10285 Views, 22 Helpful, 5 Replies

Cisco ISE AD Domain Controller connection

Hkelling1988 (Level 1)

Hi all,

I have a redundant Cisco ISE deployment:

ise1
ise2

and an AD domain with two domain controllers:

ad1
ad2

Normally the AD connection looks like:

ise1-ad1
ise2-ad2

but sometimes like:

ise1-ad1
ise2-ad1

Can someone please tell me about their experience? Is this normal behavior? In my opinion both DCs should always be connected, or am I wrong?

Accepted Solution

jalemanp (Cisco Employee)

What ISE is doing when picking up one DC or the other is perfectly expected.
To understand how this process takes place you can read the section "DC Discovery" from this document "Active Directory Integration with Cisco ISE 2.x":

https://www.cisco.com/c/en/us/td/docs/security/ise/2-0/ise_active_directory_integration/b_ISE_AD_integration_2x.html

DC Discovery

The AD connector selects a domain controller (DC) for a given domain as follows:

1. Performs a DNS SRV query (not scoped to a site) to get a full list of domain controllers in the domain.
2. Performs DNS resolution for DNS SRVs that lack IP addresses.
3. Sends CLDAP ping requests to domain controllers according to priorities in the SRV record and processes only the first response, if any. The CLDAP response contains the DC site and client site (for example, the site to which the Cisco ISE machine is assigned).
4. If the DC site and client site are the same, the response originator (that is, the DC) is selected.
5. If the DC site and client site are not the same, the AD Connector performs a DNS SRV query scoped to the discovered client site, gets the list of domain controllers serving the client site, sends CLDAP ping requests to these domain controllers, and processes only the first response, if any. The response originator (that is, the DC) is selected. If there is no DC in the client's site serving the site, or no DC currently available in the site, then the DC detected in Step 2 is selected.

You can influence the domain controllers that Cisco ISE uses by creating and using an Active Directory site. See the Microsoft Active Directory documentation on how to create and use sites.

Cisco ISE also provides the ability to define a list of preferred DCs per domain. This list of DCs will be prioritized for selection before DNS SRV queries. But this list of preferred DCs is not an exclusive list. If the preferred DCs are unavailable, other DCs are selected. You can create a list of preferred DCs in the following cases:

- The SRV records are bad, missing or not configured.
- The site association is wrong or missing, or the site cannot be used.
- The DNS configuration is wrong or cannot be edited.

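The selection procedure quoted above, run through in Python as an added example (not code from the original thread or from Cisco). DNS and CLDAP are replaced by constructed in-memory tables so it runs offline; the host names ad1/ad2 are the poster's, while the sites "HQ"/"DR", the subnets and the latencies are invented. The block also models the preferred-DC list from the last paragraph, and it shows why two ISE nodes in one site routinely end up on the same DC: when every DC is in the client's site, step 3 decides, and step 3 takes whichever CLDAP reply arrives first.

```python
"""Model of the "DC Discovery" steps quoted above (Cisco ISE AD connector).
Added example, not Cisco code: DNS and CLDAP are constructed in-memory tables
so it runs offline; names, subnets, sites and latencies are invented."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Srv:
    target: str                 # DC host name from the SRV record
    priority: int               # lower value is tried first
    ip: Optional[str] = None    # None: no address yet, needs an A lookup (step 2)


@dataclass
class Dc:
    site: str                # AD site this DC serves
    latency_ms: int          # constructed: how quickly its CLDAP reply arrives
    up: bool = True
    priority: int = 0        # SRV priority published for this DC


class Forest:
    """Stand-in for the domain's DNS zone and its DCs' CLDAP responders."""

    def __init__(self, dcs, subnets):
        self.dcs = dcs                                   # name -> Dc
        self.subnets = {ipaddress.ip_network(n): s for n, s in subnets.items()}
        self.a_records = {n: f"10.0.0.{10 + i}" for i, n in enumerate(dcs)}

    def srv(self, site=None):
        """_ldap._tcp.dc._msdcs.<domain>, or the <site>._sites form if scoped."""
        return [Srv(n, d.priority) for n, d in self.dcs.items()
                if site is None or d.site == site]

    def resolve(self, rec):
        """Step 2: A lookup for an SRV target that carried no address."""
        return Srv(rec.target, rec.priority, rec.ip or self.a_records.get(rec.target))

    def client_site(self, client_ip):
        """Site AD maps the client's subnet to (None when no subnet matches)."""
        addr = ipaddress.ip_address(client_ip)
        return next((s for n, s in self.subnets.items() if addr in n), None)

    def cldap_ping(self, recs, client_ip):
        """Ping all resolvable live DCs, lowest SRV priority tier first; only the
        first reply counts -> (dc, dc_site, client_site) or None.  Simplification:
        the first reply comes from the fastest DC in that tier."""
        live = [r for r in recs if r.ip and self.dcs[r.target].up]
        if not live:
            return None
        best = min(r.priority for r in live)
        dc = min((r.target for r in live if r.priority == best),
                 key=lambda n: self.dcs[n].latency_ms)
        return dc, self.dcs[dc].site, self.client_site(client_ip)


def discover_dc(forest, client_ip, preferred=()):
    """Select a DC for one ISE node following the quoted steps."""
    # Preferred DCs go before any SRV query, but the list is not exclusive.
    pref = [forest.resolve(Srv(n, 0)) for n in preferred if n in forest.dcs]
    hit = forest.cldap_ping(pref, client_ip)
    if hit:
        return hit[0]
    # Steps 1-3: unscoped SRV query, resolve, ping; first response wins.
    hit = forest.cldap_ping([forest.resolve(r) for r in forest.srv()], client_ip)
    if hit is None:
        return None                      # no DC reachable at all
    dc, dc_site, client_site = hit
    # Step 4: responder is in the client's site (or no site is known): take it.
    if client_site is None or dc_site == client_site:
        return dc
    # Step 5: site-scoped SRV query, first responder wins; if the site has no
    # live DC, keep the one from the unscoped round.
    scoped = [forest.resolve(r) for r in forest.srv(site=client_site)]
    hit = forest.cldap_ping(scoped, client_ip)
    return hit[0] if hit else dc


def one_site():
    """Both DCs in one site (the thread's setup): selection is a latency race,
    so both ISE nodes usually land on the same DC (ise1-ad1 / ise2-ad1)."""
    f = Forest({"ad1": Dc("HQ", 2), "ad2": Dc("HQ", 6)}, {"10.0.0.0/24": "HQ"})
    return discover_dc(f, "10.0.0.21"), discover_dc(f, "10.0.0.22")


def two_sites():
    """ad2 in its own site and ise2's subnet mapped to it: ad1 still answers
    the unscoped ping first, but the site mismatch triggers the scoped query."""
    f = Forest({"ad1": Dc("HQ", 2), "ad2": Dc("DR", 6)},
               {"10.0.0.0/24": "HQ", "10.0.1.0/24": "DR"})
    return discover_dc(f, "10.0.0.21"), discover_dc(f, "10.0.1.21")


def preferred_list():
    """A preferred DC beats DNS while up; once down, discovery falls through."""
    f = Forest({"ad1": Dc("HQ", 2), "ad2": Dc("HQ", 6)}, {"10.0.0.0/24": "HQ"})
    first = discover_dc(f, "10.0.0.22", preferred=("ad2",))
    f.dcs["ad2"].up = False
    return first, discover_dc(f, "10.0.0.22", preferred=("ad2",))
```

Calling one_site(), two_sites() and preferred_list() from a Python shell returns ('ad1', 'ad1'), ('ad1', 'ad2') and ('ad2', 'ad1'). The first result is the ise1-ad1 / ise2-ad1 pattern from the question: nothing in the procedure spreads nodes across DCs, so the only ways to steer the choice are the ones the quoted text names, a site whose subnets cover the ISE nodes (which changes the step 4 comparison) or a preferred-DC list. Against a real domain the equivalent checks are the SRV lookups for _ldap._tcp.dc._msdcs.<domain> and _ldap._tcp.<site>._sites.dc._msdcs.<domain>, and the subnet-to-site mapping of the ISE nodes' addresses in AD Sites and Services.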

5 Replies

rcheyfit (Level 4)
Rachel Cheyfitz
WRITER.TECHNICAL
rcheyfit@cisco.com
Tel: +972 9 892 7012

"I'm not sure if I understand correctly. Do you really think it's a licensing topic?"

Not necessarily. I accidentally posted here instead of a separate, albeit somewhat related issue. Apologies.

Jason Kunst (Cisco Employee)

This is all determined by AD Sites and Services. I would recommend you look through the Cisco Live content by Chris Murray on the subject:
https://www.ciscolive.com/global/on-demand-library/?search=chris%20murray#/session/14525434149870017MRf
What's new in ISE Active Directory connector - BRKSEC-2132

If you need more debugging, I would recommend opening a TAC case.

