topic Re: ISE deployment with 2 different Active Directory servers in Network Access Control

ISE deployment with 2 different Active Directory servers

victor-hugo — Wed, 22 Jan 2025 16:00:38 GMT

Hello all,

I am running ISE v3.1.0 with 2 nodes as PAN/PSN/MnT.
I need for second node to connect with different Active Directory Server in other subnet.
I've try with second node to Leave domain, but when I Join again is connecting to the same AD server as primary node.
In tab 'PassiveID' there is AD server that I want to connect to.
In CLI on second node I've setup new AD servers:
'ip name-server AD1newIPaddress AD2newIPaddress'
Reboot the ISE node, try to join domain again - did not work.
How this can be done?
Any ideas what I can try?

Re: ISE deployment with 2 different Active Directory servers

ccieexpert — Wed, 22 Jan 2025 20:52:06 GMT

if they are part of a single cluster, then the config is shared.. so all nodes will have the same AD and other configuraiton parameters.

You can add a 2nd AD domain to the cluster, and have a identity source sequence to authenticate with both AD servers, or authentication policy can use one AD join point for some devices/other criteria and 2nd AD join point for other NAS/criteria.. what is your use case ?

Re: ISE deployment with 2 different Active Directory servers

victor-hugo — Fri, 24 Jan 2025 11:48:47 GMT

I have single cluster.
I want migrate AD server. I want to second ISE node use only different AD server. Then shutdown primary ISE node and promote secondary as primary with new AD server.
Should I setup nodes as standalone to be able to do it?

Re: ISE deployment with 2 different Active Directory servers

Marcelo Morais — Fri, 24 Jan 2025 14:25:02 GMT

Hi @victor-hugo ,

as @ccieexpert already said, you are able to:

In Administration > Identity Management > External Identity Sources > Active Directory > Add the new Joint Point (Active Directory):

In Administration > Identity Management > Identity Source Sequences > select the Join Points (both Active Directory) to the Authentication Search List:

After that in Policy > Policy Sets > you should select the new Identity Source Sequence in your Authentication Policy:

Hope this helps !!!

Re: ISE deployment with 2 different Active Directory servers

ccieexpert — Sat, 25 Jan 2025 00:50:54 GMT

It is not clear what you are trying to do exactly other than migrate AD server... but if you want to different AD server for each ISE, then it is best to keep them standalone. If you just need to sync the database (like NAS and policies etc), you can make them a cluster and sync from primary to secondary ,and then make them standalone after that, or you can take a backup from one device and restore on the other. Ofcourse, on the 2nd ISE BOX, you have to delete the first AD join point, and add the 2nd AD join point only... does that help ?

Re: ISE deployment with 2 different Active Directory servers

Aref Alsouqi — Sat, 25 Jan 2025 15:04:27 GMT

I don't believe you can manage that unless you break ISE cluster into two standalone servers. The command "ip name-server" is just to define the DNS servers on ISE, however, it does decide which AD server will be elected as the primary from ISE perspective. I'm assuming that all the old and the new AD servers are in the same forest, if so, then nothing should happen when you migrate to the new AD and you shutdown the old one. For instance, you can keep working on your AD migration without thouching anything on ISE, and once you finish the migration and the old AD servers are decommisioned, ISE will then find its way to the new AD servers.

Re: ISE deployment with 2 different Active Directory servers

victor-hugo — Mon, 27 Jan 2025 08:39:12 GMT

Hey all, thanks for your help. I am new to ISE, so please understand my lack of experience.
For now I just want to have ISE with 2 different AD server to tested.
End goal here is that old ADs will be shutdown as we moving to new data center with new AD servers.
ISE 'see' new AD servers in Administration > Identity Management > External Identity Sources > Active Directory > PassiveID

If old ADs will be shutdown, will ISE automatically switch to AD servers that are available - the once form PassiveID list?

Thank you all for your input.

Re: ISE deployment with 2 different Active Directory servers

Aref Alsouqi — Mon, 27 Jan 2025 14:15:30 GMT

That will be what I expect. In fact when we join ISE to the domain we don't specify the individual AD servers, we just use the domain and then through DNS ISE finds all the involved domain controllers.

I think you can use one of the following commands on ISE CLI to get an idea of what ISE sees in terms of the AD servers in the background:

nslookup _ldap._tcp.dc._msdcs.< your-domain-name > querytype SRV
nslookup _ldap._tcp.gc._msdcs.< your-domain-name > querytype SRV

Re: ISE deployment with 2 different Active Directory servers

victor-hugo — Mon, 27 Jan 2025 15:52:00 GMT

@Aref thanks for your help.
From ISE CLI I get new AD server IP.
Once again thank you all for your help here.

Re: ISE deployment with 2 different Active Directory servers

Aref Alsouqi — Tue, 28 Jan 2025 09:09:16 GMT

You are very welcome, Victor.