938 Views, 9 Helpful, 4 Replies
Arne Bier
VIP Advisor

Does a Monitoring Node need to join AD for any reason?

I have a fully distributed deployment and I don't want to join the Monitoring nodes to the AD - I say No to the question below.

I only want to join the PANs (for the Admin Access) and the PSNs for EAP authentication etc.  I have NOT joined my Monitoring nodes to AD.  What are the implications of doing so?

This morning I see a lot of Alarms.  No details available, but it appears that ISE doesn't like it when a node does not join a domain.  Surely this can't be right/good?

Why do my MNT nodes need to join the AD?

Accepted Solution
hslai
Cisco Employee

True, ISE M&T nodes need to join an AD domain only if using AD to authenticate ISE admin users or if also acting as a PSN.

I would suggest ignoring such alarms, as we can only disable it for all ISE nodes in the deployment as a whole but not for one particular ISE node.


4 Replies
I don't understand why ISE behaves like this - the user is given the explicit option to either join, or not join an ISE node to the domain. And it seems that as a result of not joining a node he will be rewarded by getting constant alarms.  It's not even a warning or info message - it's an Alarm.  I would expect an Alarm if any of my nodes fell off the wagon trying to join the AD.  But I don't want to see alarms when I made the conscious decision NOT to join.

I will open a TAC case because ignoring errors is something we can afford in lab systems, but not really good practice in production systems.

The workaround would be to join my MNT nodes to all 11 of my domains.  That's not ideal.

I have an idea - if I disable the Alarm ...

That ought to do it.

Sure. That would work, too.
