ā08-14-2017 07:20 AM
Good day, Colleagues
We would like to add new AD in External Identity Source, but this AD didn't resolved by DNS
Cisco Documentation says:
<snip>
Cisco ISE also provides the ability to define a list of preferred DCs per domain. This list of DCs will be prioritized for selection before DNS SRV queries. But this list of preferred DCs is not an exclusive list. If the preferred DCs are unavailable, other DCs are selected. You can create a list of preferred DCs in the following cases:
The advanced tuning feature provides node-specific changes and settings to adjust the parameters deeper in the system. This page allows configuration of preferred DCs, GCs, DC failover parameters, and timeouts
</snip>
But no any information how to do this list. Is it possible ?
Solved! Go to Solution.
ā08-14-2017 09:04 AM
Defining the preferred DC list using the registry keys is not going to help with this.
If ISE deployment using multiple domains without trust, the DNS servers configured in ISE need to able to resolve all the AD domain records and use multiple join.
In our training labs, I used stub zones
It's also possible to use conditional forwarding, etc.
ā08-14-2017 07:41 AM
The Admin Guide is clear that this should only be used during a support case:
Cisco ISE 2.1 Admin Guide on AD Advanced Tuning
If you poke around long enough, you'll find it at:
With these configurable parameters:
Having said that, I highly encourage you to work through TAC to set the parameters correctly.
ā08-14-2017 07:48 AM
Thanks a lot.
As I said in topic we knows where this may be done but didn't know how to do this.
What parameters and values can be used for this list.
TAC is puzzled already but without susccess yet
ā08-14-2017 07:52 AM
Please provide the TAC case number, if possible.
ā08-14-2017 07:56 AM
Here is SR 682828830
It seems, our customer has two different DCs without trust relationships.
ā08-14-2017 09:04 AM
Defining the preferred DC list using the registry keys is not going to help with this.
If ISE deployment using multiple domains without trust, the DNS servers configured in ISE need to able to resolve all the AD domain records and use multiple join.
In our training labs, I used stub zones
It's also possible to use conditional forwarding, etc.
ā08-15-2017 01:19 AM
Thanks for your reply. I suspected this. It remains only to understand why preferred DC list need and why cisco doc indicate the following:
. You can create a list of preferred DCs in the following cases:
* The DNS configuration is wrong or cannot be edited.
This only confuses us.
ā08-14-2017 07:50 AM
Adding to Charles.
The proper way to define the preferred DCs is use Microsoft AD Sites and Services.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide