Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1939
Views
5
Helpful
3
Replies

Edit Active Directory Join in Cisco ISE v2.4

Go to solution
Mike Pennycook
Level 1
Level 1

‎03-23-2020 07:39 AM

Hi there,

 

We have ISE configured with an active directory (external identity source) join, which we use in our AAA rules.

 

The AD join points to a single domain controller for the ad domain.

 

We are now updating to new domain controllers and need to update the server that this AD join is pointing to. 

 

Can anyone help to identify where the domain controller can be updated? I dont see anywhere to edit the specific connection details. If I create a different AD join, then it says I cant have a duplicate AD join for the same domain. 

 

Many thanks for your help

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee
In response to Mike Pennycook

‎03-25-2020 12:01 AM

The Domain Controller that ISE communicates with should be controlled by the Sites configuration (found in AD Sites & Services) in your Domain. If you do not add the subnet for the ISE nodes to your Sites configuration, the DC that ISE chooses will be largely random. You can see this is the case as ISE shows the 'Default-First-Site-Name'

Best practice is to configure your AD Sites such that the ISE nodes communicate with the most efficient (typically the closest) DC. When you update your AD Sites configuration, ISE will automatically begin talking to the proper DC. If that DC becomes unavailable, ISE leverages the built-in HA capabilities of AD to select another DC.

 

Cheers,

Greg

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Mike Pennycook
Level 1
Level 1

‎03-23-2020 08:22 AM

Please see the attached picture of the location in ISE that I'm referring to

 

Thanks

Preview file
111 KB
0 Helpful

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee
In response to Mike Pennycook

‎03-25-2020 12:01 AM

The Domain Controller that ISE communicates with should be controlled by the Sites configuration (found in AD Sites & Services) in your Domain. If you do not add the subnet for the ISE nodes to your Sites configuration, the DC that ISE chooses will be largely random. You can see this is the case as ISE shows the 'Default-First-Site-Name'

Best practice is to configure your AD Sites such that the ISE nodes communicate with the most efficient (typically the closest) DC. When you update your AD Sites configuration, ISE will automatically begin talking to the proper DC. If that DC becomes unavailable, ISE leverages the built-in HA capabilities of AD to select another DC.

 

Cheers,

Greg

0 Helpful

Go to solution
Cristian Matei
VIP Alumni
VIP Alumni

‎03-24-2020 12:06 PM

Hi,

 

    As long as you keep the AD schema and database, and just add new AD domain controllers, or add new servers and FSMO roles, you'll have no worries. Just ensure that the DNS servers configured on ISE, point to your DNS servers from the AD.

 

Regards,

Cristian Matei.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents