fkaleem
Cisco Employee

For AD to ISE integration using domain joint, do we need to join all nodes or just the primary node?

Hi All,

For AD to ISE integration using domain joint, do we need to join all nodes or just the primary node?

We have four nodes currently in our deployment, PAN primary and PAN secondary, MnT primary and MnT secondary. Then two dedicated PSNs. Thanks

Accepted Solution
Arne Bier
VIP Advisor

It depends on what you're using AD for. If you need AD for your PSN policies, then technically speaking, you only need to join your two PSN nodes to the AD domain. However, if you want your ISE node Web Admin logins to use AD, then you need to join all the nodes.

One bug I found in this respect is that if you selectively join only a subset of nodes to AD, then ISE will complain bitterly that the remaining ISE nodes have not joined the AD domain. You can disable this, but then you will not be notified of a real issue with your PSNs if they should have AD issues.

So, my advice is to join ALL the ISE nodes because

1) Web admin to all ISE nodes with controlled AD creds is a good idea

2) Stop the stupid AD 'not-Joined' alarms from occurring


2 Replies
Many thanks, Arne, for your excellent and timely assistance.
