Solved: Hi All,

Mostafa.Ragab · ‎02-26-2017

Hello All,

I have 2 ISE 2.0 nodes in my network and joined to the AD. and I am using the AD server as a NTP server for the ISE nodes.

Two days ago one of the 2 ISE nodes had been dis joined form the AD due to Kerberos failure.

The attached warning appear in my ISE-AD join tests.

Note, The time on both AD and ISE are exactly the same.

Any one have recommendations for what should be done to solve this issue?

Thanks in advance

Mostafa

andrewswanson · ‎02-26-2017

Hi

See the link below for troubleshooting ISE ntp sync issues with MS servers.

hth

Andy

http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/119371-technote-ise-00.html#anc4

View solution in original post

andrewswanson · ‎02-26-2017

Hi

See the link below for troubleshooting ISE ntp sync issues with MS servers.

hth

Andy

http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/119371-technote-ise-00.html#anc4

Mostafa.Ragab · ‎02-27-2017

Hi

Thanks for your reply, But i need to know how can i access the root mode?

andrewswanson · ‎02-28-2017

It appears only TAC can access root mode on ISE - see link below for a user with a similar issue to you.

hth

Andy

https://supportforums.cisco.com/discussion/12724991/cisco-ise-root-mode

Mostafa.Ragab · ‎03-15-2017

Hi All,

I just want to add a point to andrewswanson answer.

After applying the above solution, the problem was fixed abut when i performed ISE-AD health check the NTP test didn't succeed however it's working fine from the CLI.

Then we found that we are hitting the bug in the below link. So, We applied patch 4 to fix it.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCux82480

ISE 2.0 Clock Skew