Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5321
Views
5
Helpful
8
Replies

Cisco ISE with AD Problem: "Could not read groups data: Global catalog not found"

Pongsatorn Maneesud
Level 1
Level 1

‎12-05-2012 08:37 AM - edited ‎03-10-2019 07:51 PM

Hi all,

When I make the ActiveDirectory integration with Cisco ISE, I have complete with this integration. but when I try to read the Groups from Active Directory, ISE shows the message "Could not read groups data: Global catalog not found".

My Domain has multiple sites and subnets, each contains GC for local logon. I have set ISE to the correct site and subnet. Forward and Reverse DNS are working with no error.

Does anyone get this problem, please help.

Screen Shot 2555-12-05 at 11.31.51 PM.png

I have check into the ISE CLI Reference Guide 1.1.x

You are about to configure Active Directory settings.


Are you sure you want to proceed? y/n [n]: y


Parameter Name: dns.servers


Parameter Value: 10.77.122.135


Active Directory internal setting modification should only be performed if approved by ISE 
support. Please confirm this change has been approved y/n [n]: y

What shoud I set in the Parameter Name ? dns.servers or my dns hostname ?

Please suggest for this too.

Thanks and Regards,

Pongsatorn M.

Labels:
0 Helpful
8 Replies 8

jw.sl9
Level 1
Level 1

‎12-05-2012 09:14 AM

Just checking...

  1. Did you join by GUI?
  2. How many Nodes in your deployment? 
  3. Did you join all the nodes running the Policy Service persona?
  4. Why are/did you modify the CLI settings?

And

  1. Have you run a Detail Test?  If not, do so.  If so, zip it up and attach it to a reply post.

I hope you find this answer useful, if it was satisfactory  for you, please mark the question as Answered.

Please rate post you consider useful.
-James

I hope you find this information useful, if it was satisfactory for you, please mark the question as Answered. Please rate post you consider useful. -James

Pongsatorn Maneesud
Level 1
Level 1
In response to jw.sl9

‎12-05-2012 06:15 PM

Hi jw

1. I'm join by GUI.

2. 4 Nodes in my deployment

     2 for Admin with Monitoring

     2 for Policy Service

3. Now I split ISE to Standalone node and try to join AD

4. I just see this CMD in the CLI document and do nothing with this command.

5. I run a Details Test then Its fail but it able to join Domain

in my domain infrastructure, I have 4 Sites contain many subnets inside. Each site contains 2 Server for GC service

DNS record found: _ldap._tcp.xxxx

Found SRV records : more than 10 SRV records

Thanks,

Pongsatorn M.

0 Helpful

jw.sl9
Level 1
Level 1
In response to Pongsatorn Maneesud

‎12-05-2012 07:03 PM

send the detail results


I hope you find this information useful, if it was satisfactory  for you, please mark the question as Answered.

Please rate post you consider useful.
-James

I hope you find this information useful, if it was satisfactory for you, please mark the question as Answered. Please rate post you consider useful. -James
0 Helpful

Tarik Admani
VIP Alumni
VIP Alumni
In response to jw.sl9

‎12-05-2012 10:15 PM

Hi,

Do not use google chrome, try using mozilla instead (ise does not play nice with chrome). Also check your sites and services information and see if there domain controllers listed for the subnet that ISE is connected to.

Thanks,

Tarik Admani
*Please rate helpful posts*

Pongsatorn Maneesud
Level 1
Level 1

‎12-06-2012 06:45 AM

Hi,
Site and subnet is set. it still not working.

But I fixes it already using CLI reference guide.
"application configure ise"

ISE should describe more integration requirements about this. :(

Sent from Cisco Technical Support Android App

0 Helpful

gschmitt.ngit
Level 1
Level 1
In response to Pongsatorn Maneesud

‎01-02-2013 11:48 AM

Hi Pongsatorn,

What was your CLI fix for this problem?

I am seeing the same thing in a resent deployment.

Cheers,

Greg

0 Helpful

Pongsatorn Maneesud
Level 1
Level 1
In response to gschmitt.ngit

‎01-03-2013 09:00 AM

Hi Greg,

Can you explain more about your deployment ?

Can you expalin more about the Active Directory Infrastructure in your site ?

What happen when you open your command-line and type "netdom query fsmo" ?

However, this is my working solution for me

I using this command below to fix my issue.

"application configuration ise"

Then I select option 3 to make a static Active Directory setting

Parameter Name: dns.servers  --> not change to anything you think before just type "dns.servers"

Parameter Value: 1.2.3.4  --> Point to your AD IP address

Then select option 5 after that option 4

Hope this help

Regards,

Pongsatorn

0 Helpful

gschmitt.ngit
Level 1
Level 1
In response to Pongsatorn Maneesud

‎01-03-2013 09:58 AM

Hi Pongsatorn,

Thanks for the reply!

I've attached the results of the ISE detailed AD test. As you can see, there is a fair number of domain controllers in the AD forest.

It seems everything works correctly until it gets to testing the AD connectivity on port 3268. Then I get this:

  Testing Active Directory connectivity:

    Global Catalog: pdascdc02.xyz.com

      gc:       3268/tcp - refused

  Testing Active Directory connectivity:

    Global Catalog: pdascdc02.xyz.com

      gc:       3268/tcp - refused

For some reason, the request to the controllers on port 3268 is being refused.

Any thoughts you might have are greatly appreciated.

Cheers,

Greg

140741-ad test showing global catalog failure.txt.zip
0 Helpful
Customers Also Viewed These Support Documents