISE to connect to the new servers since everything looks "automatic" ?

Thanks for clarification

Re: Adding domain controler to AD domain and ISE behaviour

Christopher Bell — Thu, 23 Mar 2023 17:48:20 GMT

Add the new DC then reboot each of the two older DCs one at a time until ISE picks up the new one. I'm pretty sure it will find it but I would test before you decom the old ones. You can see what DC ISE is attached to Administration --> External Identity Sources --> Active Directory --> and then click your deployment. There will be a "Domain Controller" column that lists the DC each node is attached to. ISE is built to join the domain like any computer or server, not to a specific domain controller so I would be surprised if you have to do anything other than making sure you are attached to new one before killing the old ones.

Re: Adding domain controler to AD domain and ISE behaviour

Greg Gibbs — Thu, 23 Mar 2023 21:50:25 GMT

Like other computers and member servers in Active Directory, ISE learns which Domain Controller it should communicate with from AD Sites and Services. You would need to ensure that the subnet used by ISE is associated with the appropriate Site and DC and ISE will automatically learn this information.