Contributor

ISE - External Identity Sources - Active Directory - Joining Servers To Domain

Easy question. After ISE joins the domain, all of the ISE servers (Admin, Monitor, and Policy Nodes) are located in the Computers OU.  Can we move these ISE servers to a different OU? Is there documentation stating it is ok, or a recommendation to move these to a different OU?

Accepted Solution
VIP Advocate

Re: ISE - External Identity Sources - Active Directory - Joining Servers To Domain

One way to avoid this is to use the following option during join, from the AD join documentation.

Step 7 - (Optional) Check the Specify Organizational Unit checkbox.
You should check this checkbox in case the Cisco ISE node machine account is to be located in a specific Organizational Unit other than CN=Computers,DC=someDomain,DC=someTLD. Cisco ISE creates the machine account under the specified organizational unit or moves it to this location if the machine account already exists. If the organizational unit is not specified, Cisco ISE uses the default location. The value should be specified in full distinguished name (DN) format. The syntax must conform to the Microsoft guidelines. Special reserved characters, such as /'+,;=<> line feed, space, and carriage return must be escaped by a backslash (\). For example, OU=Cisco ISE\,US,OU=IT Servers,OU=Servers\, and Workstations,DC=someDomain,DC=someTLD. If the machine account is already created, you need not check this checkbox. You can also change the location of the machine account after you join to the Active Directory domain.

[Screenshot: Capture.JPG]

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_01110.html?bookSearch=true#ID612

Now as for moving the machines after the fact, no issue. I can't find it in the documentation, but I did just try it in the lab. No issues moving it after joining or with restarting the AD connector; all the lookups I performed passed fine. Another option, if it makes you feel better about it: you can create machine accounts in the OU you want prior to joining ISE to AD. E.g., manually create machine accounts in a server OU, join AD, and ISE leaves them where they were created.
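
As an added example (not code from this thread or from Cisco), the following Python helper builds the distinguished name that goes into the Specify Organizational Unit field from its OU names, escaping reserved characters with a backslash as the quoted guide describes, and parses a DN back into its parts so the value can be checked before the join. Function names and the domain value are my own assumptions; the OU path is the one from the quoted example, and the escaping rules follow RFC 4514 plus the extra characters the guide lists.

```python
"""Added example: build and check the OU DN for ISE's "Specify Organizational
Unit" field. Escaping follows RFC 4514 (what Active Directory's LDAP interface
expects), extended with the extra characters the Cisco guide lists (/ ' =),
which AD also accepts when backslash-escaped. All names below are constructed.
"""
import string
from typing import List, Tuple

# Reserved characters escaped anywhere in an RDN value: RFC 4514 specials
# plus the ones the Cisco guide lists.
RESERVED = set(',+"\\<>;/\'=')


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value so it can be embedded in a DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in RESERVED:
            out.append('\\' + ch)
        elif ch == '#' and i == 0:           # '#' is only special when leading
            out.append('\\#')
        elif ch == ' ' and i in (0, last):   # only leading/trailing spaces
            out.append('\\ ')
        elif ch in ('\r', '\n', '\x00'):     # control chars: hex-pair escape
            out.append('\\%02x' % ord(ch))
        else:
            out.append(ch)
    return ''.join(out)


def build_ou_dn(ous: List[str], domain: str) -> str:
    """ous: OU names innermost first (left-to-right order in the DN);
    domain: DNS name of the AD domain, e.g. 'someDomain.someTLD' (assumed)."""
    rdns = ['OU=' + escape_rdn_value(ou) for ou in ous]
    rdns += ['DC=' + escape_rdn_value(label) for label in domain.split('.')]
    return ','.join(rdns)


def default_machine_container(domain: str) -> str:
    """Where the machine account lands when no OU is specified."""
    dcs = ','.join('DC=' + escape_rdn_value(l) for l in domain.split('.'))
    return 'CN=Computers,' + dcs


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, unescaped value) pairs, honouring backslash
    escapes, so a hand-typed DN can be verified before pasting it into ISE."""
    parts: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == '\\' and i + 1 < len(dn):
            pair = dn[i + 1:i + 3]
            if len(pair) == 2 and all(c in string.hexdigits for c in pair):
                buf.append(chr(int(pair, 16)))   # \XX hex escape
                i += 3
            else:
                buf.append(dn[i + 1])            # \<char> literal escape
                i += 2
            continue
        if ch == ',':                            # unescaped comma ends the RDN
            parts.append(''.join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append(''.join(buf))
    pairs = []
    for part in parts:
        attr, sep, val = part.partition('=')
        if not sep or not attr.strip():
            raise ValueError('malformed RDN: %r' % part)
        pairs.append((attr.strip(), val))
    return pairs


if __name__ == '__main__':
    # The OU path from the quoted Cisco example, rebuilt from its parts.
    dn = build_ou_dn(['Cisco ISE,US', 'IT Servers', 'Servers, and Workstations'],
                     'someDomain.someTLD')
    print(dn)
    print(parse_dn(dn))
    print(default_machine_container('someDomain.someTLD'))
```

Rebuilding the quoted path this way reproduces the guide's string exactly (OU=Cisco ISE\,US,OU=IT Servers,OU=Servers\, and Workstations,DC=someDomain,DC=someTLD): the commas inside OU names are escaped, while the interior spaces are not, which is consistent with the guide's own example even though its prose lists "space" among the reserved characters; only leading or trailing spaces need escaping.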

Contributor

Re: ISE - External Identity Sources - Active Directory - Joining Servers To Domain

Very precise and thorough answer. I really appreciate your time.