Showing results for 
Search instead for 
Did you mean: 
Register for the monthly ISE Webinars to learn about ISE configuration and deployment.
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.


ISE domain for distributed deployment

Deploying multiple PSN's with a distributed deployment, do all the PSN's have to be in the same domain? I have 6 set up in one domain, and would like to run a few more through firewalls and using a different dns domain.

Also interested to see how AD integration works with this. I'd still expect to join the nodes to the common AD domain. Would they be able to join an AD domain which isn't linked with their FQDN?

I'm hoping that running the other policy nodes on an external domain, I can use a standard CSR for the external public certs.

All comments, suggestions, spoliers welcomed!

Everyone's tags (5)

Re: ISE domain for distributed deployment

To explain my poor wording, I'm looking to connect all nodes to the same AD domain, but some of them sit in a different DNS domain. Warping my mind trying to figure out if it's a problem

Cisco Employee

Re: ISE domain for distributed deployment

The DNS domains of the ISE nodes may differ from that of the AD domain.

For example, we may have an ISE node with FQDN and join it to an AD domain demo.local. Therefore, we could have ISE nodes with different DNS domains all join to the same AD domain. The main requirement is that the DNS servers configured in the ISE node need to be able to resolve all the records for the AD domains.

Please take a look at

What's new in ISE Active Directory connector - BRKSEC-2132 in On-Demand Library - Cisco Live Global Events


Active Directory Integration with Cisco ISE 2.x - Cisco