topic How to Join AD to multiple domains in Network Access Control

How to Join AD to multiple domains

llomjaria — Wed, 05 Jun 2024 08:17:10 GMT

Hello,

I have ISE 3.2 two node deployment. I have joined them to domain abc.com. ISE uses DNS servers of abc.com domain.

Now I want to join ISE nodes to another independent domain efg.com. I have created host aliases for efg.com pointing IP addresses of efg.com domain controller (ip host 192.168.1.2 efg.com). Ping to efg.com is successful but I am not able to join ISE.

I have started tcp dump on ISE and when I try to join to efg.com it does not send any traffic to efg.com.

This is the result of tests from ISE:

Am I missing something?

Re: How to Join AD to multiple domains

Arne Bier — Wed, 05 Jun 2024 20:13:59 GMT

I am not an AD expert, but if the other efg.com domain is not sharing/exchanging some of its DNS records with abc.com, then ISE (sitting on abc.com?) won't be able to resolve all the DNS records for efg.com (SRV records etc.).

Re: How to Join AD to multiple domains

llomjaria — Thu, 06 Jun 2024 11:11:23 GMT

These two domain controllers are independent of each other, they do NOT have any trust between them.

I want to know how to add second active directory in ISE. I could not find technical information about it.

Re: How to Join AD to multiple domains

Marvin Rhoads — Thu, 06 Jun 2024 12:29:14 GMT

You need configured DNS server(s) that able to resolve all of the second domain's records. Simply putting a host record for the domain controller will not suffice. Look, for example, at all the tests that run during an AD daily health check. Those should be able to pass for both domains.

Re: How to Join AD to multiple domains

ccieexpert — Sat, 08 Jun 2024 05:57:19 GMT

i have done it.. its just like defining the first one... but as Marvin says you need to have DNS resolve both domains..