2482 Views, 25 Helpful, 10 Replies

AcsSyslogContentAaaDiagnostics:: ACTIVE_DIRECTORY_DIAGNOSTIC_TOOL_ISS

david.tran
Level 4

I am running ISE 3.0 patch-3.  You would think that Cisco would have fixed this bug by now. 

10 Replies

hslai
Cisco Employee

Not enough info. Please clarify.

The error is exactly what it said.  My AD is working fine.  I've seen this message in ISE 2.2, 2.6 and now ISE 3.0. 

Hi @david.tran,

Have you tried to run AD Diagnostic Tool manually? What results do you get there?

BR,

Milos

same problem.  I am seeing this issue in both ISE 2.6 patch 4 and ISE 3.0 patch 3. 


Test Name :DNS SRV record query
Description :Query for DNS SRV record using resolv.conf configuration and gethostbyaddr
Instance :CCIESEC
Status :Warning
Start Time :19:49:37 19.08.2021 UTC
End Time :19:49:37 19.08.2021 UTC
Duration :<1 sec
Result and Remedy...
SRV record found.Not all SRV records have IP, will need to run additional query for get IP.


Check Cisco bug database and see quite a bit about this issue.

This is not an ISE issue. ISE simply warns you that not all of your Domain Controllers have IP address defined in SRV record, and that it will have to perform recursive lookup.

Try running 'nslookup domain.example', and you'll see that you have entries defined there as DNS names. You'll have to fix this on your DNS level.

BR,
Milos

I perform "dig @x.x.x.x domain.example" and I have all of the DNS names defined.  It is definitely not a DNS issue.

You have them for sure, but some of them are defined with DNS names, not with IP addresses. For those, ISE will need to do another lookup, recursive one, and this is what this alarm is for - ISE warns you that some DNS records don't have IPs, and that it will need to do a recursive lookup.

As you already noted, everything continues to work, as either way ISE is able to resolve even those (it just has an extra step).

BR,

Milos

I am not sure I follow what you said.  All of my DNS records have IPs, for BOTH forward and recursive lookup.


If it tells me some DNS records don't have IPs, how do I know which one is missing?


Edit:  I took a capture of the tcpdump on port 53 on the ISE appliance and I see in the capture that all standard queries in both UDP and TCP are resolved by the DNS server with standard response, nothing is missing so everything is working; however, I am still seeing this alarm.
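One way to answer the question of which SRV target the warning refers to is to look at what the DNS server returns for the domain's SRV query: targets that appear in the ANSWER section but have no A/AAAA record for them in the ADDITIONAL section are the ones ISE has to resolve with a second lookup. The following script is an added example written for this thread, not code from ISE or from any poster; it parses the text output of `dig` (which the thread already uses) and lists those targets. The `dig` output embedded in it is constructed sample data, and the DC names, IP and domain `domain.example` are placeholders.

```python
"""List SRV targets in a dig response that have no A/AAAA record in the
ADDITIONAL section, i.e. the targets a resolver must query a second time.

Usage:  dig @DNS_SERVER _ldap._tcp.dc._msdcs.domain.example SRV | python srv_glue_check.py
Run with no stdin to parse the constructed sample below instead.
"""
import re
import sys

# Constructed sample dig output (not a real capture). Two DC SRV records are
# answered, but only dc1 has its address returned as an additional record.
SAMPLE_DIG_OUTPUT = """\
; <<>> DiG 9.16.1 <<>> @10.0.0.53 _ldap._tcp.dc._msdcs.domain.example SRV
;; QUESTION SECTION:
;_ldap._tcp.dc._msdcs.domain.example.    IN    SRV

;; ANSWER SECTION:
_ldap._tcp.dc._msdcs.domain.example. 600 IN SRV 0 100 389 dc1.domain.example.
_ldap._tcp.dc._msdcs.domain.example. 600 IN SRV 0 100 389 dc2.domain.example.

;; ADDITIONAL SECTION:
dc1.domain.example. 3600 IN A 10.0.0.11
"""

# dig marks each section with a line like ";; ANSWER SECTION:"
SECTION_RE = re.compile(r"^;;\s+(\w+)\s+SECTION:")


def _norm(name):
    """Normalise an owner/target name: drop the trailing dot, lower-case."""
    return name.rstrip(".").lower()


def parse_dig(text):
    """Parse dig text output.

    Returns (srv_targets, addresses):
      srv_targets: dict target -> list of (priority, weight, port) from ANSWER
      addresses:   dict owner  -> list of A/AAAA addresses from ADDITIONAL
    """
    section = None
    srv_targets = {}
    addresses = {}
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).upper()
            continue
        # Blank lines and ';'-prefixed lines (header, question, stats) carry no RRs.
        if not line.strip() or line.startswith(";"):
            continue
        fields = line.split()          # owner TTL class type rdata...
        if len(fields) < 5:
            continue
        owner, rtype = fields[0], fields[3].upper()
        if section == "ANSWER" and rtype == "SRV" and len(fields) >= 8:
            prio, weight, port, target = fields[4:8]
            srv_targets.setdefault(_norm(target), []).append(
                (int(prio), int(weight), int(port)))
        elif section == "ADDITIONAL" and rtype in ("A", "AAAA"):
            addresses.setdefault(_norm(owner), []).append(fields[4])
    return srv_targets, addresses


def targets_missing_address(text):
    """SRV targets (sorted) that the server did not resolve in the same response."""
    srv_targets, addresses = parse_dig(text)
    return sorted(t for t in srv_targets if t not in addresses)


if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DIG_OUTPUT
    missing = targets_missing_address(data)
    if missing:
        print("SRV targets without an A/AAAA record in the ADDITIONAL section:")
        for t in missing:
            print("  " + t)
    else:
        print("Every SRV target has an address in the ADDITIONAL section.")
```

Whether a server includes these additional records at all is optional on its side, and a response can also be trimmed to fit the transport, so an empty ADDITIONAL section means an extra round trip for the client rather than a broken record. That matches the thread's observation that resolution still succeeds while the diagnostic reports a warning.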


I managed to find details and a great explanation in this blog.

BR,

Milos

@Milos_Jovanovic:  This is an excellent find.  Thank you.


That being said, when I look at the tcpdump from the ISE appliance I am not seeing any additional RRs in the DNS query response from the DNS server to ISE, so I am not sure this even applies to ISE 3.0.  When I use the dig command as specified in the blog, I am not seeing any more additional SRV in the query response.


Took me half an hour to explain this issue to the Cisco TAC engineer and I think he finally gets it.  Will wait for TAC response.


Thanks again.