Domain Controller Replication

Hi,

Hoping someone can help.

I'm currently working through a PXE boot and automated computer building setup.

Once the OS is built and joins the domain, it is unable to authenticate without a reboot some 15 mins later.

This appears to be because the computer is joined to the on-site campus Domain Controller.

ISE is joined to the domain, but by a Domain Controller in the datacentre.

So ISE is unable to find the Computer account in AD until replication has occurred between Domain Controllers.

By which point, the switch has failed over to MAB and given limited access via a DACL.

Is there anyone with experience of this kind of problem?
Any way that we can get ISE to work through a list of all campus Domain Controllers as well?

Any help, much appreciated :)

4 Replies

craig.beck
Level 1

This is an AD issue really. ISE will use whichever Domain Controller it is told to use by DNS, as per the AD Sites & Services configuration. Because the local Domain Controller and the DC Domain Controller are in different sites, automatic replication occurs every 15 mins (minimum value).

There are ways this could be manipulated. For example, if you use a specific VLAN/subnet to build machines, that subnet could be added to the DC site in AD Sites & Services rather than the local site, so the computer account would be created on the same Domain Controller that ISE queries (or one in the same site, so replication would be nearly instant). This may or may not be practical though, depending on various factors.

@craig.beck I agree

It would be beneficial for them to look at Cisco Live Chris Murray's information on Active Directory: http://cs.co/ise-training and http://cs.co/ise-guides

https://community.cisco.com/t5/security-documents/ise-security-ecosystem-integration-guides/ta-p/3621164#toc-hId-496604990

Thanks Craig,

Scripting the computer domain join part, to be against the DC Domain Controller, may have fixed our issue.

Also, the video link has been a useful insight, and certainly flags up a few things we need to keep aware of.

No probs!

The only issue I can see that might come of that is if the computer uses the local Domain Controller for anything within the first 15 minutes of joining.

The computer will join the domain using the DC Domain Controller, and that will probably allow network-level authentication without an issue, however the computer may still be told to use the site-local Domain Controller for Windows domain services. If AD replication hasn't occurred for the first 15 minutes you may still have issues with logon events, GPO application, etc. as the site-local Domain Controller won't know about the computer's machine account yet.

I'd test it to see what happens.
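One way to script the join against the datacentre DC that the OP describes, and to check for the first-15-minutes gap Craig raises in his last reply (an added example, not code from the thread or from Cisco; every domain, DC and OU name is a placeholder, and the Sync-ADObject step assumes the admin account has replication rights on both DCs):

```powershell
# Added example, not code from the thread. Step 1 joins a newly imaged machine
# against the datacentre DC that ISE queries. Step 2, run from an admin host,
# confirms the account is visible on both DCs and, if the site-local DC does
# not have it yet, replicates that single object ahead of the inter-site
# schedule so logon and GPO processing do not hit the 15-minute gap.
# All names below are placeholders.

$Domain      = 'corp.example.com'
$DcForIse    = 'dc-datacentre01.corp.example.com'   # DC ISE is bound to
$SiteLocalDc = 'dc-campus01.corp.example.com'       # DC a campus client would otherwise pick
$BuildOU     = 'OU=Build,DC=corp,DC=example,DC=com'

# Step 1 (client side, inside the build task sequence). Add-Computer's -Server
# parameter takes the form Domain\DCName and pins the join to that DC.
function Join-AgainstDatacentreDc {
    param([pscredential]$JoinCred)
    $dcShort = ($DcForIse -split '\.')[0]
    Add-Computer -DomainName $Domain -Server "$Domain\$dcShort" -OUPath $BuildOU `
                 -Credential $JoinCred -Force
}

# Step 2 (admin host with the ActiveDirectory RSAT module installed).
function Test-ComputerOnDc {
    param([string]$ComputerName, [string]$Dc)
    try   { $null -ne (Get-ADComputer -Identity $ComputerName -Server $Dc -ErrorAction Stop) }
    catch { $false }
}

function Confirm-BuildAccountReplicated {
    param([string]$ComputerName)
    if (-not (Test-ComputerOnDc $ComputerName $DcForIse)) {
        throw "$ComputerName not found on $DcForIse; ISE will fall back to MAB for this host."
    }
    if (Test-ComputerOnDc $ComputerName $SiteLocalDc) {
        Write-Output "$ComputerName present on both DCs; logon/GPO should work without waiting."
        return
    }
    # Account exists only on the datacentre DC: push just this object to the
    # site-local DC now instead of waiting for the scheduled inter-site replication.
    $dn = (Get-ADComputer -Identity $ComputerName -Server $DcForIse).DistinguishedName
    Sync-ADObject -Object $dn -Source $DcForIse -Destination $SiteLocalDc
    Write-Output "Pushed $dn from $DcForIse to $SiteLocalDc."
}

# Usage from the admin host once the build reports a successful join:
# Confirm-BuildAccountReplicated -ComputerName 'BUILD-PC01'
```

Running the check immediately after the join tells you whether the host will pass ISE machine authentication before the switch times out to MAB, and whether the site-local DC still needs the object.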