Cannot join AD in ISE 2.4 | CLOCK_SKEW

bcotaz
Cisco Employee

Hi,

I'm trying to join my AD in ISE but getting an error.

ISE is at 2.4

AD is Microsoft Server 2016

Here is the complete error:

Result for ISE node: ise.securitydemo.net.

Status: Join Operation Failed: Clock skew detected with active directory server

Error Description: Clock Skew Detected With Active Directory Server

Support Details...

Error Name: LW_ERROR_CLOCK_SKEW

Error Code: 40087

Detailed Log:

08:53:12 Joining To Domain MXXXAKI.COM Using User Administrator

08:53:12   Searching For DC In Domain MXXXAKI.COM

08:53:12   Found DC: WIN-3CE3A93D7R1.mxxxaki.com , Client Site Is Default-First-Site-Name , Dc Site Is Default-First-Site-Name

08:53:12   Checking Credentials For User Administrator

08:53:12     Getting TGT For Account Administrator@MXXXAKI.COM

 

I've set up my AD as the NTP and DNS.

Here's a screen capture of show NTP in ISE.

I've also set Root Dispersion to zero already, please see attached.

Thank you,

Brian

Accepted Solutions

Closing out on this one. I was able to successfully integrate AD by manually adjusting ISE clock in the CLI using the command "clock set"

Surendra
Cisco Employee
Your ISE isn't in sync with your NTP server, as you can see that the selected time source is not your NTP server. Check if your NTP server is up and running. Are there any devices that are in sync with your NTP server? Check this if it helps: https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/119371-technote-ise-00.html

Hi Surendra,

I tried using Google NTP server already, but my current time source is still 127.127.1.0.
Any idea how to force the ISE NTP to my configured Google NTP server?
Screenshot below.

Thanks,
Brian

127.127.1.0 is always listed first.

 


Closing out on this one. I was able to successfully integrate AD by manually adjusting ISE clock in the CLI using the command "clock set"

Hello,

The time you put was with seconds?

Did it require a restart after the command?

Regards,

Konstantinos

An ISE service restart is recommended but not required. Yes, the command needs seconds specified. As long as the time differences are within 5 minutes, the AD join would usually work.

Nonetheless, I would suggest getting a good time source that is reachable within your infrastructure by AD, ISE, and others, and having all their clocks synchronized to it. This makes it easier to look at the logs if we need to troubleshoot anything.
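Added example, not part of any post in this thread and not Cisco code: a Python check for the symptom discussed above, where the selected time source (the `*` row) is the local clock 127.127.1.0 and the configured server is never reached. The peer tables are constructed samples in ntpq-style layout (an assumption about the output format), 192.0.2.10 is a placeholder server, and `measured_skew_s` is a hypothetical parameter for a skew the operator measured against the domain controller.

```python
# Added example. Peer tables below are constructed samples in ntpq-style layout.
LOCAL_CLOCK = "127.127."   # ntpd reference-clock pseudo-addresses (127.127.1.0 = local clock)
MAX_SKEW_S = 300           # the 5-minute tolerance quoted in the thread

HEADER = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
"""
BROKEN = HEADER + """\
*127.127.1.0     .LOCL.          10 l   50   64  377    0.000    0.000   0.000
 192.0.2.10      .INIT.          16 u    - 1024    0    0.000    0.000   0.000
"""
HEALTHY = HEADER + """\
 127.127.1.0     .LOCL.          10 l   12   64  377    0.000    0.000   0.000
*192.0.2.10      198.51.100.1     3 u   33   64  377    0.412   -1.207   0.095
"""

def parse_peers(text):
    """Return one dict per peer row; header, rule and status lines are skipped."""
    peers = []
    for line in text.splitlines():
        fields = line[1:].split()
        if line[:1] not in tuple(" *+-#ox.") or len(fields) != 10 or not fields[2].isdigit():
            continue
        peers.append({"tally": line[0], "remote": fields[0],
                      "reach": int(fields[6], 8),       # reach is an octal shift register
                      "offset_ms": float(fields[8])})
    return peers

def diagnose(text, measured_skew_s=None):
    """Flag the failure modes from the thread. measured_skew_s (hypothetical) is the
    ISE-vs-DC clock difference in seconds, measured separately by the operator."""
    peers, findings = parse_peers(text), []
    selected = [p for p in peers if p["tally"] == "*"]
    if not selected:
        findings.append("no_selected_source")
    elif selected[0]["remote"].startswith(LOCAL_CLOCK):
        # Offset 0.000 here is the clock compared with itself; it says nothing about AD.
        findings.append("synced_to_local_clock")
    for p in peers:
        if not p["remote"].startswith(LOCAL_CLOCK) and p["reach"] == 0:
            findings.append("unreachable:" + p["remote"])
    if measured_skew_s is not None and abs(measured_skew_s) > MAX_SKEW_S:
        findings.append("skew_exceeds_tolerance")
    return findings

if __name__ == "__main__":
    print(diagnose(BROKEN))
    print(diagnose(HEALTHY, measured_skew_s=-420))
```

A reach value of 0 on the configured server means no poll has been answered, so setting the clock by hand only hides the problem until the local clock drifts again.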
