11-21-2018 12:56 PM
Hi guys,
I need some advice if possible. I have a lab set up with a standalone virtual ISE deployment running on ESXi 6.0, with one domain controller set as an external identity store. I have wired/wireless dot1x configured and I'm just about to dip my toe into a BYOD wired dot1x on-boarding lab, but I've hit a brick wall with adding a new AD group. When I try and add a new AD user group to the existing group list or make any changes at all to the Active Directory Scope_Default I get an error saying "Domain name is not unique in the deployment for edit". I've looked around on the web but can't see anyone with the same issue! Any help would be appreciated. The only thing that I have in mind that could have caused an issue is when I messed with the ISE Wireless Setup, which is beta software.
11-21-2018 01:45 PM
Do you manually add the Group name, or select from Directory lookup?
I have never seen this but then again I have never used Scopes either.
Since you only have one domain controller, have you tried creating a new Join Point, (call it ATDC01a) and then don't use scopes and see if it's any different?
A single Domain Controller in a Scope is no different to not using Scope at all.
11-21-2018 02:00 PM
Hi Arne,
The group is from a directory lookup. Come to think of it I have no idea how I came to using scopes and not entirely sure what scopes are for?
OK, I see what you're saying. I just noticed the button that says "exit scope mode"; however, because it is referenced in the config I have to reverse engineer it before moving the join-point back to the active directory folder...the plot thickens!
Thanks
Matt
11-26-2018 07:31 AM
Just in case someone else comes across this problem.
I solved this myself by removing the Scope_Default/AD server from the "identity source sequences" and all of the Authentication/Authorisation policies where the objects were referenced. Once that was completed I exited scope mode, which in turn placed the AD controller in the correct external identity sources directory tree. I removed the AD groups under the "Group" tab and clicked on the "leave" button under the "connections" tab. I was then able to re-join the AD server and add the necessary AD groups, and then re-added the AD server to the identity source sequences, policies etc. This turned out to be a bit of a time thief! What perplexes me is how I managed to put my AD server into the Scope Mode folder to begin with?
08-03-2023 01:55 PM
@matt-blackwell can you elaborate a little more when you say you removed the Scope_Default/AD server from the "Identity source sequences"?
08-03-2023 02:14 PM
Are you talking about this portion?