topic Re: ISE cannot join Active directory in Network Access Control

ISE cannot join Active directory

eigrpy — Thu, 11 Feb 2021 05:01:40 GMT

ISE cannot join AD. I got below error messages. One of them mentions "Unreachable Server List:", its right. the dns ip address already changed. but I do not know where i can change the ip address in ISE accordingly. If this is case, can you show where to change the ip address in ISE? Thank you

Detailed Log:

Error Description :
Cannot retrieve TGT for account administrator@ABC.LOCAL , Invalid username or password

Error Resolution :
please check machine account : administrator@ABC.LOCAL password in dc DC3.ABC.local , this error might occur due to replication errors

Join steps :
23:36:35 Joining to domain ABC.LOCAL using user administrator
23:36:35 Searching for DC in domain ABC.LOCAL
23:36:35 Found DC: DC3.ABC.local , client site is Default-First-Site-Name , dc site is Default-First-Site-Name
23:36:35 Checking credentials for user administrator
23:36:35 Getting TGT for account administrator@ABC.LOCAL
23:36:36 Cannot retrieve TGT for account administrator@ABC.LOCAL , Invalid username or password

-------------------------------

Result And Remedy...
The Following Servers Could Not Be Reached, Please Check DNS And Network Configuration. Unreachable Server List:
10.0.10.200

---------------------------------

Test Name :Kerberos check SASL connectivity to AD
Description :Checks secure connectivity to AD (using SASL mechanism)
Instance :DC3
Status :Failed
Start Time :23:54:01 10.02.2021 EST
End Time :23:54:01 10.02.2021 EST
Duration :<1 sec
Result and Remedy...
Could not get Machine account info : Machine is not joined to AD. PBIS error code: NERR_SetupNotJoined. Check Kerberos configuration and network settings

Re: ISE cannot join Active directory

Dinesh Moudgil — Thu, 11 Feb 2021 06:55:57 GMT

Hi David,

Please make sure the AD join credentials are correct and clock is in sync between AD and ISE.

To change DNS server IP, you can use

ise/admin# config t
ise/admin(config)# ip name-server

To do manual mapping of AD IP to name, you may use the following

ise/admin# config t

ise/admin(config)# ip host 1.1.1.1 abc.cisco.com

Thank you,

Dinesh Moudgil

P.S. Please rate helpful posts.

Re: ISE cannot join Active directory

eigrpy — Thu, 11 Feb 2021 14:07:39 GMT

Thanks for your reply.

I want to change dns from 10.0.10.200 to 10.0.10.233, The below is how I did. Looks like I need to remove the original dns before adding new dns. so even I used the second command "no ip name-server 10.0.100.200", and restart, I still have the problem when I use the first command "ip name-server 10.0.10.233"

ISE2/admin(config)# ip name-server 10.0.10.233
% duplicate name-server found
ISE2/admin(config)# no ip name-server 10.0.10.200
DNS Server was modified. If you modified this setting for AD connectivity, you must restart ISE for the change to take effect. Also note for ISE connectivity to AD, ensure all configured DNS servers can resolve all relevant AD DNS records. If this is not the case and current AD join points may not resolve under new DNS settings then it is recommended to manually perform leave and rejoin.
Do you want to restart ISE now? (yes/no)

Re: ISE cannot join Active directory

eigrpy — Thu, 11 Feb 2021 14:31:24 GMT

I let the two dns working(DC1 is old and DC3 is new one). and the IES2 still cannot join. Please the below:

Error Description: Join failed, reached the maximum number of failover attempts

Support Details...
Error Name: LW_ERROR_JOIN_FAILED_REACHED_MAX_RETRIES
Error Code: 60113

Detailed Log:

Error Description :
Join to ABC.LOCAL failed : reached maximum number of failovers

Error Resolution :
Please check for domain controllers connectivity replication problems in domain ABC.LOCAL

Join steps :
09:19:27 Joining to domain ABC.LOCAL using user administrator
09:19:27 Searching for DC in domain ABC.LOCAL
09:19:27 Found DC: DC3.ABC.local , client site is Default-First-Site-Name , dc site is Default-First-Site-Name
09:19:27 Checking credentials for user administrator
09:19:27 Getting TGT for account administrator@ABC.LOCAL
09:19:27 TGT for account administrator@ABC.LOCAL was retrieved successfully
09:19:27 Credentials for user administrator were verified
09:19:27 Searching for DC in domain ABC.LOCAL
09:19:27 Found DC: DC3.ABC.local , client site is Default-First-Site-Name , dc site is Default-First-Site-Name
09:19:27 Generating account name for ISE machine in ABC.LOCAL
09:19:27 Searching for an existing machine account
09:19:27 Searching object by filter : (&(objectCategory=computer)(servicePrincipalName=host/ise2.ABC.local))
09:19:27 Account: ise2 was not found
09:19:27 Searching for an existing machine account
09:19:27 Searching object by filter : (&(objectClass=computer)(sAMAccountName=ISE2$))
09:19:27 Account: ISE2$ was found
09:19:27 ISE Machine account name is : ISE2$
09:19:27 Creating machine account ISE2$
09:19:27 Connecting to AD using DC DC3.ABC.local
09:19:27 Connection to DC3.ABC.local established
09:19:27 Opening domain ABC
09:19:27 Domain ABC was opened successfully
09:19:27 Creating machine account object ISE2$
09:19:27 Cannot Join with DC DC3.ABC.local , searching another DC to join with
09:19:27 Searching for DC in domain ABC.LOCAL
09:19:27 Found DC: DC1.ABC.local , client site is Default-First-Site-Name , dc site is Default-First-Site-Name
09:19:28 Cannot Join with DC DC1.ABC.local , searching another DC to join with
09:19:28 Searching for DC in domain ABC.LOCAL
09:19:28 Found DC: DC3.ABC.local , client site is Default-First-Site-Name , dc site is Default-First-Site-Name
09:19:28 Generating account name for ISE machine in ABC.LOCAL
09:19:28 Searching for an existing machine account
09:19:28 Searching object by filter : (&(objectCategory=computer)(servicePrincipalName=host/ise2.ABC.local))
09:19:28 Account: ise2 was not found
09:19:28 Searching for an existing machine account
09:19:28 Searching object by filter : (&(objectClass=computer)(sAMAccountName=ISE2$))
09:19:28 Account: ISE2$ was found
09:19:28 ISE Machine account name is : ISE2$
09:19:28 Creating machine account ISE2$
09:19:28 Connecting to AD using DC DC3.ABC.local
09:19:28 Connection to DC3.ABC.local established
09:19:28 Opening domain ABC
09:19:28 Domain ABC was opened successfully
09:19:28 Creating machine account object ISE2$
09:19:28 Cannot Join with DC DC3.ABC.local , searching another DC to join with
09:19:28 Searching for DC in domain ABC.LOCAL
09:19:28 Found DC: DC1.ABC.local , client site is Default-First-Site-Name , dc site is Default-First-Site-Name
09:19:28 Cannot Join with DC DC1.ABC.local , searching another DC to join with
09:19:28 Searching for DC in domain ABC.LOCAL
09:19:28 Found DC: DC3.ABC.local , client site is Default-First-Site-Name , dc site is Default-First-Site-Name
09:19:28 Generating account name for ISE machine in ABC.LOCAL
09:19:28 Searching for an existing machine account
09:19:28 Searching object by filter : (&(objectCategory=computer)(servicePrincipalName=host/ise2.ABC.local))
09:19:28 Account: ise2 was not found
09:19:28 Searching for an existing machine account
09:19:28 Searching object by filter : (&(objectClass=computer)(sAMAccountName=ISE2$))
09:19:28 Account: ISE2$ was found
09:19:28 ISE Machine account name is : ISE2$
09:19:28 Creating machine account ISE2$
09:19:28 Connecting to AD using DC DC3.ABC.local
09:19:28 Connection to DC3.ABC.local established
09:19:28 Opening domain ABC
09:19:28 Domain ABC was opened successfully
09:19:28 Creating machine account object ISE2$
09:19:28 Cannot Join with DC DC3.ABC.local , searching another DC to join with
09:19:28 Searching for DC in domain ABC.LOCAL
09:19:28 Found DC: DC1.ABC.local , client site is Default-First-Site-Name , dc site is Default-First-Site-Name
09:19:28 Cannot Join with DC DC1.ABC.local , searching another DC to join with
09:19:28 Searching for DC in domain ABC.LOCAL
09:19:28 Found DC: DC3.ABC.local , client site is Default-First-Site-Name , dc site is Default-First-Site-Name
09:19:28 Generating account name for ISE machine in ABC.LOCAL
09:19:28 Searching for an existing machine account
09:19:28 Searching object by filter : (&(objectCategory=computer)(servicePrincipalName=host/ise2.ABC.local))
09:19:28 Account: ise2 was not found
09:19:28 Searching for an existing machine account
09:19:28 Searching object by filter : (&(objectClass=computer)(sAMAccountName=ISE2$))
09:19:28 Account: ISE2$ was found
09:19:28 ISE Machine account name is : ISE2$
09:19:28 Creating machine account ISE2$
09:19:28 Connecting to AD using DC DC3.ABC.local
09:19:28 Connection to DC3.ABC.local established
09:19:28 Opening domain ABC
09:19:28 Domain ABC was opened successfully
09:19:28 Creating machine account object ISE2$
09:19:28 Cannot Join with DC DC3.ABC.local , searching another DC to join with
09:19:28 Searching for DC in domain ABC.LOCAL
09:19:28 Found DC: DC1.ABC.local , client site is Default-First-Site-Name , dc site is Default-First-Site-Name
09:19:28 Cannot Join with DC DC1.ABC.local , searching another DC to join with
09:19:28 Searching for DC in domain ABC.LOCAL
09:19:28 Found DC: DC3.ABC.local , client site is Default-First-Site-Name , dc site is Default-First-Site-Name
09:19:28 Generating account name for ISE machine in ABC.LOCAL
09:19:28 Searching for an existing machine account
09:19:28 Searching object by filter : (&(objectCategory=computer)(servicePrincipalName=host/ise2.ABC.local))
09:19:28 Account: ise2 was not found
09:19:28 Searching for an existing machine account
09:19:28 Searching object by filter : (&(objectClass=computer)(sAMAccountName=ISE2$))
09:19:28 Account: ISE2$ was found
09:19:28 ISE Machine account name is : ISE2$
09:19:28 Creating machine account ISE2$
09:19:28 Connecting to AD using DC DC3.ABC.local
09:19:28 Connection to DC3.ABC.local established
09:19:28 Opening domain ABC
09:19:28 Domain ABC was opened successfully
09:19:28 Creating machine account object ISE2$
09:19:28 Cannot Join with DC DC3.ABC.local , searching another DC to join with
09:19:28 Searching for DC in domain ABC.LOCAL
09:19:28 Found DC: DC1.ABC.local , client site is Default-First-Site-Name , dc site is Default-First-Site-Name
09:19:28 Cannot Join with DC DC1.ABC.local , searching another DC to join with
09:19:28 Join to ABC.LOCAL failed : reached maximum number of failovers

Re: ISE cannot join Active directory

Dinesh Moudgil — Thu, 11 Feb 2021 14:32:12 GMT

Can you please run "show run | in name-server" and check the exact servers configured ?

Negate that command that you see from the above output under configure terminal (skip the ISE restart this time) and then configure the command again i.e.

ip name-server 10.0.10.233

Re: ISE cannot join Active directory

eigrpy — Thu, 11 Feb 2021 15:19:12 GMT

ISE2/admin# show running-config | i name-server
ip name-server 10.0.10.233

Looks like ISE already use the new dns, but it still cannot join. I run test based on the Diagnostic Tool. Two of them failed: "Kerberos check SASL connectivity to AD"

and "Kerberos test obtaining join point TGT" the detail messages are as below respectively

"Could not get Machine account info : Machine is not joined to AD. PBIS error code: NERR_SetupNotJoined. Check Kerberos configuration and network settings"

"Could not get Machine account info : Machine is not joined to AD. PBIS error code: NERR_SetupNotJoined. Check Kerberos related AD configuration"

I found a link as below, it has the similar situation with me. I checked and did something based on the article, but still not resolve it

https://community.cisco.com/t5/network-access-control/kerberos-check-sasl-connectivity-to-ad/td-p/2785648

Re: ISE cannot join Active directory

Dinesh Moudgil — Thu, 11 Feb 2021 17:22:59 GMT

You might want to make sure you have correct DNS record created on AD for ISE.
Once done, make sure you are able to nslookup AD from ISE and vice versa.

You might not be able to join Cisco ISE with an Active Directory domain if the DNS SRV records are missing (the domain controllers are not advertising their SRV records for the domain that you are trying to join to).

Please review this doc to make sure you have the prerequisites: https://www.cisco.com/c/en/us/td/docs/security/ise/2-0/ise_active_directory_integration/b_ISE_AD_integration_2x.html

If that doesn't help,please put the following components on trace and debug respectively

1. active Directory on trace
2. identity-store-AD on debug

Path for this System > Logging > Debug log configuration > Choose ISE Node >

Run the following commands on ISE CLI

terminal length 0
show logging application ad_agent.log tail

and attempt to join the AD again.

Re: ISE cannot join Active directory

eigrpy — Sun, 14 Feb 2021 18:01:39 GMT

Its server issue. Once replacing the server, it can work well. Thank you!

Re: ISE cannot join Active directory

Dinesh Moudgil — Mon, 15 Feb 2021 05:52:59 GMT

Glad to hear, David!

Re: ISE cannot join Active directory

dgaikwad — Thu, 06 Oct 2022 07:25:14 GMT

Hey @eigrpy,
I am facing this same error in my environment.
Could you please share the issue that server had and resolution join ISE back in AD?

Re: ISE cannot join Active directory

vishnuvardhan-gollapudi — Tue, 27 May 2025 06:14:59 GMT

Hi also having the same issue, can you explain how you resolved that error