can't join AD from ISE

andrea-florio
Level 1

Trying to join AD but we get this:

Error Description:

Support Details...
Error Name: LW_ERROR_LDAP_CONSTRAINT_VIOLATION
Error Code: 40315

Detailed Log:

Error Description :
Cannot Set Attribute DNSHostName , Active Directory Returned Ldap Constraint Error While Trying To Set Attribute

Error Resolution :
Please Check For Sufficient Permissions To Create User Object , If The User Has The Sufficient Permissions Please Try To Join Again.

Join Steps :
09:36:49 Joining To Domain EU.xxxxx.COM Using User Svc-mi-Infraservices@xxxxx.com
09:36:49 Searching For DC In Domain EU.xxxxx.COM
09:36:53 Found DC: xxxx.eu.xxxxx.com , Client Site Is xxxx , Dc Site Is xxxxx
09:36:53 Checking Credentials For User Svc-mi-Infraservices@xxxxx.com
09:36:53 Getting TGT For Account Svc-mi-Infraservices@xxxxx.COM
09:36:53 TGT For Account Svc-mi-Infraservices@xxxxx.COM Was Retrieved Successfully
09:36:53 Credentials For User Svc-mi-Infraservices@xxxxx.com Were Verified
09:36:53 Searching For DC In Domain EU.xxxxx.COM
09:36:56 Found DC: EU-xxxxx.eu.xxxxx.com , Client Site Is xxxxx , Dc Site Is xxxxx
09:36:56 Generating Account Name For ISE Machine In EU.xxxxx.COM
09:36:56 Searching For An Existing Machine Account
09:36:56 Searching Object By Filter : (&(objectCategory=computer)(servicePrincipalName=host/my-cisco-ise01.eu.xxxxx.com))
09:36:56 Account: my-cisco-ise01 Was Not Found
09:36:56 Searching For An Existing Machine Account
09:36:56 Searching Object By Filter : (&(objectClass=computer)(sAMAccountName=xxxxx-0GJRLDB$))
09:36:56 Account: xxxxx-0GJRLDB$ Was Found
09:36:56 ISE Machine Account Name Is : xxxxx-0GJRLDB$
09:36:56 Creating Machine Account xxxxx-0GJRLDB$
09:36:56 Connecting To AD Using DC EU-xxxxx.eu.xxxxx.com
09:36:56 Connection To EU-xxxxx.eu.xxxxx.com Established
09:36:57 Opening Domain HM-EU
09:36:57 Domain HM-EU Was Opened Successfully
09:36:57 Machine Account: xxxxx-0GJRLDB$ Already Exists , Opening Account.
09:36:57 Machine Account xxxxx-0GJRLDB$ Was Opened Successfully
09:36:57 Querying Account xxxxx-0GJRLDB$ Info
09:36:57 Account xxxxx-0GJRLDB$ Information Was Retrieved Successfully
09:36:57 Enabling Machine Account : xxxxx-0GJRLDB$
09:36:57 Machine Account xxxxx-0GJRLDB$ Was Enabled Successfully
09:36:57 Setting Password For Account : xxxxx-0GJRLDB$
09:36:57 Password For Account: xxxxx-0GJRLDB$ Was Setted Successfully
09:36:57 Account xxxxx-0GJRLDB$ Was Created Successfully
09:36:57 Verify That Machine Account: xxxxx-0GJRLDB$ Is Accessable
09:36:57 Searching Object By Filter : (&(objectClass=computer)(sAMAccountName=xxxxx-0GJRLDB$))
09:36:57 Machine Account xxxxx-0GJRLDB$ Is Accessable With DN: CN=xxxxx-0GJRLDB,CN=Computers,DC=eu,DC=xxxxx,DC=com
09:36:57 Setting Attributes To Object: CN=xxxxx-0GJRLDB,CN=Computers,DC=eu,DC=xxxxx,DC=com
09:36:57 Setting Attribute DNSHostName : my-cisco-ise01.eu.xxxxx.com To Object
09:36:57 Cannot Set Attribute DNSHostName , Active Directory Returned Ldap Constraint Error While Trying To Set Attribute
Any idea what's wrong?

4 Replies

Torbjørn
Spotlight

It seems that the user account you are joining the ISE to AD with is unable to edit the machine object.

Note that the user you are adding ISE to AD with is only used during the process of joining. You can hence likely use your regular "admin" credentials for this instead of using a limited permissions service account.

Happy to help! Please mark as helpful/solution if applicable.
Get in touch: https://torbjorn.dev

balaji.bandi
Hall of Fame

Are you an admin of LDAP? If so, I suggest creating a service account which has the rights to join ISE into the domain.

Second, check for any already added entries of ISE; if so, delete them and try again.

Cannot Set Attribute DNSHostName - also check that the DNS entry for the ISE is correct (verify).


BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Jonny Bacoz
Level 1

The error code 40315, known as "LW_ERROR_LDAP_CONSTRAINT_VIOLATION," signifies an issue encountered while configuring the DNSHostName attribute for the machine account in Active Directory. This problem usually arises due to insufficient permissions granted to the user account responsible for the operation or due to limitations within the AD schema. To resolve this, ensure that the user possesses the required permissions to create and modify computer objects within the domain. Additionally, verify that the value assigned to the DNSHostName attribute adheres to the AD schema requirements and that no policies or constraints are impeding the update.
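A pre-join check for the situation described in the thread (an existing machine account, and a join account that may lack write rights on it), added here as an example and not code from the original post, from Cisco or from any of the repliers. It shows the current state of the machine account and lists the ACEs on that object that grant the join account write access covering dNSHostName, either the attribute itself or the "Validated write to DNS host name" extended right; it also flags whether the host label ISE wants to write matches the account name, since a validated write to dNSHostName only succeeds when it does. It assumes the RSAT ActiveDirectory module, a caller who can read the object's security descriptor, and the placeholder names taken from the redacted log.

```powershell
# Added example, not from the thread. Assumes the RSAT ActiveDirectory module is
# installed and the caller can read the computer object and its security descriptor.
Import-Module ActiveDirectory

function Test-IseJoinAccount {
    param(
        [string]$JoinUser     = 'Svc-mi-Infraservices',        # account used for the join (placeholder)
        [string]$SamAccount   = 'xxxxx-0GJRLDB$',              # machine account from the join log (placeholder)
        [string]$ExpectedFqdn = 'my-cisco-ise01.eu.xxxxx.com', # DNSHostName ISE tries to set (placeholder)
        [string]$Server       = 'EU-xxxxx.eu.xxxxx.com'        # DC to query (placeholder)
    )
    $rootDse = Get-ADRootDSE -Server $Server

    # 1. Inspect the pre-existing computer object that owns this account name.
    $computer = Get-ADComputer -Identity $SamAccount -Server $Server `
        -Properties DNSHostName, servicePrincipalName, whenCreated, whenChanged
    [pscustomobject]@{
        DistinguishedName  = $computer.DistinguishedName
        CurrentDnsHostName = $computer.DNSHostName
        Created            = $computer.whenCreated
        LastChanged        = $computer.whenChanged
        SPNs               = ($computer.servicePrincipalName -join '; ')
        # A validated write to dNSHostName is only accepted when the host label
        # equals the account name (sAMAccountName without the trailing $).
        HostLabelMatchesAccount = ($ExpectedFqdn.Split('.')[0] -ieq $SamAccount.TrimEnd('$'))
    } | Format-List

    # 2. Resolve the GUIDs an ACE would carry for the attribute / the validated write.
    $attrGuid = [guid](Get-ADObject -Server $Server -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter '(lDAPDisplayName=dNSHostName)' -Properties schemaIDGUID).schemaIDGUID
    $validatedGuid = [guid](Get-ADObject -Server $Server `
        -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter '(displayName=Validated write to DNS host name)' -Properties rightsGuid).rightsGuid

    # 3. List ACEs granted directly to the join account that cover dNSHostName.
    #    ObjectType of all zeros means the ACE applies to all properties.
    $acl = Get-Acl -Path "AD:\$($computer.DistinguishedName)"
    $acl.Access | Where-Object {
        $_.IdentityReference.Value -like "*\$JoinUser" -and
        ($_.ActiveDirectoryRights -match 'GenericAll|GenericWrite|WriteProperty|Self') -and
        ($_.ObjectType -eq [guid]::Empty -or $_.ObjectType -eq $attrGuid -or $_.ObjectType -eq $validatedGuid)
    } | Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, ObjectType
}

Test-IseJoinAccount
```

An empty ACE list only means nothing is granted to the account directly; rights it holds through group membership need an effective-access check, and a missing write ACE combined with a non-matching host label is consistent with the constraint violation in the log.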