Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
415
Views
0
Helpful
4
Replies

AD automatically unjoin after a network change

cheungchunyu
Level 1
Level 1

‎11-30-2016 09:46 PM - edited ‎03-11-2019 12:15 AM

Hello,

I discover that,some of our client do some network change(affect the connectivity between AD and ACS/ISE),Then ACS/ISE will unjoin AD automatically.We need to rejoin the AD again.

I would like to know that what is reason, ACS/ISE will unjoin the AD .

Any retry timer?

How long will unjoin the AD automatically,if the ACS/ISE cannot reach the AD

Duncan

Labels:
0 Helpful
4 Replies 4

nspasov
Cisco Employee
Cisco Employee

‎12-07-2016 06:19 PM

Hello Duncan-

What type of network changes are you referring to? Also, are the nodes showing as "Disconnected" or completely "Disjoined" from the domain?

You may see this behavior if the communication between the AAA servers and your DCs is unavailable for an extended period of time. However, I have had one of my ISE nodes offline for several days and as soon as it comes back online it gets-reconnected to the domain. 

Also, have you confirmed with your systems team that nobody is deleting/moving the ISE/ACS computer objects? :)

Thank you for rating helpful posts!

0 Helpful

cheungchunyu
Level 1
Level 1
In response to nspasov

‎12-07-2016 07:20 PM

What type of network changes are you referring to? Also, are the nodes showing as "Disconnected" or completely "Disjoined" from the domain?

I didn't remember the status at this moment.But I need to rejoin the AD to resume the services.

As you said" You may see this behavior if the communication between the AAA servers and your DCs is unavailable for an extended period of time.." I want to know the exactly the maximum value of the time period before the ACS unjoin or disconnect to AD.As the customer always ask this question.

You mention your case it is shutdown the ISE node,It is different from my case.In my case all the ACS/ISE/AD is alive,but the ACS/ISE cannot reach the AD only.(firewall change / switch/router maint window)

I can sure they type of case is often happen,so I believe that it is not related to deleting/moving the ACS/ISE computer object.(I know this will affect the ACS joining AD status,but it is not a one customer report to me.)

I am opened a case to cisco and the question is passed to BU(dev team),But I am still waiting the official answer from cisco.

Anyway,thank you for your share.

 

0 Helpful

nspasov
Cisco Employee
Cisco Employee
In response to cheungchunyu

‎12-17-2016 01:02 PM

Were you able to resolve this and did you hear back from TAC?

0 Helpful

cheungchunyu
Level 1
Level 1
In response to nspasov

‎12-17-2016 03:22 PM

Hello,

I am still waiting the tac reply.

He will resume to work at 19 Dec.

Hope I can get the answer shortly.

Duncan

0 Helpful
Customers Also Viewed These Support Documents