Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2334
Views
0
Helpful
3
Replies

AD Operational/Not Operational

Go to solution
mick5kull
Cisco Employee
Cisco Employee

‎09-04-2018 11:41 PM

Hi experts,

 

Does ISE automatically leave from Active Directory domain and re-join during reboot if it is already joined?

Does ISE periodically communicate with Active Directory DC after it joined to a domain?

 

I read "Active Directory Integration with Cisco ISE 2.x" below but it only describe behavior on application reset or configuration restore.

 

'When you reset the Cisco ISE application configuration from the command-line interface or restore configuration after a backup or upgrade, it performs a leave operation, disconnecting the Cisco ISE node from the Active Directory domain, if it is already joined.'

 

https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/ise_active_directory_integration/b_ISE_AD_integration_2x.html#ID612

 

 

[Background]

My customer says they sometimes see "Not Operational" when checking AD integration status in [Administrator]->[External Identity Source]->AD domain after ISE reboot.

They say there seems no impact to user authentication during "Not Operational", but asking why ISE changes its status.

1 person had this problem
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
kvenkata1
Cisco Employee
Cisco Employee

‎09-05-2018 09:03 AM

If this is the behavior seen by your customer in production network, it is best handled by TAC. Please request your customer to open a TAC service request.

 

- Krish

 

View solution in original post

0 Helpful
3 Replies 3

Go to solution
kvenkata1
Cisco Employee
Cisco Employee

‎09-05-2018 09:03 AM

If this is the behavior seen by your customer in production network, it is best handled by TAC. Please request your customer to open a TAC service request.

 

- Krish

 

0 Helpful

Go to solution
paul
Level 10
Level 10
In response to kvenkata1

‎09-05-2018 09:11 AM

Also part of the reason your authentications may not be affected is because by default is the authentication process fails on a PSN, the PSN will drop the request and allow the NAD to fail over to the another PSN.

 

As Krish said you definitely want to get a TAC case going.

0 Helpful

Go to solution
mick5kull
Cisco Employee
Cisco Employee
In response to paul

‎09-05-2018 06:23 PM

Thanks for your comment.

 

I understand "Not Operational" status after ISE reboot is not expected behavior and need TAC assistance.

 

Do you have any comments on below queries?

 

> Does ISE automatically leave from Active Directory domain and re-join during reboot if it is already joined?
> Does ISE periodically communicate with Active Directory DC after it joined to a domain?

 

If yes, I think customer and I should check network accessibility between ISE and AD controller more before open a SR on ISE.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents