Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1471
Views
9
Helpful
4
Replies

Does a Monitoring Node need to join AD for any reason?

Go to solution
Arne Bier
VIP
VIP

‎07-17-2017 03:53 PM

I have a fully distributed deployment and I don't want to join the Monitoring nodes to the AD - I say No to the question below.

I only want to join the PANs (for the Admin Access) and the PSN's for EAP authentication etc.  I have NOT joined my Monitoring nodes to AD.  What are the implications of doing so?

This morning I see a lot of alarms Alarms.  No details available, but it appears that ISE doesn't like it when a node does no join a domain.  Surely this can't be right/good?

Why do my MNT nodes need to join the AD?

1 person had this problem
1 Accepted Solution

Accepted Solutions

Go to solution
hslai
Cisco Employee
Cisco Employee

‎07-17-2017 04:31 PM

True, ISE M&T nodes need join to an AD domain, only if using AD to authenticate ISE admin users or if also acting as an PSN.

I would suggest to ignore such alarms, as we can only disable it for all ISE nodes in the deployment as a whole but not for one particular ISE node.

View solution in original post

4 Replies 4

Go to solution
hslai
Cisco Employee
Cisco Employee

‎07-17-2017 04:31 PM

True, ISE M&T nodes need join to an AD domain, only if using AD to authenticate ISE admin users or if also acting as an PSN.

I would suggest to ignore such alarms, as we can only disable it for all ISE nodes in the deployment as a whole but not for one particular ISE node.

Go to solution
Arne Bier
VIP
VIP
In response to hslai

‎07-17-2017 04:56 PM

I don't understand why ISE behaves like this - the user is given the explicit option to either join, or not join an ISE node to the domain. And it seems that as a result of not joining a node he will be rewarded by getting constant alarms.  It's not even a warning or info message - it's an Alarm.  I would expect an Alarm if any of my nodes fell off the wagon trying to join the AD.  But I don't want to see alarms when I made the conscious decision NOT to join.

I will open a TAC case because ignoring errors is something we can afford in lab systems, but not really good practice in production systems.

The workaround would be to join my MNT nodes to all 11 of my domains.  That's not ideal.

Go to solution
Arne Bier
VIP
VIP
In response to Arne Bier

‎07-18-2017 10:01 PM

I have an idea - if I disable the Alarm ...

That ought to do it.

Go to solution
hslai
Cisco Employee
Cisco Employee
In response to Arne Bier

‎07-20-2017 02:23 PM

Sure. That would work, too.

Customers Also Viewed These Support Documents