Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1936
Views
5
Helpful
3
Replies

Integration of ISE to AD Per Site

Go to solution
fatalXerror
Level 5
Level 5

‎04-29-2021 05:35 AM

Hi Guys,

I have multiple ADs worldwide and my ISE is located in Los Angeles and when I integrate ISE to my AD domain ("us.example.com"), I want to make sure that it is connecting to my LA AD. 

For me to do this, I need to have SRV record in my DNS right?

Thanks

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee
In response to fatalXerror

‎04-29-2021 09:09 PM

When the ISE nodes join the AD domain, they create computer accounts in the domain. This allows the ISE nodes to use Active Directory's built in high-availability and redundancy mechanisms. With an AD-integrated MS DNS server, it automatically builds SRV records based upon the model defined within AD Sites and Services.

Although you might be able to manually create SRV records in DNS (I've never tried it), you should be using AD's built-in mechanisms.

If you're not familiar with the AD functions, I would highly suggest discussing this topic with your AD administrators and referencing my comments around AD Sites and Services.

View solution in original post

3 Replies 3

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee

‎04-29-2021 03:47 PM

It sounds like you're talking about integrating ISE with a single Forest and Domain (join point) and you want the ISE nodes to communicate with the local Domain Controller in LA. Is that correct?

If so, you would do this using AD Sites and Services by ensuring that your DC is associated with a Site and adding the subnet used by the ISE nodes to that Site.

0 Helpful

Go to solution
fatalXerror
Level 5
Level 5
In response to Greg Gibbs

‎04-29-2021 07:57 PM

Hi @Greg Gibbs , thanks for the feedback. Sorry but I cannot understand much in terms of AD terminologies but all I wanted to do is integrate my ISE to my domain (e.g. us.example.com) and I want to make sure that my L.A. AD should be the one to be integrate to my ISE.

My domain (e.g. us.example.com) consist of multiple ADs across the US that is why I want to make sure that my nearest AD will be the one that will be replying back to my ISE in L.A. that is why I was thinking if it is something to do with the SRV record that needs to be configured in the DNS to point the domain controller to L.A.

Thanks

0 Helpful

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee
In response to fatalXerror

‎04-29-2021 09:09 PM

When the ISE nodes join the AD domain, they create computer accounts in the domain. This allows the ISE nodes to use Active Directory's built in high-availability and redundancy mechanisms. With an AD-integrated MS DNS server, it automatically builds SRV records based upon the model defined within AD Sites and Services.

Although you might be able to manually create SRV records in DNS (I've never tried it), you should be using AD's built-in mechanisms.

If you're not familiar with the AD functions, I would highly suggest discussing this topic with your AD administrators and referencing my comments around AD Sites and Services.

Customers Also Viewed These Support Documents