How to Join AD to multiple domains

llomjaria · ‎06-05-2024

Hello,

I have ISE 3.2 two node deployment. I have joined them to domain abc.com. ISE uses DNS servers of abc.com domain.

Now I want to join ISE nodes to another independent domain efg.com. I have created host aliases for efg.com pointing IP addresses of efg.com domain controller (ip host 192.168.1.2 efg.com). Ping to efg.com is successful but I am not able to join ISE.

I have started tcp dump on ISE and when I try to join to efg.com it does not send any traffic to efg.com.

This is the result of tests from ISE:

Am I missing something?

Arne Bier · ‎06-05-2024

I am not an AD expert, but if the other efg.com domain is not sharing/exchanging some of its DNS records with abc.com, then ISE (sitting on abc.com?) won't be able to resolve all the DNS records for efg.com (SRV records etc.).

llomjaria · ‎06-06-2024

These two domain controllers are independent of each other, they do NOT have any trust between them.

I want to know how to add second active directory in ISE. I could not find technical information about it.

ccieexpert · ‎06-07-2024

i have done it.. its just like defining the first one... but as Marvin says you need to have DNS resolve both domains..

Marvin Rhoads · ‎06-06-2024

You need configured DNS server(s) that able to resolve all of the second domain's records. Simply putting a host record for the domain controller will not suffice. Look, for example, at all the tests that run during an AD daily health check. Those should be able to pass for both domains.