Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
805
Views
1
Helpful
4
Replies

Adding domain controler to AD domain and ISE behaviour

REJR77
Level 1
Level 1

‎03-23-2023 04:09 AM

Hi,

We already have an ISE deployment connected to an AD domain with 2 DC

We are going to add new Domain Controller to the Domain (and remove the old ones later) and would like to know if we need to change things on ISE or if it is transparent since ISE are already joined

REgards

0 Helpful
4 Replies 4

Rodrigo Diaz
Cisco Employee
Cisco Employee

‎03-23-2023 07:38 AM

Hi @REJR77 , as you are going to remove the 2DC from where ISE has created a join, you will have to remove them from the ISE itself as the ISE will continue attempting to query those although they are not longer there ( ISE will not be aware of the changes done within the 2 DC) ,  once you remove them you will have to add the new DC that you are going to implement as replacement , to review more about the ISE-AD operations you can refer to https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/ise_active_directory_integration/b_ISE_AD_integration_2x.html 

Let me know if that helped you . 

0 Helpful

REJR77
Level 1
Level 1
In response to Rodrigo Diaz

‎03-23-2023 08:23 AM

Hi @Rodrigo Diaz 

From what I understand ISE detects domain controllers with DNS requests. Therefore we can not specify on which DC it will connect to join. Am I wrong?

The use case I am referring to is not clearly detailed in the documentation.HHow can we ask ISE to connect to the new servers since everything looks "automatic" ?

Thanks for clarification

0 Helpful

Christopher Bell
Level 4
Level 4
In response to REJR77

‎03-23-2023 10:48 AM

Add the new DC then reboot each of the two older DCs one at a time until ISE picks up the new one.  I'm pretty sure it will find it but I would test before you decom the old ones.  You can see what DC ISE is attached to Administration --> External Identity Sources --> Active Directory --> and then click your deployment.  There will be a "Domain Controller" column that lists the DC each node is attached to.  ISE is built to join the domain like any computer or server, not to a specific domain controller so I would be surprised if you have to do anything other than making sure you are attached to new one before killing the old ones. 

If this posts answers your question or is helpful, please consider rating it and/or marking as answered.
0 Helpful

Greg Gibbs
Cisco Employee
Cisco Employee
In response to REJR77

‎03-23-2023 02:50 PM

Like other computers and member servers in Active Directory, ISE learns which Domain Controller it should communicate with from AD Sites and Services. You would need to ensure that the subnet used by ISE is associated with the appropriate Site and DC and ISE will automatically learn this information. 

Customers Also Viewed These Support Documents