How AD and ISE should work in Distributed Deployment?

SaintEvn
Level 1

Hi,

I have one ISE (PAN+MNT) node in DC and another ISE (PAN+MNT) node in DR. And I have one AD domain in DC and another AD domain in DR.

And I have two node-group deployments for the branch sites, with each group containing two PSNs.

What I would like to know is whether the two ADs located in DC and DR need to integrate with all ISE nodes in order to get redundancy (2 PANs and 4 PSNs).

Will each ISE node need to integrate with both ADs ?

What if I also have another AD deployment where a PSN is located? Do I still need to integrate that AD with all ISE nodes?

Sorry, but I want to know how ISE works with AD in a distributed deployment.

And thank you so much.


4 Replies

I assume you are referring to the same domain name across all those domain controllers. When we join ISE to an AD, we don't specify the IP addresses of the domain controllers; we just specify the domain name, and ISE does a service nslookup in the background to find out the IP addresses of the Active Directory domain controllers.

SaintEvn
Level 1

We are using the same domain for all sites.

For example,

DC Site >> misys.com (parent domain)
DR Site >> ybs.misys.com (child domain)
Branch Site1 >> yfc.misys.com (child domain)
Branch Site2 >> tbc.misys.com (child domain)

What I would like to know is, do I need to join all ISE nodes to all ADs (both the parent domain and the child domains)?

DC ISE with all four ADs
DR ISE with all four ADs
Branch ISE with all four ADs

Thank you

I don't believe you need to use the child domains; it would be enough to join ISE to the parent domain.

When ISE joins the domain, it can query any other domains/subdomains within the forest for which there is a two-way trust. If for some reason, there is not a two-way trust for all of the domains/subdomains you need to query, ISE would need to use a separate domain join point for those.

ISE also uses the built-in functions of AD for redundancy and failover of Domain Controllers. Be sure to add the subnets for the ISE nodes to your AD Sites & Services configuration to ensure the ISE nodes query the most efficient Domain Controller.
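The two answers above rest on one mechanism: ISE is given only a domain name, finds domain controllers through DNS locator (SRV) records, and lands on a nearby DC only when its subnet is mapped to an AD site. The following is an added illustration of that lookup order, not code from the thread or from Cisco ISE; the SRV data, the site names "DC" and "DR" and all host names are constructed assumptions, and the weight handling is simplified.

```python
import random
from typing import NamedTuple

class SrvRecord(NamedTuple):
    priority: int
    weight: int
    port: int
    target: str

# Constructed SRV data for the thread's misys.com domain: every DC registers a
# domain-wide record plus one per AD site it serves (sites/hosts are assumed).
SRV_ZONE = {
    "_ldap._tcp.DC._sites.dc._msdcs.misys.com": [
        SrvRecord(0, 100, 389, "dc1.misys.com"),
        SrvRecord(0, 100, 389, "dc2.misys.com"),
    ],
    "_ldap._tcp.DR._sites.dc._msdcs.misys.com": [
        SrvRecord(0, 100, 389, "drdc1.misys.com"),
        SrvRecord(10, 100, 389, "dc1.misys.com"),  # backup: less preferred
    ],
    "_ldap._tcp.dc._msdcs.misys.com": [
        SrvRecord(0, 100, 389, "dc1.misys.com"),
        SrvRecord(0, 100, 389, "dc2.misys.com"),
        SrvRecord(0, 100, 389, "drdc1.misys.com"),
    ],
}

def locator_names(domain, site=None):
    """Names tried in order: the client's AD site (known only when its subnet
    is mapped in Sites & Services), then the domain-wide record."""
    site_name = [f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}"] if site else []
    return site_name + [f"_ldap._tcp.dc._msdcs.{domain}"]

def order_by_rfc2782(records, rng=None):
    """Lowest priority first; equal priorities in weight-proportional random order."""
    rng, ordered = rng or random.Random(), []
    for prio in sorted({r.priority for r in records}):
        pool = [r for r in records if r.priority == prio]
        while pool:  # weight 0 is treated as 1 to keep the example short
            pick = rng.choices(pool, weights=[r.weight or 1 for r in pool])[0]
            ordered.append(pick)
            pool.remove(pick)
    return ordered

def locate_dcs(domain, site=None, zone=SRV_ZONE, rng=None):
    """DC host names in try order; an unmapped node or an unknown site falls
    back to the domain-wide list and may end up on a DC across the WAN."""
    for name in locator_names(domain, site):
        if name in zone:
            return [r.target for r in order_by_rfc2782(zone[name], rng)]
    return []
```

A node whose subnet is mapped to site "DR" gets the DR controller first, while a node with no site mapping draws from the whole domain, which is the behaviour the Sites & Services advice above is meant to avoid.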