10-17-2016 05:13 PM
We recently had an issue where our primary IP name server's DNS stopped responding. However, the ISE node did not fail over to the secondary name servers, and this broke all users in the child domain that was no longer resolving. Is there a way to help ISE fail over to secondary name servers for DNS?
We waited for our server team to address the issue and then everything started working.
Thanks!
10-17-2016 10:12 PM
ISE should have failed over if there was no DNS response. Which version of ISE did you see the behavior in? Also, was the primary DNS server truly down, as in not responding to DNS requests, or is it possible the DNS server was still responding, but without a proper response?
10-18-2016 09:56 AM
According to our systems guys, the DNS zone file was not set up correctly on the primary DNS name server for the node.
I was able to traceroute from the node to the domain controller and ping the domain controller, but DNS was failing for child.domain.com.
This was the message I received from the primary name server:
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
The secondary and tertiary DNS name servers were set up correctly and provided the correct IP address for child.domain.com.
In the Active Directory Diagnostic Tool it was unable to locate the domain controller for the child domain in question, and all tests failed. Once our systems team updated the primary DNS server for the node, everything started working again.
Very weird behavior indeed.
ISE 2.0.306 patch 3
10-18-2016 03:40 PM
There is a difference between the DNS server being misconfigured and the DNS server being down. If the server was up but misconfigured, it is very likely the secondary server would not be used.
George
10-24-2016 09:47 AM
Hi Chris
The OS DNS resolver needs to see 'no response' before it will decide to fail over to your secondary. So if you get a response from the primary, but some records are incorrect/missing, it's not smart enough to know it should fail over to the secondary.
Chris
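The behaviour described in the answer above, as an added example that is not part of the thread and not Cisco ISE code: a stub resolver such as glibc's only moves to the next nameserver in its list when the current one sends no response within the timeout, so a primary that answers NXDOMAIN or NOERROR with no data for child.domain.com is taken at its word. The script below asks each configured nameserver directly for the same record and classifies what comes back, which is the check that tells "primary misconfigured" apart from "primary down". The server addresses, the name child.domain.com and the packets built by build_response are constructed for illustration; the wire-format encoding and parsing follow RFC 1035.

```python
"""Added example (not part of the thread): query each configured nameserver
directly and classify what it returns, so a primary that answers (NXDOMAIN or
an empty answer) can be told apart from one that does not answer at all."""
import random
import socket
import struct

RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name):
    """Encode 'child.domain.com' as DNS wire-format labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype=1, txid=None):
    """Build a recursive A query (qtype 1); returns (txid, packet)."""
    if txid is None:
        txid = random.randint(0, 0xFFFF)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1
    return txid, header + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_response(txid, rcode, name, addrs=()):
    """Constructed response for offline testing: one question, one A record per
    address, answer name given as a compression pointer to the question."""
    flags = 0x8180 | (rcode & 0xF)  # QR=1, RD=1, RA=1
    header = struct.pack("!HHHHHH", txid, flags, 1, len(addrs), 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    answers = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(a)
        for a in addrs)
    return header + question + answers


def _skip_name(data, offset):
    """Return the offset just past a possibly compressed name."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:  # compression pointer: 2 bytes, ends the name
            return offset + 2
        offset += 1 + length


def parse_response(data, txid):
    """Return (rcode name, [A record addresses]) for a raw DNS response."""
    if len(data) < 12:
        return "MALFORMED", []
    rid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        return "BAD_TXID", []
    rcode = RCODE_NAMES.get(flags & 0xF, "RCODE%d" % (flags & 0xF))
    offset = 12
    for _ in range(qdcount):
        offset = _skip_name(data, offset) + 4  # QTYPE + QCLASS
    addrs = []
    for _ in range(ancount):
        offset = _skip_name(data, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(data[offset:offset + 4]))
        offset += rdlen
    return rcode, addrs


def query_server(server, name, timeout=2.0):
    """Send one UDP query to one server. 'TIMEOUT' is the only outcome that
    makes a stub resolver such as glibc's move on to the next nameserver."""
    txid, packet = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server, 53))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "TIMEOUT", []
    return parse_response(data, txid)


def resolver_would_fail_over(rcode):
    """Model of the stub resolver's decision described in the answer: only
    'no response' triggers the secondary; NXDOMAIN or an empty NOERROR do not."""
    return rcode == "TIMEOUT"


def probe_all(servers, name):
    """Query every nameserver in order and report each one's answer."""
    return {server: query_server(server, name) for server in servers}


if __name__ == "__main__":
    # Offline demonstration with constructed packets: the case the answer
    # describes, a primary that answers without the record while the
    # secondary has it. Addresses are made up.
    primary = parse_response(build_response(7, 3, "child.domain.com"), 7)
    secondary = parse_response(build_response(7, 0, "child.domain.com", ["10.1.2.3"]), 7)
    for label, (rcode, addrs) in (("primary", primary), ("secondary", secondary)):
        print(label, rcode, addrs, "resolver fails over:", resolver_would_fail_over(rcode))
    # Live use against real servers (hypothetical addresses):
    # print(probe_all(["10.0.0.10", "10.0.0.11"], "child.domain.com"))
```

When run against the node's real nameservers, a primary that returns NXDOMAIN or NOERROR with an empty address list while the secondary returns the address is the zone-file misconfiguration from this thread, and no resolver setting will route around it; only a TIMEOUT from the primary is the condition the stub resolver treats as a reason to try the next server.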
10-24-2016 10:51 AM
Hi Chris,
Thank you, that does make sense of how the fail-over works.
Chris