Identify and change ISE 2.3 AD service account

ritch.rob · ‎03-01-2018

I inherited an ISE 2.3 system mid build. the PANS and some of the PSNs were joined to AD prior to me inheriting the system. The problem that I have is that I do not know what AD account was used to join these to the domain. Last night the service account that I used to join the additional PSNs expired so those PSNs had to be rejoined to the domain, but the previous ones did not. Based on that, my suspicion is that they were joined with a different account. Is there a way to identify what account they were joined with? I have looked through the ad_agent log, but it does not appear to show the account information.

Secondly, what is the process and impact of changing the account? I am assuming that I will need to leave the domain and then rejoin the domain with the proper service account. What would be the impact of doing this? Unfortunately it will be the primary PAN and our primary as well as first backup PSN that I will need to do this. The second and third backup PSNs (4 PSN total) and the backup PAN are using the correct AD service account.

Ben Walters · ‎03-01-2018

You could possibly find the account that added the ISE server to AD if your AD has auditing enabled. Other than that I don't think you can see that information in ISE itself.

To change the account, yes you would have to have the ISE nodes leave and rejoin the domain. This shouldn't have an impact on AD functionality in ISE as long as your other nodes are joined to the domain, which they are. Although with a change like this we would probably do it off hours anyway or schedule an outage window just to limit end user impact if something did go wrong during the process.