Cannot join ISE to Acive Directory(Cannot Join with DC)

aquku — Thu, 27 Apr 2023 10:41:03 GMT

I am trying to add ISE(version 2.6) to Active Directory(WS 2019) with domain administrator credentials. The user has domain groups admin and domain user I get the response:

Error Description: Join failed, reached the maximum number of failover attempts

Support Details...
Error Name: LW_ERROR_JOIN_FAILED_REACHED_MAX_RETRIES
Error Code: 60113

Detailed Log:

Error Description :
Join to EXAMPLE.COM failed : reached maximum number of failovers

Error Resolution :
Please check for domain controllers connectivity replication problems in domain EXAMPLE.COM

Join steps :
10:48:21 Joining to domain EXAMPLE.COM using user domain_admin
10:48:21 Searching for DC in domain EXAMPLE.COM
10:48:21 Found DC: DC.example.com , client site is Default-First-Site-Name , dc site is Default-First-Site-Name
10:48:21 Checking credentials for user domain_admin
10:48:21 Getting TGT for account domain_admin@EXAMPLE.COM
10:48:21 TGT for account domain_admin@EXAMPLE.COM was retrieved successfully
10:48:21 Credentials for user domain_admin were verified
10:48:21 Searching for DC in domain EXAMPLE.COM
10:48:21 Found DC: DC.example.com , client site is Default-First-Site-Name , dc site is Default-First-Site-Name
10:16:13 Joining to domain EXAMPLE.COM using user domain_admin
10:16:13 Searching for DC in domain EXAMPLE.COM
10:16:13 Found DC: DC.example.com , client site is Default-First-Site-Name , dc site is Default-First-Site-Name
10:16:13 Checking credentials for user domain_admin
10:16:13 Getting TGT for account domain_admin@EXAMPLE.COM
10:16:13 TGT for account domain_admin@EXAMPLE.COM was retrieved successfully
10:16:13 Credentials for user domain_admin were verified
10:16:13 Searching for DC in domain EXAMPLE.COM
10:16:13 Found DC: DC.example.com , client site is Default-First-Site-Name , dc site is Default-First-Site-Name
10:16:13 Cannot Join with DC DC.example.com , searching another DC to join with
10:16:13 Searching for DC in domain EXAMPLE.COM
10:16:13 Found DC: DC.example.com , client site is Default-First-Site-Name , dc site is Default-First-Site-Name
10:16:13 Cannot Join with DC DC.example.com , searching another DC to join with
10:16:13 Searching for DC in domain EXAMPLE.COM
10:16:13 Found DC: DC2.example.com , client site is Default-First-Site-Name , dc site is Default-First-Site-Name
10:16:13 Cannot Join with DC DC2.example.com , searching another DC to join with
10:16:13 Searching for DC in domain EXAMPLE.COM
10:16:13 Found DC: DC2.example.com , client site is Default-First-Site-Name , dc site is Default-First-Site-Name
10:16:13 Cannot Join with DC DC2.example.com , searching another DC to join with
10:16:13 Searching for DC in domain EXAMPLE.COM
10:16:13 Found DC: DC.example.com , client site is Default-First-Site-Name , dc site is Default-First-Site-Name
10:16:13 Cannot Join with DC DC.example.com , searching another DC to join with
10:16:13 Searching for DC in domain EXAMPLE.COM
10:16:13 Found DC: DC.example.com , client site is Default-First-Site-Name , dc site is Default-First-Site-Name
10:16:13 Cannot Join with DC DC.example.com , searching another DC to join with
10:16:13 Searching for DC in domain EXAMPLE.COM
10:16:13 Found DC: DC2.example.com , client site is Default-First-Site-Name , dc site is Default-First-Site-Name
10:16:13 Cannot Join with DC DC2.example.com , searching another DC to join with
10:16:13 Searching for DC in domain EXAMPLE.COM
10:16:13 Found DC: DC2.example.com , client site is Default-First-Site-Name , dc site is Default-First-Site-Name
10:16:13 Cannot Join with DC DC2.example.com , searching another DC to join with
10:16:13 Searching for DC in domain EXAMPLE.COM
10:16:13 Found DC: DC.example.com , client site is Default-First-Site-Name , dc site is Default-First-Site-Name
10:16:13 Cannot Join with DC DC.example.com , searching another DC to join with
10:16:13 Searching for DC in domain EXAMPLE.COM

DNS and NTP servers have been configured to ISE, ISE ping the domain, nslookup also sees the domain. I also added an entry in the ISE domain DNS.
I think the problem lies in : Cannot Join with DC DC.example.com.

But I don't know what the problem is or if any of you have encountered the problem.

Re: Cannot join ISE to Acive Directory(Cannot Join with DC)

Mark Elsen — Thu, 27 Apr 2023 12:26:31 GMT

- Checkout : https://community.cisco.com/t5/network-security/ise-cannot-join-active-directory/m-p/4290258#M1078414

Re: Cannot join ISE to Acive Directory(Cannot Join with DC)

thomas — Sun, 07 May 2023 17:24:09 GMT

Hopefully you are not actually using dc.example.com since that is not real.

It is good you can ping the domain but maybe other protocols (LDAP, Kerberos) are filtered by a firewall between ISE and your AD?

I suggest calling TAC for troubleshooting at this point.

topic Re: Cannot join ISE to Acive Directory(Cannot Join with DC) in Network Access Control

Cannot join ISE to Acive Directory(Cannot Join with DC)

Re: Cannot join ISE to Acive Directory(Cannot Join with DC)

Re: Cannot join ISE to Acive Directory(Cannot Join with DC)