Showing results for 
Search instead for 
Did you mean: 

CSCuy89909 - ISE Taking The Wrong Information From AD Query


I am mainly Active Directory / Server support professional.  What I have noticed with this specific bug is how PDC holding AD server is affected by the Psuedo authentication request. As you might know, the PDC role is a shared service by the AD member Domain Controller when it comes to SamLogon both for users and computer objects.  

The ISE initiated logon request seems to have a domino effect with the SamLogon requests are being sent to the PDC role holding domain controller.  


Looking at configuration options from the ISE side, the manner in which member domains are selected by ISE does not seem to have filtering options - as in deselecting particular role holding DCs from being utilized for the SamLogon: Network Logon process.


Since it is very simple to find out which DC in the forest is holding the PDC role, why not come up with a selection process so that DCs holding PDC / RID roles are excluded?  


This bug is causing service outage regulary and to work around it, I came up with a simple script that would detect debug (see attached) entries for ISE server and depending on the average Semaphore Acquires (more than 10K) - I simply do NetLogon service reset.  If the affected DC is PDC, I move the role to server that is not selected by ISE (which happens very randomly).


This seems like a simple update in some subroutine of the given application to exclude PDC / RID holding DCs to be excluded from ISE random affinity to any DC in a given forest.    

0 Replies 0
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers