Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3332
Views
1
Helpful
11
Replies

help, error connection Cisco Identity Services Engine with AD.

JERRI -
Level 1
Level 1

‎05-26-2013 07:43 PM - edited ‎03-10-2019 08:28 PM

Dear all,

I have Cisco Indentity Services Engine, that  connected to Active Directory. When I test connection detailed,

the result is error, said:

Test Connection Results

This dialog shows the detailed logs for the operation for: idsv0018.

Status: FAILED: Global Catalog port status error.

Can anyone help?

I believe,  because this error, I can't search group of AD, at Cisco ISE.

FYI: the connection from Cisco ISE to AD, joined with successful result.

Thanks,

Jerri

Labels:
0 Helpful
11 Replies 11

Leo Laohoo
Hall of Fame
Hall of Fame

‎05-26-2013 08:03 PM

Duplicate posts. 

0 Helpful

Ravi Singh
Level 7
Level 7

‎05-26-2013 08:31 PM

Yes leolaohoo is correct this error occur due to duplicate port. Please check the port setting.

JERRI -
Level 1
Level 1
In response to Ravi Singh

‎05-26-2013 08:34 PM

Hi Ravi,

Where i should check my port setting?

fyi,

leolaohoo said duplicate post, not duplicate port.

thks,

Jerri

0 Helpful

Jatin Katyal
Cisco Employee
Cisco Employee

‎05-27-2013 12:18 AM

Can you do nslookup from the ISE CLI.

Was this working before and you rebooted your GC and after that you started seeing issue.

In your DNS settings can you see global catalog in the Forward Lookup Zone?

Jatin Katyal
- Do rate helpful posts -

~Jatin
0 Helpful

JERRI -
Level 1
Level 1
In response to Jatin Katyal

‎05-27-2013 12:32 AM

Hi Jatin,

Thanks for the reply.

yes, we can do nslookup from ise cli.

this problem already appear from the first time i try to test detail  AD from CISE.

I can't retreive group of my AD, because of this.

where section, that i can see my global catalog in my DNS windows server?

Thks,

Jerri

0 Helpful

JERRI -
Level 1
Level 1
In response to Jatin Katyal

‎05-29-2013 07:32 PM

do anyone having a same problem when integrating AD multidomain with Cisco ISE?

0 Helpful

askhuran
Level 1
Level 1

‎05-27-2013 04:57 AM

Hello Jerri,

Please follow these steps:
1.    Make sure that ISE can connect to the Global Catalog (by Default  it is Domain Controller) on the following ports (see table below)
2.    Check Windows Event Viewer > System Events on your Domain  Controller and locate any errors / warning. Note down Event ID
3.    If there are any errors, other client computers in your AD domain  are likely to experience problems locating User groups, Printers etc.
4.    If the above steps are confirmed, then you need to fix  .msdcs.ad-domain.xyz and the records, on your primary DNS (Master Domain  Controller by default)
5.    To fix those records, you may refer to the following link for more  guidance on how to do it. Or your Windows AD Administrator should  fix it

How DNS Support for Active Directory Works
http://technet.microsoft.com/en-us/library/cc759550

Otherwise let me know about the detail on Event IDs you notice in your Windows Event Viewer

Service Name

UDP

TCP

LDAP


3268 (global catalog)

LDAP


3269 (global catalog Secure Sockets Layer [SSL])

LDAP

389

389

LDAP


636 (SSL)

RPC/REPL


135 (endpoint mapper)

Kerberos

88

88

DNS

53

53

SMB over IP

445

445

0 Helpful

JERRI -
Level 1
Level 1
In response to askhuran

‎05-29-2013 02:04 AM

1. telnet from cise to AD server with port (all port in the table), can connected.

2. no error related to AD in the system events

3. users can locate printer, and others objects in the AD, and no problem with login (if GC problem, i think, login to domain, will also be problem)

4. DNS server

there is _gc (SVR type) in the

.msdcs.ad-domain.xyz -> gc -> sites -> name of the sites -> _tcp

But no_gc file (SVR type) in the

ad-domain.xyz at DNS server. folder _tcp.

so, i making this files.

But, still can't connect / find the GC / GC port status error , when detailed test in the Cisco ISE.

FYI, we have multiple domain in this company.

Didn't know what could be the problem, but

do you guys know how to repair GC in the AD?

0 Helpful

JERRI -
Level 1
Level 1
In response to JERRI -

‎05-29-2013 07:33 PM

do anyone having a same problem when integrating AD multidomain with Cisco ISE?

0 Helpful

JERRI -
Level 1
Level 1
In response to askhuran

‎05-29-2013 07:55 PM

do anyone having a same problem when integrating AD multidomain with Cisco ISE?

0 Helpful

Jatin Katyal
Cisco Employee
Cisco Employee
In response to JERRI -

‎05-30-2013 02:02 AM

It's clears that when ISE tries to find the GC using the _gc._tcp. DNS query. It doesn't find that information on the Domain controller. The GC information is missing on the DC.

_

gc._tcp.DnsForestName

Allows a client to locate a Global Catalog (gc) server for this domain.

Jatin Katyal
- Do rate helpful posts -

~Jatin
0 Helpful
Customers Also Viewed These Support Documents