Solved: ISE 1.2 Active Directory Question

ALAN MURRAY · ‎05-13-2014

Hi,

I have a question regarding using Active Directory as an External Identity Source.

Our customer has 4 AD servers in their domain and thus 4 DNS entries for the domain. When I join ISE to the domain DNS resolves to one address and uses that machine to perform the join operation. What happens if the machine subsequently fails - does my ISE node need to leave and then re-join the domain or is this handled by some other method?

Thanks

Alan

M. Wisely · ‎05-14-2014

Assuming that they're part of the same AD domain ISE will learn all of the DCs in the domain and you'll likely find after a while that it has moved to a different DC. We have over 100 DCs in our domain and it works just fine, no intervention is required to get it to connect to a different DC if the one it's connected to disappears.

View solution in original post

Saurav Lodh · ‎05-13-2014

In case of any failure, you should always leave and re join

M. Wisely · ‎05-14-2014

Assuming that they're part of the same AD domain ISE will learn all of the DCs in the domain and you'll likely find after a while that it has moved to a different DC. We have over 100 DCs in our domain and it works just fine, no intervention is required to get it to connect to a different DC if the one it's connected to disappears.

ALAN MURRAY · ‎05-14-2014

Thanks to all who have replied. It appears we have two correct answers so for my own piece of mind I'm going with the one from martinwisely2 - it suits my purposes at this stage. Needless to say I shall test this before putting into production.

Once again many thanks.

Alan

kaaftab · ‎05-15-2014

yes you can join AD if any issue come but for same domain. As currently ISE is does not support multi domain features which are expect in future release and you can manage in current version through trust relation.

***********Do rate Helpful posts*******************