07-24-2018 01:59 AM
Hi all,
I have a redundant Cisco ISE deployment
ise1
ise2
AD domain (2 domain controllers)
ad1
ad2
Normally the ad connection looks like:
ise1-ad1
ise2-ad2
but sometimes like
ise1-ad1
ise2-ad1
Can someone please tell me about their experience? Is this normal behavior? In my opinion both DCs should always be connected, or am I wrong?
Labels: AAA
Accepted Solutions
07-24-2018 10:11 AM - edited 07-24-2018 10:12 AM
What ISE is doing when picking up one DC or the other is perfectly expected.
To understand how this process takes place you can read the section "DC Discovery" from this document "Active Directory Integration with Cisco ISE 2.x":
https://www.cisco.com/c/en/us/td/docs/security/ise/2-0/ise_active_directory_integration/b_ISE_AD_integration_2x.html
DC Discovery

AD connector selects a domain controller (DC) for a given domain as follows:

1. Performs a DNS SRV query (not scoped to a site) to get a full list of domain controllers in the domain.
2. Performs DNS resolution for DNS SRVs that lack IP addresses.
3. Sends CLDAP ping requests to domain controllers according to priorities in the SRV record and processes only the first response, if any. The CLDAP response contains the DC site and client site (for example, site to which the Cisco ISE machine is assigned).
4. If the DC site and client site are the same, the response originator (that is, DC) is selected.
5. If the DC site and client site are not the same, the AD Connector performs a DNS SRV query scoped to the discovered client site, gets the list of domain controllers serving the client site, sends CLDAP ping requests to these domain controllers, and processes only the first response, if any. The response originator (that is, DC) is selected. If there is no DC in the client's site serving the site or no DC currently available in the site, then the DC detected in Step 2 is selected.

You can influence the domain controllers that Cisco ISE uses by creating and using an Active Directory site. See the Microsoft Active Directory documentation on how to create and use sites.

Cisco ISE also provides the ability to define a list of preferred DCs per domain. This list of DCs will be prioritized for selection before DNS SRV queries. But this list of preferred DCs is not an exclusive list. If the preferred DCs are unavailable, other DCs are selected. You can create a list of preferred DCs in the following cases:

- The SRV records are bad, missing or not configured.
- The site association is wrong or missing or the site cannot be used.
- The DNS configuration is wrong or cannot be edited.
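The selection order quoted above (preferred-DC list, domain-wide SRV query, resolution of targets without addresses, CLDAP ping by priority with only the first response counted, site check, site-scoped retry) can be modelled to see why two ISE nodes sometimes both land on the same DC. The model below is an added example, not Cisco's connector code: the DNS answers, DC sites and ping latencies are constructed (host names `ad1.example.local` / `ad2.example.local` and sites `Site-A` / `Site-B` are hypothetical), and "first response" is approximated as the lowest-latency reachable DC within the lowest SRV priority group that answers at all.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence


@dataclass
class SrvRecord:
    priority: int            # lower number is tried first
    target: str              # DC host name from the SRV record
    address: Optional[str]   # None when the SRV answer carried no address


@dataclass
class DcState:
    site: str                    # AD site the DC belongs to
    latency_ms: Optional[int]    # None means the DC does not answer CLDAP


@dataclass
class CldapReply:
    dc: str
    dc_site: str
    client_site: str             # site the DC maps the ISE node's subnet to


# Constructed DNS view (hypothetical names, not from the thread).
SRV = {
    None: [SrvRecord(0, "ad1.example.local", "10.0.0.1"),
           SrvRecord(0, "ad2.example.local", None)],           # needs step 2
    "Site-A": [SrvRecord(0, "ad1.example.local", "10.0.0.1")],
    "Site-B": [SrvRecord(0, "ad2.example.local", None)],
}
A_RECORDS = {"ad1.example.local": "10.0.0.1", "ad2.example.local": "10.0.0.2"}


def srv_query(site: Optional[str]) -> List[SrvRecord]:
    """Step 1 (site=None) or the site-scoped query of step 5."""
    return [SrvRecord(r.priority, r.target, r.address) for r in SRV.get(site, [])]


def resolve_missing(records: List[SrvRecord]) -> List[SrvRecord]:
    """Step 2: resolve targets that came without an address; drop unresolvable ones."""
    for r in records:
        if r.address is None:
            r.address = A_RECORDS.get(r.target)
    return [r for r in records if r.address is not None]


def first_cldap_reply(records: List[SrvRecord], dcs: Dict[str, DcState],
                      client_site: str) -> Optional[CldapReply]:
    """Step 3: ping by SRV priority; only the first response is processed.
    Within a priority group the fastest reachable DC answers first, so two ISE
    nodes with similar paths both pick the same DC, and a node whose path to the
    other DC is shorter picks that one instead."""
    for priority in sorted({r.priority for r in records}):
        live = [(dcs[r.target].latency_ms, r.target) for r in records
                if r.priority == priority and r.target in dcs
                and dcs[r.target].latency_ms is not None]
        if live:
            _, dc = min(live)
            return CldapReply(dc, dcs[dc].site, client_site)
    return None


def select_dc(dcs: Dict[str, DcState], client_site: str,
              preferred: Sequence[str] = ()) -> Optional[str]:
    """Full selection order; `dcs` is the network picture as seen by one ISE node."""
    # Preferred-DC list: consulted before any SRV query, but not exclusive.
    if preferred:
        recs = resolve_missing([SrvRecord(0, h, A_RECORDS.get(h)) for h in preferred])
        reply = first_cldap_reply(recs, dcs, client_site)
        if reply is not None:
            return reply.dc
    reply = first_cldap_reply(resolve_missing(srv_query(None)), dcs, client_site)
    if reply is None:
        return None
    if reply.dc_site == reply.client_site:          # step 4
        return reply.dc
    site_reply = first_cldap_reply(                  # step 5
        resolve_missing(srv_query(reply.client_site)), dcs, reply.client_site)
    return site_reply.dc if site_reply is not None else reply.dc


def demo() -> Dict[str, Optional[str]]:
    """Constructed scenarios reproducing the patterns described in the thread."""
    both_up = {"ad1.example.local": DcState("Site-A", 5),
               "ad2.example.local": DcState("Site-A", 8)}
    closer_to_ad2 = {"ad1.example.local": DcState("Site-A", 20),
                     "ad2.example.local": DcState("Site-A", 8)}
    ad1_down = {"ad1.example.local": DcState("Site-A", None),
                "ad2.example.local": DcState("Site-A", 8)}
    # ad1 in Site-A answers first, but the node is mapped to Site-B, served by ad2.
    split_sites = {"ad1.example.local": DcState("Site-A", 5),
                   "ad2.example.local": DcState("Site-B", 30)}
    return {
        "ise1": select_dc(both_up, "Site-A"),
        "ise2_same_path": select_dc(both_up, "Site-A"),        # both on ad1
        "ise2_closer_to_ad2": select_dc(closer_to_ad2, "Site-A"),
        "ad1_down": select_dc(ad1_down, "Site-A"),
        "site_scoped": select_dc(split_sites, "Site-B"),
        "preferred_ad2": select_dc(both_up, "Site-A", preferred=["ad2.example.local"]),
        "preferred_down": select_dc(ad1_down, "Site-A", preferred=["ad1.example.local"]),
    }


if __name__ == "__main__":
    for name, dc in demo().items():
        print(f"{name}: {dc}")
```

The `ise1` and `ise2_same_path` cases are the `ise1-ad1 / ise2-ad1` picture from the question: with both DCs reachable and in the node's own site, whichever answers the CLDAP ping first is kept, and nothing in the procedure spreads the two nodes across the two DCs. The `site_scoped` and `preferred_*` cases show the two levers the quoted document names for steering that choice: site membership and the (non-exclusive) preferred-DC list.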
07-24-2018 02:54 AM - edited 07-24-2018 03:12 AM
WRITER.TECHNICAL
rcheyfit@cisco.com
Tel: +972 9 892 7012
07-24-2018 02:58 AM
I'm not sure if I understand correctly. Do you really think it's a licensing topic?
07-24-2018 03:13 AM
07-24-2018 09:33 AM
https://www.ciscolive.com/global/on-demand-library/?search=chris%20murray#/session/14525434149870017MRf
What's new in ISE Active Directory connector - BRKSEC-2132
If you need more debugging, I would recommend opening a TAC case.